Skip to main content

πŸ“–

Key Terms β€” Secure Data Sharing

β€”

Secure Data Sharing

Snowflake's mechanism for sharing live, read-only data between accounts without copying data. No ETL, no file transfers β€” consumers query shared data in place.

β€”

Share

A Snowflake object (CREATE SHARE) that defines which objects (databases, schemas, tables, views) are shared and with which accounts.

β€”

Provider

The account that creates and owns the share β€” controls what data is shared and with whom.

β€”

Consumer

The account that receives the share and creates a read-only database from it.

β€”

Reader Account

A managed account created by the provider for consumers who do not have their own Snowflake account. The provider pays for the reader's compute.

β€”

Snowflake Marketplace

A platform for discovering and consuming shared data products from third-party providers β€” both free and paid listings.

What is Secure Data Sharing?

Secure Data Sharing allows Snowflake accounts to share live, read-only data without copying, moving, or transferring files. Consumers query the provider’s data directly β€” always up to date, zero ETL.

Secure Data Sharing Architecture

Diagram: Provider Account on the left owns tables stored in micro-partitions in shared cloud storage. Provider creates a SHARE object granting access to specific tables/views. Consumer Account on the right creates a database FROM SHARE, which is a read-only pointer to the provider's micro-partitions. No data is copied β€” the consumer queries the provider's storage directly. Both accounts must be in the same cloud region (or use replication for cross-region).

Provider account sharing micro-partitions with consumer account via SHARE object, no data copy
🎯Exam Focus: No Data Movement

Secure Data Sharing involves zero data copying. The consumer reads the provider’s micro-partitions directly. This means: instant availability of new data, no storage cost for the consumer (only compute), and no ETL pipelines to maintain.

Creating and Managing Shares

Provider: Creating a Share
1-- Step 1: Create the share
2CREATE SHARE sales_share;
3
4-- Step 2: Grant access to objects
5GRANT USAGE ON DATABASE sales_db TO SHARE sales_share;
6GRANT USAGE ON SCHEMA sales_db.public TO SHARE sales_share;
7GRANT SELECT ON TABLE sales_db.public.orders TO SHARE sales_share;
8GRANT SELECT ON TABLE sales_db.public.customers TO SHARE sales_share;
9
10-- Step 3: Add consumer accounts
11ALTER SHARE sales_share ADD ACCOUNTS = org1.consumer_acct;
12
13-- View shares
14SHOW SHARES;
15DESCRIBE SHARE sales_share;
Consumer: Using a Share
1-- View available shares
2SHOW SHARES;
3
4-- Create a database from the share
5CREATE DATABASE shared_sales FROM SHARE provider_org.provider_acct.sales_share;
6
7-- Grant access to roles
8GRANT IMPORTED PRIVILEGES ON DATABASE shared_sales TO ROLE analyst_role;
9
10-- Query shared data (read-only)
11SELECT * FROM shared_sales.public.orders LIMIT 10;
πŸ”‘Share Constraints
  • Shared data is read-only for consumers β€” no INSERT, UPDATE, or DELETE
  • Consumers can only create a database from a share, not individual tables
  • The privilege granted to consumer roles is IMPORTED PRIVILEGES, not SELECT
  • Shares work between accounts in the same cloud region by default (use database replication for cross-region)

Sharing Secure Views

Providers typically share secure views rather than base tables to control exactly what data consumers can see.

Sharing via Secure Views
1-- Create a secure view that filters data per consumer
2CREATE OR REPLACE SECURE VIEW sales_db.public.v_orders_shared AS
3SELECT order_id, order_date, product, amount
4FROM sales_db.public.orders
5WHERE region = CURRENT_ACCOUNT();  -- Row-level filtering
6
7-- Grant the secure view to the share
8GRANT SELECT ON VIEW sales_db.public.v_orders_shared TO SHARE sales_share;
🎯Exam Focus: Why Secure Views?

Secure views hide the view definition from consumers (no SHOW CREATE VIEW). This prevents consumers from reverse-engineering your data model or filter logic. Regular views expose their SQL β€” never share a regular view if the logic is sensitive.

Sharing Objects

Shareable vs Non-Shareable Objects

Feature
Can Be Shared
Cannot Be Shared
Tables
Yes β€” SELECT granted to share
β€”
Secure views
Yes β€” recommended for row/column filtering
Regular views (can share but definition is visible)
Secure UDFs
Yes β€” share custom functions
Regular UDFs (definition visible)
Databases/Schemas
USAGE grant required on container objects
Cannot share individual schemas without database
Stages/Tasks/Pipes
β€”
Cannot be shared
Stored procedures
β€”
Cannot be shared

Reader Accounts

Reader accounts are for consumers who do not have their own Snowflake account. The provider creates and manages the reader account, and pays for its compute.

