https://docs.protegrity.com/cloud-protect/4.0.0/docs/gcp/snowflake/Recent content in Snowflake onHugoenhttps://docs.protegrity.com/cloud-protect/4.0.0/docs/gcp/snowflake/overview/Mon, 01 Jan 0001 00:00:00 +0000https://docs.protegrity.com/cloud-protect/4.0.0/docs/gcp/snowflake/overview/<ol id="toc"></ol> <script> // JavaScript to generate the table of contents from H2 headings document.addEventListener("DOMContentLoaded", function () { //get all h2 headings within the 'main' element and generate a toc with links to them //excluding h2 heading 'Feedback' if it exists const toc = document.getElementById("toc"); const headings = document.querySelectorAll("main h2"); headings.forEach(heading => { if (heading.textContent === "Feedback") { return; // Skip the 'Feedback' heading } const li = document.createElement("li"); const a = document.createElement("a"); const id = heading.textContent.toLowerCase().replace(/\s+/g, '-'); heading.id = id; // Set the id for the heading a.href = `#${id}`; a.textContent = heading.textContent; li.appendChild(a); toc.appendChild(li); }); }); </script> <h2 id="solution-overview">Solution Overview</h2> <p>Snowflake Protector on Google Cloud is a cloud native, serverless product for fine-grained data protection with Snowflake™, a managed Cloud data warehouse. This enables invocation of the Protegrity data protection cryptographic methods from the Snowflake SQL execution context. The benefits of serverless include rapid auto-scaling, performance, low administrative overhead, and reduced infrastructure costs compared to a server-based solution.</p>https://docs.protegrity.com/cloud-protect/4.0.0/docs/gcp/snowflake/architecture/Mon, 01 Jan 0001 00:00:00 +0000https://docs.protegrity.com/cloud-protect/4.0.0/docs/gcp/snowflake/architecture/<ol id="toc"></ol> <script> // JavaScript to generate the table of contents from H2 headings document.addEventListener("DOMContentLoaded", function () { //get all h2 headings within the 'main' element and generate a toc with links to them //excluding h2 heading 'Feedback' if it exists const toc = document.getElementById("toc"); const headings = document.querySelectorAll("main h2"); headings.forEach(heading => { if (heading.textContent === "Feedback") { return; // Skip the 'Feedback' heading } const li = document.createElement("li"); const a = document.createElement("a"); const id = heading.textContent.toLowerCase().replace(/\s+/g, '-'); heading.id = id; // Set the id for the heading a.href = `#${id}`; a.textContent = heading.textContent; li.appendChild(a); toc.appendChild(li); }); }); </script> <p> <h2 id="deployment-architecture">Deployment Architecture</h2> <p>The Protegrity product should be deployed in the customer&rsquo;s Cloud account within the same Google Cloud region as the Snowflake cluster. The product incorporates Protegrity&rsquo;s vaultless tokenization engine within Google Cloud Functions. The encrypted data security policy from an ESA is deployed periodically as a static resource together with Cloud Function binaries. The policy is decrypted in memory at runtime within the Cloud Function. This architecture allows Protegrity to be highly available and scale very quickly without direct dependency on any other Protegrity services.</p>https://docs.protegrity.com/cloud-protect/4.0.0/docs/gcp/snowflake/no-access-behavior/Mon, 01 Jan 0001 00:00:00 +0000https://docs.protegrity.com/cloud-protect/4.0.0/docs/gcp/snowflake/no-access-behavior/<p>The security policy maintains a <strong>No Access Operation</strong>, configured in an ESA, which determines the response for unauthorized unprotect requests.</p> <p><img src="https://docs.protegrity.com/cloud-protect/4.0.0/docs/gcp/snowflake/images/ssf_no_access_behavior.png" alt=""></p> <p>The following table describes the value returned to the UDF function for various cases:</p> <table> <thead> <tr> <th>No Access Operation</th> <th>Data Returned</th> </tr> </thead> <tbody> <tr> <td>Null</td> <td><strong>null</strong></td> </tr> <tr> <td>Protected</td> <td><strong>(protected value)</strong></td> </tr> <tr> <td>Exception</td> <td><strong>Query will return an exception</strong></td> </tr> </tbody> </table> <div class="alert alert-info" role="alert"> <h4 class="alert-heading">Note</h4> An unauthorized protect will throw an exception. </div>https://docs.protegrity.com/cloud-protect/4.0.0/docs/gcp/snowflake/upgrading/Mon, 01 Jan 0001 00:00:00 +0000https://docs.protegrity.com/cloud-protect/4.0.0/docs/gcp/snowflake/upgrading/<div class="alert alert-warning" role="alert"> <h4 class="alert-heading">Important</h4> <ul> <li>Upgrading the Policy Agent component to version <strong>4</strong> from any previous major version requires a new installation</li> <li>Upgrading the Protector component to version <strong>4</strong> from any previous major version requires a new installation</li> <li>Upgrading the Log Forwarder component to version <strong>4</strong> from any previous major version requires a new installation</li> </ul> </div> <!-- Disabled for this release; re-enable in a future release: readfile /docs/gcp/common/upgrading/index.txt -->https://docs.protegrity.com/cloud-protect/4.0.0/docs/gcp/snowflake/known-limitations/Mon, 01 Jan 0001 00:00:00 +0000https://docs.protegrity.com/cloud-protect/4.0.0/docs/gcp/snowflake/known-limitations/<ul> <li> <p>Only protect and unprotect operations are supported. The re-protect operation is not supported.</p> </li> <li> <p>The Semi-structured (JSON) data type is not supported in the product.</p> </li> </ul> <ul> <li> <p><strong>Cloud Function (Gen2) labels must not be updated from the Cloud Run Services console.</strong> When updating labels for a GCP Cloud Function (Gen2) through the <strong>Cloud Run Services</strong> console, GCP creates a new Cloud Run revision with the updated labels, but the underlying Cloud Function retains the old labels. Because the policy agent reads labels from the Cloud Function definition (not the Cloud Run revision), it will not detect the label change and will not trigger a policy update.</p>