
On Snowflake, does accepting the Anaconda terms pose additional security risk?


On a Snowflake server, I have the permissions that enable reading and writing data using Snowpark Python.

However, I cannot import Anaconda packages, and the error message indicates that Anaconda terms must be accepted.

The person that has the ORGADMIN role has not yet accepted the terms for Anaconda. Someone on the team in charge of this indicated to me that in order for me to use Anaconda packages, I will have to be granted powerful permissions (a security risk) that I currently do not have.

I think they have misunderstood what additional permissions and power I need or will get, and that we won't be in a security situation that is much different than the current arrangement.

Are my instincts wrong? If they are, can someone help me to understand?

If my instincts are correct, an explanation that might resonate with that team would be helpful.


Solution

  • There are various layers to this question:

    • Snowflake provides these packages in partnership with Anaconda to provide Snowflake users a secure and convenient way of bringing Python packages into enterprise workloads - as Anaconda takes care of curating these. This is way more secure than giving people access to use random pip packages.

    With a new native integration, Snowpark for Python users can now seamlessly access one of the most popular ecosystems of Python open-source libraries, without the need for manual installs and package dependency management. Snowpark for Python users’ access to Anaconda’s curated repository of data science and machine learning packages doesn’t require any additional contracts, costs (outside of normal warehouse usage) or Anaconda accounts to manage. https://www.anaconda.com/partners/snowflake

    • However, your ORGADMIN will need to accept the External Offerings Terms:

    Before you start using the packages provided by Anaconda inside Snowflake, you must acknowledge the External Offerings Terms. https://docs.snowflake.com/en/developer-guide/udf/python/udf-python-packages#getting-started

    • In terms of costs related to this, the Snowflake docs explicitly say:

    For convenience, a number of popular open source third-party Python packages that are built and provided by Anaconda are made available to use out of the box inside Snowflake virtual warehouses. There is no additional cost for such use of the Anaconda packages apart from Snowflake’s standard consumption-based pricing -- https://docs.snowflake.com/en/developer-guide/udf/python/udf-python-packages#getting-started

    • In special cases your ORGADMIN might have thoughts like "I only want to give my users access to certain packages", or "I want to give them access to everything, except ...". These situations are not usual, but to cover these needs Snowflake recently added a Packages Policies feature for your admin to make these decisions:

    Using a packages policy enables you to set allowlists and blocklists for third-party Python packages from Anaconda at the account level. This lets you meet stricter auditing and security requirements and gives you more fine-grained control over which packages are available or blocked in your environment. https://docs.snowflake.com/en/developer-guide/udf/python/packages-policy

    Check the growing number of packages on the Snowflake conda channel:
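As an added example (not part of the original answer), the packages policy described above could be set up along these lines, with policy administration held by a dedicated role rather than by the Snowpark user. The database, schema, role and policy names and the package lists are placeholders chosen for illustration.

```sql
-- Added example: names below (sec_db, sec_db.policies, policy_admin,
-- snowpark_pkg_policy) and the package lists are constructed placeholders.

-- A dedicated role manages the policy; the Snowpark user gets no new grants.
USE ROLE ACCOUNTADMIN;
CREATE ROLE IF NOT EXISTS policy_admin;
GRANT USAGE ON DATABASE sec_db TO ROLE policy_admin;
GRANT USAGE ON SCHEMA sec_db.policies TO ROLE policy_admin;
GRANT CREATE PACKAGES POLICY ON SCHEMA sec_db.policies TO ROLE policy_admin;
GRANT APPLY PACKAGES POLICY ON ACCOUNT TO ROLE policy_admin;

-- Review what the Snowflake conda channel currently offers before deciding.
SELECT package_name, version
FROM information_schema.packages
WHERE language = 'python'
ORDER BY package_name, version;

-- Allow only the reviewed packages and block one specific version.
USE ROLE policy_admin;
CREATE PACKAGES POLICY sec_db.policies.snowpark_pkg_policy
  LANGUAGE PYTHON
  ALLOWLIST = ('numpy', 'pandas', 'scikit-learn')
  BLOCKLIST = ('pandas==1.2.3')
  COMMENT = 'Reviewed Anaconda packages for Snowpark workloads';

-- Apply the policy at the account level, then confirm it exists.
ALTER ACCOUNT SET PACKAGES POLICY sec_db.policies.snowpark_pkg_policy;
SHOW PACKAGES POLICIES;
DESCRIBE PACKAGES POLICY sec_db.policies.snowpark_pkg_policy;
```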