Creating a Reader Account
1-- Create a managed (reader) account
2CREATE MANAGED ACCOUNT partner_reader
3ADMIN_NAME = 'partner_admin'
4ADMIN_PASSWORD = 'SecurePass123!'
5TYPE = READER;
6
7-- Add the reader account to the share
8ALTER SHARE sales_share ADD ACCOUNTS = partner_reader;

Full Account vs Reader Account Consumer

Feature
Full Snowflake Account
Reader Account
Who pays for compute
βœ“Consumer pays their own compute
Provider pays for reader's compute
Account management
Consumer manages independently
Provider creates and manages
Can consume multiple shares
βœ“Yes β€” from any provider
Only from the creating provider
Can create own objects
βœ“Yes β€” full Snowflake account
Limited β€” primarily for querying shared data
Marketplace access
βœ“Yes
No
🎯Exam Focus: Who Pays?

Full account consumers pay their own compute costs. Reader account compute is billed to the provider. Storage is always the provider’s cost since data is never copied.

Snowflake Marketplace

The Snowflake Marketplace is a platform where providers publish data products that any Snowflake account can discover and consume.

Snowflake Marketplace

Diagram: Three layers. Top: Data Providers publish listings (free or paid) to the Marketplace. Middle: Snowflake Marketplace acts as a discovery and governance platform. Bottom: Data Consumers browse, request access, and create databases from listings. Listings can be Standard (available to all) or Personalised (customised per consumer). Paid listings use Snowflake's billing integration.

Marketplace connecting data providers to consumers through listings
ℹ️Marketplace Listing Types
  • Standard listings: same data for all consumers (e.g., weather data, postcode lookups)
  • Personalised listings: customised data per consumer (e.g., vendor-specific analytics)
  • Free listings: no charge, instant access
  • Paid listings: commercial data products with Snowflake-managed billing

Data Exchange

A Data Exchange is a private marketplace β€” a curated group of accounts that can share data with each other. Unlike the public Marketplace, membership is controlled by the exchange administrator.

ℹ️Data Exchange vs Marketplace

The public Marketplace is open to all Snowflake accounts. A Data Exchange is a private, invite-only group β€” ideal for sharing within an organisation, industry consortium, or partner network.

Cheat Sheet

πŸ“‹
Quick Reference

Secure Data Sharing Quick Reference

πŸ”—
Key Facts
Data movement
None β€” consumer reads provider's micro-partitions
Consumer access
Read-only
Storage cost
Provider only (no copy for consumer)
Compute cost
Consumer pays (except Reader accounts)
Region
Same region by default; replication for cross-region
πŸ“€
Provider Commands
Create share
CREATE SHARE share_name
Grant objects
GRANT SELECT ON TABLE t TO SHARE s
Add consumer
ALTER SHARE s ADD ACCOUNTS = org.acct
Reader account
CREATE MANAGED ACCOUNT ... TYPE = READER
πŸ“₯
Consumer Commands
Create from share
CREATE DATABASE db FROM SHARE org.acct.share
Grant access
GRANT IMPORTED PRIVILEGES ON DATABASE db TO ROLE r
View shares
SHOW SHARES

Practice Quiz

Data Protection

What happens to data when a provider shares a table with a consumer?
Data Protection

Who pays for compute when a Reader Account queries shared data?
Data Protection

What privilege does a consumer grant to roles to access a shared database?

Flashcards

Data Protection
QUESTION

How does Secure Data Sharing work at the storage level?

Click to reveal answer
ANSWER

No data is copied. The consumer creates a read-only database that references the provider's micro-partitions directly. Both accounts access the same physical storage. Consumer pays only for compute; provider pays for storage.

Click to see question
Data Protection
QUESTION

What is a Reader Account and who pays for it?

Click to reveal answer
ANSWER

A Reader Account is a managed Snowflake account created by the provider for consumers who do not have their own Snowflake account. The provider pays for the reader's compute. Reader accounts can only consume shares from the provider that created them.

Click to see question
Data Protection
QUESTION

Why should you share secure views instead of base tables?

Click to reveal answer
ANSWER

Secure views hide the view definition from consumers, preventing them from seeing your data model or filter logic. They also enable row-level and column-level filtering using functions like CURRENT_ACCOUNT(). Regular views expose their SQL to anyone with access.

Click to see question
Data Protection
QUESTION

What is the difference between Snowflake Marketplace and a Data Exchange?

Click to reveal answer
ANSWER

The Marketplace is public β€” any Snowflake account can discover and consume listings. A Data Exchange is a private, invite-only group controlled by an administrator. Data Exchanges are ideal for intra-organisation or partner sharing.

Click to see question
Data Protection
QUESTION

What objects can be included in a share?

Click to reveal answer
ANSWER

Tables, secure views, and secure UDFs. You must also grant USAGE on the containing database and schema. Stages, tasks, pipes, and stored procedures cannot be shared.

Click to see question

Resources

Next Steps

Reinforce what you just read

Study the All flashcards with spaced repetition to lock it in.

Study flashcards β†’