Request external access integrations (EAIs) with app specifications
This topic describes how to configure a Snowflake Native App to use app specifications to request access to an external access integration (EAI) in the consumer account. An EAI allows an app to connect to an endpoint that is external to Snowflake.
Access external endpoints from an app
To access an external endpoint, an app must create a network rule and an EAI, which uses network rules to restrict access to specific external network locations. Network rules define the external endpoints that an app can access.
To configure an app to use an EAI, follow these steps:
To request privileges from the consumer to create an EAI, use automated granting of privileges.
Add an EAI to an app.
Use app specifications to request permission from the consumer to connect to external endpoints.
Note
A single app specification applies to all of the EAIs created by the app. Providers can create multiple app specifications for an app; however, this is not required.
App specification workflow for an EAI
Providers configure automated granting of privileges for the app. This allows consumers to give permission to an app to create the EAI.
Note
App specifications require that manifest_version: 2 be set in the manifest file.
Providers add the CREATE EXTERNAL ACCESS INTEGRATION privilege to the manifest file.
Providers add SQL statements to the setup script to create the following objects:
The setup script creates the app specification and other objects when the app is installed or upgraded or at runtime.
When configuring the app, consumers review and approve the host ports and external services. For more information on how consumers view and approve app specifications, see Approve connections to external resources using app specifications.
App specification definition for an EAI
The app specification definition for an EAI contains the following entries:
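HOST_PORTS: A list of host ports defined in the network rules that the app requires.
PRIVATE_HOST_PORTS: A list of private host ports that allow private connectivity to resources outside Snowflake.
Note
These values must match the values that the app uses when creating the network rule.
Set the version of the manifest file
To enable automated granting of privileges for an app, set the version at the beginning of the manifest file, as shown in the following example: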
manifest_version: 2
Add the CREATE EXTERNAL ACCESS INTEGRATION privilege to the manifest file
The CREATE EXTERNAL ACCESS INTEGRATION privilege allows the app to create an external access integration during installation or upgrade.
To configure an app to request the CREATE EXTERNAL ACCESS INTEGRATION privilege, add the following code to the privileges section of the manifest file:
manifest_version: 2
...
privileges:
  - CREATE EXTERNAL ACCESS INTEGRATION:
      description: "Allows the app to create an EAI to connect to an external service."
...
If you set the manifest_version to 2 in the manifest file, Snowflake
automatically grants the CREATE EXTERNAL ACCESS INTEGRATION privilege to the app
during installation or upgrade.
Add a network rule and an EAI to the setup script
EAIs are the Snowflake objects that enable access to specific external network locations and contain a list of network rules that specify the external locations that an app can access.
To create a network rule for an app, add the CREATE NETWORK RULE command to the setup script, as shown in the following example:
CREATE OR REPLACE NETWORK RULE setup.my_network_rule
  TYPE = HOST_PORT
  VALUE_LIST = ('example.com')
  MODE = EGRESS;
The HOST_PORT and VALUE_LIST properties indicate that the network rule must point to a
valid domain, port, or range of ports. When an app is installed or upgraded,
consumers grant permission for the app to use these domains or ports.
Create an EAI
To create an EAI for an app, add the CREATE EXTERNAL ACCESS INTEGRATION command to the setup script, as shown in the following example:
CREATE OR REPLACE EXTERNAL ACCESS INTEGRATION my_app_prefix_eai_rule
  ALLOWED_NETWORK_RULES = (setup.my_network_rule)
  ENABLED = TRUE;
Note
This command creates an EAI in the consumer account. However, it is not usable until the consumer approves the app specifications that allow external access to the requested host ports.
For more information, see Approve connections to external resources using app specifications.
Creating a user-defined function to access the external endpoint
After the EAI is created, the setup script can create user-defined functions and stored procedures that use it to connect to the endpoints defined in the network rule.
The following example shows a user-defined function that uses the
my_app_prefix_eai_rule EAI:
CREATE OR REPLACE FUNCTION setup.EXTERNAL_ACCESS_UDF(hostname STRING)
  RETURNS STRING
  LANGUAGE JAVA
  HANDLER='TestHostNameLookup.compute'
  EXTERNAL_ACCESS_INTEGRATIONS = (my_app_prefix_eai_rule)
AS
'
import java.net.InetAddress;
import java.net.UnknownHostException;

class TestHostNameLookup {
  public static String compute(String hostname) throws Exception {
    InetAddress addr = null;
    try {
      // Resolve the hostname passed to the function.
      addr = InetAddress.getByName(hostname);
    } catch (UnknownHostException ex) {
      return "Hostname lookup failed";
    }
    return "Hostname lookup successful";
  }
}
';
GRANT USAGE ON FUNCTION setup.EXTERNAL_ACCESS_UDF(STRING)
TO APPLICATION ROLE app_public;
This function sets the value of the EXTERNAL_ACCESS_INTEGRATIONS to the EAI created previously.
This function uses the java.net.InetAddress class to look up the hostname passed to
the function. The hostname provided must match one of the values provided in the VALUE_LIST
property of the network rules used by the EAI.
Creating an app specification for an EAI
The following example shows how to create an app specification for an EAI:
ALTER APPLICATION SET SPECIFICATION eai_app_spec
  TYPE = EXTERNAL_ACCESS
  LABEL = 'Connection to an external API'
  DESCRIPTION = 'Access an API that exists outside Snowflake'
  HOST_PORTS = ('example.com');
This command creates an app specification named eai_app_spec.
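The HOST_PORTS values in an app specification must match the values used in the network rule, and a consumer approves only what the specification lists. As an added example (not Snowflake's code), the following Python check compares the two in a setup script before release; the script text is constructed from this page's statements with one extra host added to the rule, the function names are hypothetical, and entries are compared as literal strings, ignoring case.

```python
import re

# Constructed setup-script excerpt: the page's statements plus one extra host in the rule.
SETUP_SQL = """
CREATE OR REPLACE NETWORK RULE setup.my_network_rule
  TYPE = HOST_PORT
  VALUE_LIST = ('example.com', 'api.example.com:443')
  MODE = EGRESS;

CREATE OR REPLACE EXTERNAL ACCESS INTEGRATION my_app_prefix_eai_rule
  ALLOWED_NETWORK_RULES = (setup.my_network_rule)
  ENABLED = TRUE;

ALTER APPLICATION SET SPECIFICATION eai_app_spec
  TYPE = EXTERNAL_ACCESS
  LABEL = 'Connection to an external API'
  DESCRIPTION = 'Access an API that exists outside Snowflake'
  HOST_PORTS = ('example.com');
"""

def _items(body):
    """Split a parenthesised list body into lower-cased, unquoted entries."""
    return {v.strip().strip("'\"").lower() for v in body.split(",") if v.strip()}

def egress_rules(sql):
    """Map each TYPE = HOST_PORT network rule name to its VALUE_LIST entries."""
    rules = {}
    pat = r"CREATE\s+(?:OR\s+REPLACE\s+)?NETWORK\s+RULE\s+([\w.]+)([^;]*);"
    for name, body in re.findall(pat, sql, re.I):
        values = re.search(r"VALUE_LIST\s*=\s*\(([^)]*)\)", body, re.I)
        if values and re.search(r"TYPE\s*=\s*HOST_PORT", body, re.I):
            rules[name.lower()] = _items(values.group(1))
    return rules

def audit(sql):
    """Return (hosts in EAI rules but in no spec, hosts in a spec but in no EAI rule)."""
    rules = egress_rules(sql)
    reachable = set()
    for body in re.findall(r"ALLOWED_NETWORK_RULES\s*=\s*\(([^)]*)\)", sql, re.I):
        for rule in _items(body):
            reachable |= rules.get(rule, set())
    declared = set()  # the lookbehind skips PRIVATE_HOST_PORTS, which is out of scope here
    for body in re.findall(r"(?<![A-Z_])HOST_PORTS\s*=\s*\(([^)]*)\)", sql, re.I):
        declared |= _items(body)
    return sorted(reachable - declared), sorted(declared - reachable)

if __name__ == "__main__":
    print(audit(SETUP_SQL))
```

A non-empty first list means the network rule names a host that the specification does not present to the consumer for approval; a non-empty second list means the specification asks for a host that no rule uses.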
Approve the app specification in the consumer account
After the provider configures the app to create the network rule, EAI, and app specification, consumers can view the app specification and approve or decline it as appropriate when configuring the app. For more information, see Approve connections to external resources using app specifications.