Network policies

If your Snowflake account has an active network policy, you might encounter issues with the Posit Team Native App during the OAuth flow or while running Snowflake SQL queries from within Posit Workbench sessions or Posit Connect using the Snowflake integration. For more details on activating a network policy for your account, refer to Snowflake’s network policies documentation.

Which instructions to follow

Your organization might use account-level network policies, user-level network policies, or both. Follow the section that matches your configuration: Account-level network policies, User-level network policies, or both.

You can check your current network policy configuration with:

Snowsight UI
-- Check account-level policy
SHOW PARAMETERS LIKE '%NETWORK_POLICY%' IN ACCOUNT;

-- Check user-level policy for current user
SHOW PARAMETERS LIKE '%NETWORK_POLICY%' FOR USER;

Common errors

You will often see errors in the following forms:

  1. OAuth Flow Error in Workbench or Connect

Error messages:

Error 100: Error occurred while executing method.
Error 230: {"code":230,"error":"invalid_client","payload":""}

These errors typically occur during the Workbench managed credential OAuth flow.

  2. SQL Query Error:

Error message:

Incoming request with IP/Token aaa.bbb.ccc.ddd is not allowed to access Snowflake. Contact your account administrator.

This error occurs when executing SQL queries via R, Python, or a CLI in the Native App.

These errors occur because Snowflake does not trust the public IPs originating from Snowpark Container Services (SPCS) (e.g., Workbench Native App). To resolve this, add the public IPs associated with your Workbench deployment to the allowed list.

Account-level network policies

If your organization uses an account-level network policy, follow these steps to allow connections from Posit Team.

Step 1: Obtain the public IPs

You can identify the public IPs of your Workbench deployment by running one of the following scripts from within the deployment. These examples use checkip.amazonaws.com, a trusted service, to fetch the IP addresses. Ensure that your egress policy allows traffic to checkip.amazonaws.com:443.

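Python Console
import requests

# Ask the IP echo service 20 times; the set keeps each distinct egress IP once.
# The timeout stops the loop from hanging if egress to the service is blocked.
ips = {
    requests.get('https://checkip.amazonaws.com', timeout=10).text.strip()
    for _ in range(20)
}
print('\n'.join(ips))

R Console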
library(httr2)

ips <- replicate(20, {
  req <- request("https://checkip.amazonaws.com/")
  resp <- req_perform(req)
  trimws(resp_body_string(resp))
})

cat(unique(ips), sep="\n")

Terminal
for i in {1..20}; do
    curl -s https://checkip.amazonaws.com
done | sort -u

This process typically returns three IPs, but repeat the commands if necessary to ensure all IPs are captured.

Step 2: Update the network policy

Once you have the public IPs, add them to the ALLOWED_NETWORK_RULE_LIST of your Snowflake account’s active network policy. This change will allow the Workbench Native App to authenticate and execute queries successfully.

Example SQL to update the network policy:

Snowsight UI
CREATE OR REPLACE NETWORK RULE POSIT_TEAM_PUBLIC_IPS
  TYPE = IPV4
  VALUE_LIST = ('new_workbench_ip_1', 'new_workbench_ip_2', 'new_workbench_ip_3')
  MODE = INGRESS
  COMMENT = 'Posit Team public egress IPs';

ALTER NETWORK POLICY your_network_policy_name ADD ALLOWED_NETWORK_RULE_LIST = 'POSIT_TEAM_PUBLIC_IPS';
DESC NETWORK POLICY your_network_policy_name;

Changes to the network policy take effect within five seconds. OAuth flows and SQL queries resolve immediately.

User-level network policies

If your organization uses user-level network policies (rather than only an account-level policy), you must create a network policy with the Posit public IPs and attach it to both the OAuth security integration and each user who will use Posit Team.

Step 1: Create a network rule with Posit IPs

First, obtain the public IPs by following "Step 1: Obtain the public IPs" in the account-level section above.

Then create a network rule containing those IPs:

Snowsight UI
CREATE OR REPLACE NETWORK RULE POSIT_TEAM_PUBLIC_IPS
  TYPE = IPV4
  VALUE_LIST = ('ip_1', 'ip_2', 'ip_3')
  MODE = INGRESS
  COMMENT = 'Posit Team public egress IPs';

Step 2: Create or update a user-level network policy

Create a new network policy that includes the Posit Team network rule:

Snowsight UI
CREATE NETWORK POLICY IF NOT EXISTS USER_NETWORK_POLICY_POSIT
  ALLOWED_NETWORK_RULE_LIST = ('POSIT_TEAM_PUBLIC_IPS');

Or, if you have an existing user-level policy, add the network rule to it:

Snowsight UI
ALTER NETWORK POLICY your_user_policy
  ADD ALLOWED_NETWORK_RULE_LIST = ('POSIT_TEAM_PUBLIC_IPS');

Step 3: Attach the policy to the security integration

You must attach the network policy to the OAuth security integration. Otherwise, OAuth authentication will fail even if your user-level policy allows the IPs.

For Workbench:

Snowsight UI
ALTER SECURITY INTEGRATION POSIT_TEAM_WORKBENCH_OAUTH
  SET NETWORK_POLICY = USER_NETWORK_POLICY_POSIT;

For Connect:

Snowsight UI
ALTER SECURITY INTEGRATION POSIT_TEAM_CONNECT_OAUTH
  SET NETWORK_POLICY = USER_NETWORK_POLICY_POSIT;

For more information, refer to Snowflake’s documentation on network policies for security integrations.

Step 4: Assign the policy to users

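Assign the network policy to each user who will use Posit Team. A network policy set on a user takes precedence over the account-level policy for that user, so confirm that the assigned policy also allows the other networks those users connect from: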

Snowsight UI
ALTER USER <user_name> SET NETWORK_POLICY = USER_NETWORK_POLICY_POSIT;

Changes to the network policy take effect within five seconds. OAuth flows and SQL queries resolve immediately.

Additional notes

Public IP changes

Snowflake might occasionally update the public IPs associated with SPCS services. Though changes are infrequent, we recommend periodically verifying and updating the IP list to prevent disruptions.
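
The periodic check described here, together with Step 1 and Step 2 above, can be scripted. The following is an added example, not part of the Posit or Snowflake documentation: it validates the sampled addresses, compares them with the entries currently in the network rule, and renders the updated CREATE OR REPLACE NETWORK RULE statement. The function names and sample addresses are assumptions made for illustration, as is the premise that existing rule entries may be written in CIDR notation.

```python
import ipaddress

# Ranges that can never be a public egress IP (RFC 1918, loopback, link-local, CGNAT).
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10")]


def normalize_ips(lines):
    """Return sorted, de-duplicated public IPv4 strings; raise ValueError otherwise."""
    seen = set()
    for raw in lines:
        text = raw.strip()
        if not text:
            continue
        addr = ipaddress.IPv4Address(text)  # ValueError on e.g. a proxy error page
        if any(addr in net for net in NON_PUBLIC):
            raise ValueError(f"{addr} is not a public address")
        seen.add(addr)
    return [str(a) for a in sorted(seen)]


def compare_with_rule(observed, rule_values):
    """Return (missing, unobserved): IPs the rule lacks, rule entries no sample hit."""
    nets = {v: ipaddress.ip_network(v, strict=False) for v in rule_values}
    addrs = [ipaddress.IPv4Address(ip) for ip in observed]
    missing = [str(a) for a in addrs if not any(a in n for n in nets.values())]
    unobserved = [v for v, n in nets.items() if not any(a in n for a in addrs)]
    return missing, unobserved


def render_rule_sql(ips, rule_name="POSIT_TEAM_PUBLIC_IPS"):
    """Build the page's CREATE OR REPLACE NETWORK RULE statement from validated IPs."""
    values = ", ".join(f"'{ip}'" for ip in normalize_ips(ips))  # validated, so safe to quote
    return (f"CREATE OR REPLACE NETWORK RULE {rule_name}\n"
            "  TYPE = IPV4\n"
            f"  VALUE_LIST = ({values})\n"
            "  MODE = INGRESS\n"
            "  COMMENT = 'Posit Team public egress IPs';")


if __name__ == "__main__":
    # Constructed sample data (RFC 5737 documentation addresses), not real SPCS IPs.
    sampled = ["203.0.113.10\n", "198.51.100.7\n", "203.0.113.10\n", "192.0.2.44\n"]
    current_rule = ["198.51.100.7", "203.0.113.0/28", "192.0.2.99"]
    observed = normalize_ips(sampled)
    missing, unobserved = compare_with_rule(observed, current_rule)
    print("add to rule:", missing)
    print("not seen in this sample (review before removing):", unobserved)
    print(render_rule_sql(observed))
```

An entry reported as unobserved is not necessarily stale, because a single run of 20 requests may not surface every egress IP; repeat the sampling before removing anything from the rule.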

Custom egress rules

If you are using custom egress policies, ensure that checkip.amazonaws.com:443 or an equivalent IP identification service is allowed.

Troubleshooting tip

If errors persist, verify the updated network policy and ensure all relevant public IPs are included. You can also consult the Workbench logs for additional details.
