Use Connect in Snowflake

Private Preview | Connect | Advanced

Overview

Posit Connect on Snowflake provides an easy-to-use platform for data scientists and researchers to deploy interactive data applications and publish their research findings. This increases their visibility and accessibility to their organization’s key stakeholders. For more information about how to use Connect, refer to the Admin and User guides.

Setup

Configuration

License

Contact your Posit customer success manager to obtain your Connect license file.

Compute pool

The compute pool size you choose is dependent on how you plan to use your instance of Connect.

For a small team (3-5 users) that produces a few pieces of content each day, use at least a small compute cluster. To better understand your team’s needs, we recommend starting with a size slightly larger than you may need (which avoids OOM errors), monitoring the resource usage, and then adjusting your compute cluster size accordingly.

SMTP configuration

Prerequisites

  • Open ports 465 and/or 587 for your organization’s account.
  • Open a support ticket within the Snowflake dashboard citing that you are using the Posit Team native application and request to open the specific SMTP port (either 465 or 587) that your organization’s mail server uses.

Enable the email request header

Connect uses a variant of proxied authentication while running behind Snowflake’s ingress proxy server. For Connect to know which email address to send a user’s email reports and updates to, the Sf-Context-Current-User-Email header must be enabled for your account. Open a support ticket to enable this feature.

Settings

During the setup process and within the management screen, you are able to configure your SMTP server settings. See the Connect SMTP configuration documentation for more information.

SMTP egress policy

Connect requires a network policy to be created to allow outbound SMTP traffic. Run the following query within the POSIT_TEAM_APP_DATA.DATA schema. This query requires that the admin role be granted the permissions of the native application’s admin role. Refer to the Snowflake network policy documentation for a detailed explanation.

SnowsightUI
CREATE OR REPLACE NETWORK RULE CONNECT_SMTP_EGRESS
    MODE = EGRESS
    TYPE = HOST_PORT
    VALUE_LIST = ('smtp.your-organization.com:587');
ALTER EXTERNAL ACCESS INTEGRATION CONNECT_EGRESS SET
    ALLOWED_NETWORK_RULES = (CONNECT_EGRESS, CONNECT_SMTP_EGRESS);

OAuth integrations

Administrators

To enable secure access to resources in Snowflake or other service providers, Connect administrators must set up OAuth integrations that content publishers can leverage. See the guides listed here to learn more.

Since Posit Team is native to Snowflake, it is highly recommended that the administrator creates the necessary Snowflake OAuth integrations to enable publishers to access their data.

Publishers

See the Connect documentation to learn how to associate these integrations with your content once it is published.

Caveats

Currently, it is not possible to set up an AWS Service Account OAuth integration since AWS requires there to be a public OIDC configuration endpoint to use to validate the workload identity tokens created by Connect for assuming IAM roles. All traffic must be authenticated with Snowflake to reach any endpoint exposed by a service on SPCS. You can still use the AWS Viewer authentication type integration since that validation happens external to Connect.

Publishing Content

Publishing from within Posit Team

When publishing content from Posit Team Workbench to Posit Team Connect, it is possible to authenticate using the traditional Connect API key method with rsconnect-python, rsconnect, or the Publisher extension.

To set up these publishing tools and take advantage of this authentication method, you must use http://connect/ as the Connect server URL.

Publishing from outside Posit Team

Snowflake clients read configuration from some well-known locations. You can customize this location by setting SNOWFLAKE_HOME to the directory of your choice, or use the locations below:

  • macOS: ~/.snowflake/
  • Linux: ~/.config/snowflake/

The steps below assume you are working on macOS and have not already set up a Snowflake connection file using key-pair authentication. Otherwise, you can use your existing connections to publish to Connect within Posit Team.

Terminal
# create a directory for your configuration
mkdir -p ~/.snowflake/ && cd $_
touch connections.toml && chmod 600 $_

openssl genrsa 2048 | openssl pkcs8 -topk8 -inform PEM -out rsa_key.p8 -nocrypt
openssl rsa -in rsa_key.p8 -pubout -out rsa_key.pub
chmod 600 rsa_key.p8
# copy your public key
grep -v '\-' rsa_key.pub | pbcopy

Copy the info below, and paste it into the connections.toml file you created in the previous step.

connections.toml
[default]
account = "<account-id>"
user = "<first.last@example.co>"
role = "PUBLIC"
authenticator = "SNOWFLAKE_JWT"
private_key_file = "/absolute/path/to/.snowflake/rsa_key.p8"

Once you confirm your public key has been added by your Snowflake administrator, run the following command (this requires that you have uv installed):

Terminal
uvx --from snowflake-cli snow connection test
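
The key generated above is stored unencrypted (-nocrypt), so file permissions are its only protection, and the fingerprint is what lets you confirm which public key was registered. The following script is an added example, not part of the Posit or Snowflake documentation: it checks that connections.toml and every private_key_file it references are owner-only, and prints each key's fingerprint for comparison with the RSA_PUBLIC_KEY_FP value in DESC USER output. The function names are hypothetical, and it assumes unencrypted RSA keys and absolute paths, as on this page.

```sh
#!/bin/sh
# Added example: audit a Snowflake client config directory (hypothetical helper names).

# Print a file's octal mode (GNU stat first, then BSD/macOS stat).
file_mode() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }

# Succeed only if group and other have no permissions (e.g. 600 or 400).
is_owner_only() {
    case "$(file_mode "$1")" in
        0|*00) return 0 ;;
        *)     return 1 ;;
    esac
}

# List every private_key_file path referenced in a connections.toml.
key_paths() {
    sed -n 's/^[[:space:]]*private_key_file[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# Fingerprint of the key's public half, in the "SHA256:<base64>" form that
# Snowflake reports as RSA_PUBLIC_KEY_FP in DESC USER output.
key_fingerprint() {
    openssl rsa -in "$1" -noout 2>/dev/null || return 1   # not a readable RSA key
    printf 'SHA256:%s\n' "$(openssl rsa -in "$1" -pubout -outform DER 2>/dev/null |
        openssl dgst -sha256 -binary | openssl enc -base64)"
}

# Audit one config directory; returns non-zero if any check fails.
audit_snowflake_home() {
    conf="$1/connections.toml"; rc=0
    [ -f "$conf" ] || { echo "missing: $conf"; return 2; }
    is_owner_only "$conf" || { echo "TOO OPEN ($(file_mode "$conf")): $conf"; rc=1; }
    keys=$(key_paths "$conf")
    while IFS= read -r key; do
        [ -n "$key" ] || continue
        [ -f "$key" ] || { echo "missing key: $key"; rc=1; continue; }
        is_owner_only "$key" || { echo "TOO OPEN ($(file_mode "$key")): $key"; rc=1; }
        if fp=$(key_fingerprint "$key"); then echo "$key -> $fp"
        else echo "unreadable key: $key"; rc=1; fi
    done <<EOF
$keys
EOF
    return "$rc"
}

# Usage: sh audit.sh ~/.snowflake
if [ "$#" -gt 0 ]; then audit_snowflake_home "$1"; fi
```

A non-zero exit status means a file is readable by group or other, or a referenced key is missing or unreadable.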


rsconnect-python installation/deployment

Snowflake connection support is available when using rsconnect-python.

Terminal
python -m pip install "rsconnect-python[snowflake]"

It looks up the connection names in ~/.snowflake/connections.toml.

Example of deploying a Shiny app:

Terminal
rsconnect add -n snowflake-connect --snowflake-connection-name your-sf-connection-name -s https://<instance-id>-<account-id>.snowflakecomputing.app/
rsconnect deploy shiny -n snowflake-connect "/path/to/app"

rsconnect installation

install.packages("renv")
renv::install("rstudio/rsconnect")
rsconnect::addServer(
  "https://<instance-id>-<account-id>.snowflakecomputing.app", 
  name = "spcs", 
  snowflakeConnectionName = "default"
)
rsconnect::connectSPCSUser(server = "spcs", snowflakeConnectionName = "default")

Publisher extension deployment (Positron, VSCode)

This functionality is available on version 1.16.0 of the publisher extension in the extension marketplace.

  • Install the Publisher extension (version >1.16.0)
  • When running through the Deploy your project steps, use the Native App Connect URL: https://<instance-id>-<account-id>.snowflakecomputing.app/. Config from your local connections.toml file authenticates against Snowflake.

FAQ

Is SMTP configuration required to run Connect?

No. It is recommended, however, because a number of core Connect features depend on sending emails.

Can I set up my SMTP server with ports other than 465 or 587?

No. These are the only ones supported by SPCS.

Are updates to Connect automatic?

No. When the native app is updated, the administrator still decides when to upgrade each product in their respective “Manage” screens.
