Security

Workbench | Advanced

Ingress traffic

The Snowflake Workbench Native App is accessible via a secured subdomain provided by Snowflake, such as https://<prefix>.snowflakecomputing.com. Access is managed by Snowflake SPCS Ingress. All standard Snowflake authentication methods, including organizational SSO requirements, apply. For details on ingress, see Ingress using a Service from outside Snowflake.

For details on granting specific roles ingress access, see Grant access to Posit Workbench.

Egress traffic

By default, the Workbench Native App allows open egress traffic. This is managed using network rules.

To restrict egress, refer to changing the egress policy. The Workbench application itself only connects to Snowflake for the following purposes:

  • OAuth authentication flow

  • Database ODBC driver calls

  • OCSP certificate validation

However, users can make arbitrary external requests, so administrators are advised to restrict egress where appropriate.

Default egress policy

The Native App’s default egress policy includes these endpoints. Optional ones can be removed:

Endpoint Required Description
<organization>-<account>.snowflakecomputing.com:443 Yes For Snowflake OAuth and ODBC queries
ocsp.snowflakecomputing.com:80 Yes For Snowflake certificate validation
open-vsx.org:443, openvsxorg.blob.core.windows.net:443 Optional To download VSCode extensions
p3m.dev:443, rspm-sync.rstudio.com:443 Optional For downloading PyPi, R, and Bioconductor packages from Posit-managed mirror
0.0.0.0:443, 0.0.0.0:80 Optional Allows open egress; required for Snowflake VSCode Extension functionality

You can determine your Snowflake account’s endpoint using this SQL query:

SELECT REPLACE(LOWER(CURRENT_ORGANIZATION_NAME()), '_', '-') || '-' || REPLACE(LOWER(CURRENT_ACCOUNT_NAME()), '_', '-') || '.snowflakecomputing.com';

You can verify the generated URL by visiting it in your browser; it should redirect to your Snowflake account where the Workbench Native App is hosted.

For further details, see Snowflake Network Rules.

Root access in the Workbench Native App

Root access within the Workbench is strictly disabled. No user, including administrators, has sudo access. This ensures:

  • System reliability

  • User data isolation (no access to other users’ files)

  • Protection of managed OAuth credentials

Back to top