How to allow Dynamic IPs for AtScale's Native Snowflake App

The architecture of the AtScale Snowflake Native app leverages both Snowpark Container Services and ngrok in order to achieve connectivity over HTTP and TCP for AtScale. Because of this, there are additional security components that will need to be taken into account if you are using Network Policies in your Snowflake account to manage access. 

Both of these services use a dynamic, changing set of IP addresses, which must be accommodated to allow initial and ongoing connectivity. To do so, use a Programmatic Access Token (PAT) for the account that connects to Snowflake from AtScale, together with a custom authentication policy that allows PAT access to bypass the network rules.

You can create an authentication policy that reduces or removes the network policy requirement for programmatic access tokens. Execute the following command to allow programmatic access tokens without requiring a network policy:

CREATE AUTHENTICATION POLICY bypass_pat_network_policy
PAT_POLICY=(
NETWORK_POLICY_EVALUATION = NOT_ENFORCED
);

Then apply this policy to your service accounts or to the entire account. This approach maintains security while accommodating authentication using PAT and dynamic IP addresses.

With this policy in place, the user does not need to be subject to a network policy to generate and use programmatic access tokens.

If the user is subject to a network policy, that network policy is not enforced during authentication with a programmatic access token.
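The "apply this policy" step above, written out as an added example (not AtScale's or Snowflake's own script) that attaches the policy to a single service user, issues a role-restricted token with an expiry, and checks the result. The user `atscale_svc`, role `ATSCALE_ROLE` and token name `atscale_pat` are hypothetical, and the policy is assumed to live in the current schema.

```sql
-- Added example. atscale_svc, ATSCALE_ROLE and atscale_pat are hypothetical names.

-- 1. Confirm the policy carries the PAT setting before attaching it.
DESCRIBE AUTHENTICATION POLICY bypass_pat_network_policy;

-- 2. Attach the policy to the one user AtScale connects as.
--    A user-level authentication policy takes precedence over an
--    account-level one, so only this user gets the PAT exemption.
ALTER USER atscale_svc
  SET AUTHENTICATION POLICY bypass_pat_network_policy;

--    Account-wide alternative mentioned in the article:
-- ALTER ACCOUNT SET AUTHENTICATION POLICY bypass_pat_network_policy;

-- 3. Issue the token. Because the network policy no longer gates PAT
--    logins for this user, the token is bound to one role and a fixed
--    lifetime. The token secret is shown only in this statement's output.
ALTER USER atscale_svc
  ADD PROGRAMMATIC ACCESS TOKEN atscale_pat
  ROLE_RESTRICTION = 'ATSCALE_ROLE'
  DAYS_TO_EXPIRY = 30
  COMMENT = 'AtScale native app connection';

-- 4. Verify which policy applies to the user and which tokens exist.
SHOW AUTHENTICATION POLICIES ON USER atscale_svc;
SHOW USER PROGRAMMATIC ACCESS TOKENS FOR USER atscale_svc;

-- 5. Rotate before expiry, or remove the token if it is exposed.
-- ALTER USER atscale_svc ROTATE PROGRAMMATIC ACCESS TOKEN atscale_pat;
-- ALTER USER atscale_svc REMOVE PROGRAMMATIC ACCESS TOKEN atscale_pat;

-- 6. To restore network policy enforcement for this user's tokens:
-- ALTER USER atscale_svc UNSET AUTHENTICATION POLICY;
```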
