top of page

Protegrity With Snowflake

Author: Sirisha Kodukula


To understand Protegrity we need to have a clear understanding of external tokenization. External Tokenization: it tokenizes data before loading it into Snowflake and de-tokenizes the data at query runtime. It is actually a process of removing sensitive data by replacing it with an undecipherable token. External Tokenization makes use of masking policies with external functions. Protegrity helps to protect the most sensitive data in the workplace. The data gets tokenized when the Ptotegrity is applied to the aws s3, when we try to use the data we can detokenize it, this way the data is being super protective.


1. Implementation Demo

2. Outcome

3. Conclusion

4. References

Using Protegrity step by step process

1. Login to AWS account and search for PROTEGRITY and click on the below shown icon.

2. No click on the cloud protect icon box.

3. Follow the steps shown in the picture below and click continue.

4. Create the account by filling in the details asked for.

5. Now log in to the account created.

6. Click on start the setup for Protegrity.

7. Enter account details and create security policy.

8. Choose snowflake as target platform.

9. Follow the steps.

Copy paste the code in snowflake.Now provide for the asked details.

10. Follow the steps shown below. for IAM in AWS services and go to ROLES then trust policy.

12. Protegrity setup is done.

You can use the “setup platform” option to set up the link for new snowflake accounts.


1. Create a masking policy for role accountadmin so that user with roles other than ACCOUNT ADMIN can notice that the details of masked columns are tokenized.


grant role <role_name> TO user <user_name>;

grant usage on database <db_name> to role <role_name>;

grant usage on schema <schema_name> to role <role_name>;

grant select on table <table_name> to role <role_name>;

grant usage on warehouse <wh_name> to role <role_name>

grant usage on warehouse <wh_name> to role <role_name>

-----create masking policy-----

create or replace masking policy mask_login_passwd as (val string) returns string ->


when current_role() in ('<role_name>') then val

else protect_alphanum (val)


alter table <table_name> modify column <column_name> set masking policy mask_login_passwd;

The account admin role case the original data of column.

2. Using sysadmin —---tokenized data.

3. Using ML role—------------data is tokenized.

4. Using DEV_DATA_ER role —--data is tokenized.


Using the Protegrity we have build a use case where only the masking policies are applied to the account admin role and the original data is visible for the particular column. Whereas other roles such as, ML role, DEV_DATA_ER role, SYSADMIN role are unable to see the original data because it is protected by Protegrity.


41 views0 comments

Recent Posts

See All
bottom of page