Security

Ingress traffic

The Workbench Native App runs in Snowpark Container Services (SPCS) and is accessible via a secured subdomain provided by Snowflake, such as https://<prefix>.snowflakecomputing.com or https://<prefix>.privatelink.snowflakecomputing.com. SPCS ingress manages access to Workbench. All standard Snowflake authentication methods, including organizational SSO requirements, apply. For details on ingress, see Ingress: Using a Service from outside Snowflake.

For details on granting specific roles ingress access, see Grant access to Posit Workbench.

Egress traffic

By default, the Workbench Native App configures network rules to allow open egress traffic.

To restrict egress, refer to changing the egress policy. The Workbench application itself only connects to Snowflake for the following purposes:

  • OAuth authentication flow

  • Database ODBC driver calls

  • Online Certificate Status Protocol (OCSP) certificate validation

However, users can make arbitrary external requests, so administrators are advised to restrict egress where appropriate.

Default egress policy

The Native App’s default egress policy includes these endpoints. Optional ones can be removed:

| Endpoint | Required | Description |
| --- | --- | --- |
| <organization>-<account>.snowflakecomputing.com:443 | Yes | For Snowflake OAuth and ODBC queries |
| ocsp.snowflakecomputing.com:80 | Yes | For Snowflake certificate validation |
| ocsp.digicert.com:80 | Yes | For Snowflake certificate validation |
| open-vsx.org:443, openvsxorg.blob.core.windows.net:443 | Optional | To download VS Code and Positron extensions |
| p3m.dev:443, rspm-sync.rstudio.com:443 | Optional | For downloading PyPI, R, and Bioconductor packages from Posit-managed mirrors |
| 0.0.0.0:443, 0.0.0.0:80 | Optional | Allows open egress; required for Snowflake VS Code Extension functionality |

You can determine your Snowflake account’s endpoint using this SQL query:

In the Snowsight UI, run:

    SELECT REPLACE(LOWER(CURRENT_ORGANIZATION_NAME()), '_', '-') || '-' || REPLACE(LOWER(CURRENT_ACCOUNT_NAME()), '_', '-') || '.snowflakecomputing.com';

You can verify the generated URL by visiting it in your browser; it should redirect to your Snowflake account where the Workbench Native App is hosted.

For further details, see Snowflake Network Rules.
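The following is an added example, not code from the Posit or Snowflake documentation. It encodes the endpoint table above as data, derives the account-specific endpoint with the same lowercase-and-replace-underscores transformation as the Snowsight query, and audits a candidate egress allowlist (the kind of host:port list a Snowflake network rule carries): required endpoints that are missing would break OAuth, ODBC, or OCSP validation, the 0.0.0.0 entries mean open egress, and anything not in the table is flagged for review. The organization and account names and the two candidate lists are constructed sample values.

```python
"""Audit a proposed egress allowlist for the Workbench Native App.

Added example (not part of the Posit or Snowflake docs). Endpoint sets are
taken from the default egress policy table on this page; org/account names
and the candidate lists at the bottom are constructed sample data.
"""
from __future__ import annotations

# Required endpoints whose host does not depend on the account.
REQUIRED_STATIC = {
    "ocsp.snowflakecomputing.com:80",
    "ocsp.digicert.com:80",
}

# Optional endpoints from the same table (safe to drop).
OPTIONAL = {
    "open-vsx.org:443",
    "openvsxorg.blob.core.windows.net:443",
    "p3m.dev:443",
    "rspm-sync.rstudio.com:443",
}

# Wildcard entries: present only when open egress is intended.
OPEN_EGRESS = {"0.0.0.0:443", "0.0.0.0:80"}


def account_endpoint(org_name: str, account_name: str) -> str:
    """Build <organization>-<account>.snowflakecomputing.com:443 using the
    same rule as the Snowsight query: lowercase, '_' -> '-', joined by '-'."""
    org = org_name.lower().replace("_", "-")
    acct = account_name.lower().replace("_", "-")
    return f"{org}-{acct}.snowflakecomputing.com:443"


def audit_egress(value_list: list[str], org_name: str, account_name: str) -> dict:
    """Classify every entry of a candidate allowlist.

    Returns a dict with:
      missing_required  required endpoints absent from the list
      open_egress       wildcard entries that permit arbitrary outbound traffic
      unknown           entries not in the documented table (review these)
      optional_present  documented optional endpoints that were kept
    """
    required = REQUIRED_STATIC | {account_endpoint(org_name, account_name)}
    entries = {e.strip().lower() for e in value_list if e.strip()}
    return {
        "missing_required": sorted(required - entries),
        "open_egress": sorted(entries & OPEN_EGRESS),
        "unknown": sorted(entries - required - OPTIONAL - OPEN_EGRESS),
        "optional_present": sorted(entries & OPTIONAL),
    }


def is_restricted(report: dict) -> bool:
    """True when the list covers Workbench's own needs and nothing else:
    no required endpoint missing, no open egress, no undocumented hosts."""
    return not (report["missing_required"] or report["open_egress"] or report["unknown"])


if __name__ == "__main__":
    # Constructed sample: organization MY_ORG, account PROD_ACCOUNT.
    minimal = [
        account_endpoint("MY_ORG", "PROD_ACCOUNT"),
        "ocsp.snowflakecomputing.com:80",
        "ocsp.digicert.com:80",
        "p3m.dev:443",
    ]
    # Constructed sample: a list that drops OCSP and keeps the wildcard.
    loose = [
        account_endpoint("MY_ORG", "PROD_ACCOUNT"),
        "0.0.0.0:443",
        "example-mirror.internal:443",
    ]
    for name, candidate in (("minimal", minimal), ("loose", loose)):
        report = audit_egress(candidate, "MY_ORG", "PROD_ACCOUNT")
        print(name, "restricted" if is_restricted(report) else "NOT restricted", report)
```

Run it against the VALUE_LIST you intend to put in the network rule; a list that passes is_restricted still needs the optional entries your users actually rely on (package mirrors, extension downloads), which the report lists under optional_present.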

Root access in the Workbench Native App

The Workbench Native App prohibits root access. No user, including administrators, has sudo access. This ensures:

  • System reliability
  • User data isolation (no access to other users’ files)
  • Protection of managed OAuth credentials