All posts
June 18, 20264 min read

MCP gateways: what they mean for your least privilege (on Snowflake)

Why least privilege is not automatic with MCP gateways Many assume that simply routing Snowflake traffic through an MCP gateway automatically enforces least privilege. In reality the gateway merely forwards the request; the Snowflake account still receives the original service‑account credentials and can execute any query that those credentials allow. Teams often create a single Snowflake user for an entire application team, embed its password in CI pipelines, and rely on the gateway to keep th

Free White Paper

Least Privilege Principle + On-Call Engineer Privileges: The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Coleman Nye

Why least privilege is not automatic with MCP gateways

Many assume that simply routing Snowflake traffic through an MCP gateway automatically enforces least privilege. In reality the gateway merely forwards the request; the Snowflake account still receives the original service‑account credentials and can execute any query that those credentials allow. Teams often create a single Snowflake user for an entire application team, embed its password in CI pipelines, and rely on the gateway to keep the secret safe. The result is a broad, standing permission set that no longer reflects the principle of least privilege.

Because the gateway does not inspect or limit the SQL statements, a developer who only needs read‑only access can still run DDL or export large data sets. Auditors cannot tell who ran which command, and any breach of the CI secret instantly grants full Snowflake access to every downstream job. The current state is uncomfortable but common: static credentials, shared accounts, and no visibility into individual queries.

The missing enforcement layer

Least privilege requires that the decision to allow a specific operation be made at the moment the request is made, based on the requester’s identity and the exact command. This means the enforcement point must sit between the client and Snowflake, where it can see the full protocol, evaluate policies, and either allow, mask, or block the request. Without such a data‑path control, the only thing you have is the initial identity check performed by the IdP, which tells you *who* can start a session but not *what* they do once the connection is open.

In the ideal model, the setup phase (OIDC or SAML federation, role assignment, and service‑account provisioning) decides who may request access. The gateway, positioned in the data path, is the sole place where policy enforcement can happen. Only when the gateway actively inspects each query can you guarantee that the principle of least privilege is upheld for every Snowflake operation.

hoop.dev as the data‑path gateway for MCP

hoop.dev sits in the data path between the client and Snowflake. It authenticates users via OIDC or SAML, reads group membership, and then proxies the Snowflake connection. Because the gateway is the only point that sees the full SQL payload, it can enforce least privilege in real time.

When a request arrives, hoop.dev checks the user’s identity (the setup stage) and then applies policy rules to the exact statement. If the policy permits a SELECT on a specific schema, hoop.dev allows it; if the statement tries to DROP a table, the gateway blocks it before it reaches Snowflake. The enforcement outcomes, command‑level audit, inline masking of sensitive columns, just‑in‑time approval for risky queries, and session recording for replay, exist only because hoop.dev is positioned in the data path.

Because the gateway holds the Snowflake credential, the client never sees it. This satisfies the “the agent never sees the credential” guarantee and eliminates the risk of credential leakage from CI pipelines. All activity is logged with the user’s identity, providing a complete audit trail that satisfies internal compliance checks.

Continue reading? Get the full guide.

Least Privilege Principle + On-Call Engineer Privileges: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

For teams that want to start quickly, the getting started guide walks through deploying the gateway, configuring OIDC, and registering a Snowflake connection. The learn page explains how to define policy rules for query‑level control, masking, and approval workflows.

Expressing least‑privilege policies in hoop.dev

Policies are declarative rules that map identities or groups to allowed SQL verbs, objects, and columns. A typical rule might state that the "analytics" group may run SELECT on the "public" schema but may not issue INSERT, UPDATE, or DELETE. Another rule could require any ALTER TABLE statement to be routed to a human approver before execution. Because the rules are evaluated by the gateway, they apply uniformly regardless of the client tool, whether a data scientist uses SnowSQL, a notebook library, or an automated ETL job.

These policies are stored centrally in hoop.dev’s configuration store, not on the Snowflake side. That central store makes it easy to audit, version, and roll back changes. When a new team member joins, you simply add them to the appropriate group in your IdP; the gateway automatically picks up the new membership on the next login and enforces the existing rules without any Snowflake changes.

Operational impact and best practices

Deploying hoop.dev introduces a single, observable boundary for all Snowflake traffic. This simplifies incident response: you can replay a session to see exactly which statement was run, by whom, and whether it was approved. It also reduces blast radius because a compromised service account can only issue commands that pass the gateway’s policy checks.

Best practices include:

  • Start with a deny‑by‑default rule set and gradually open permissions as you verify business needs.
  • Use just‑in‑time approvals for high‑risk operations such as data exports or schema changes.
  • Enable inline masking for columns that contain PII so that even authorized users only see redacted values unless a higher‑level approval is granted.
  • Regularly review session logs to detect patterns of privilege creep.

These practices turn the abstract principle of least privilege into an enforceable, observable control that lives where the data actually flows.

FAQ

Does hoop.dev replace Snowflake’s own role‑based access control?No. hoop.dev complements Snowflake RBAC by adding a second enforcement layer that works on each query, ensuring that even privileged roles cannot exceed the least‑privilege policies you define at the gateway.Can existing Snowflake users continue to connect without changes?Yes. Users can still use their familiar clients (psql, SnowSQL, etc.). The only change is that the connection endpoint points to hoop.dev, which then forwards the request after applying policy checks.How are policy changes propagated to active sessions?hoop.dev checks policies at the start of each statement. If you modify a rule, the next statement issued in an existing session will be evaluated against the updated policy, providing near‑real‑time enforcement.

Explore the source code, contribute improvements, and see how the community builds on this model at the GitHub repository.

Open source

Save the open-source gateway for agent data access

Hoop is MIT-licensed infrastructure for controlling how AI agents reach production data. Star hoophq/hoop so you can inspect it, deploy it, or share it when your team starts governing agent access.

Star and save the repo →More posts
Ask AI about this topic
ClaudeChatGPTGrokGeminiPerplexityCopilot