All posts
June 18, 20264 min read

Non-human identity for autonomous agents on Snowflake

When autonomous agents query Snowflake with a non-human identity, every row they touch is recorded, masked, and approved in real time, creating a tamper‑evident audit trail for auditors. The challenge is that a non‑human identity alone does not stop an agent from issuing unrestricted commands, leaking sensitive fields, or bypassing human review. To protect data while still enabling automation, organizations need a control point that can see each request, enforce masking rules, require just‑in‑ti

Free White Paper

Non-Human Identity Management + Single Sign-On (SSO): The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Coleman Nye

When autonomous agents query Snowflake with a non-human identity, every row they touch is recorded, masked, and approved in real time, creating a tamper‑evident audit trail for auditors. The challenge is that a non‑human identity alone does not stop an agent from issuing unrestricted commands, leaking sensitive fields, or bypassing human review. To protect data while still enabling automation, organizations need a control point that can see each request, enforce masking rules, require just‑in‑time approvals, and capture a replayable session log. By placing that control point on the data path, the policy engine can make decisions based on the agent’s identity and the content of the query before the request ever reaches Snowflake.

Current practice: shared credentials and blind access

Most organizations grant their AI‑driven workloads a single Snowflake user name and password, stored in a secret manager or embedded in code. The same credential is reused across dozens of pipelines, batch jobs, and experimental notebooks. Because the credential is human‑oriented, it carries the same permissions as a developer, often with broad read and write rights. The result is a noisy audit surface: every agent request appears as if a person performed it, and the underlying logs contain no indication of which automated process issued the command. Moreover, no inline data masking occurs, so sensitive columns flow back to downstream services unchecked.

Why non‑human identity is only part of the solution

Introducing a service account or a dedicated Snowflake role for each autonomous agent solves the credential‑sharing problem. The agent now authenticates with a non‑human identity that can be scoped to the exact tables and warehouses it needs. However, the connection still goes straight to Snowflake. Without a control point on the traffic path, the following gaps remain:

  • Snowflake itself records the query, but the log does not capture the policy checks that should have run before execution.
  • There is no mechanism to mask personally identifiable information (PII) or payment card data before it reaches the downstream consumer.
  • Requests that touch high‑risk objects cannot be routed for human approval, so a rogue or mis‑configured agent can still cause damage.
  • Replay of a session for forensic analysis is impossible because the raw traffic never leaves the Snowflake audit log.

In short, non‑human identity establishes who is acting, but it does not enforce what they are allowed to do.

hoop.dev as the data‑path enforcement layer

hoop.dev sits between the agent and Snowflake as a Layer 7 gateway. Every Snowflake request from an autonomous process is proxied through the gateway, where hoop.dev applies policy before the query reaches the database. Because the gateway is the only point that can see the traffic, it can enforce the following outcomes:

  • Session recording. hoop.dev captures the full request and response stream, storing a replayable artifact that auditors can review independent of Snowflake’s native logs.
  • Inline data masking. Sensitive fields identified by policy are redacted in the response before they leave the gateway, ensuring downstream services never see raw PII or PCI data.
  • Just‑in‑time approval. Queries that match a high‑risk pattern are paused and routed to an approver; the agent proceeds only after explicit consent.
  • Command‑level blocking. Dangerous DDL or data‑exfiltration commands are filtered out, preventing accidental or malicious schema changes.

All of these controls are driven by the non‑human identity presented in the OIDC token. hoop.dev reads the token, maps the service account to a Snowflake role, and then evaluates the request against the policy attached to that role. These outcomes are tied to the non‑human identity presented by the agent.

Architectural steps to enable non‑human identity with hoop.dev

1. Deploy the gateway. Use the Docker Compose quick‑start or a Kubernetes manifest to run hoop.dev inside the same network as Snowflake. The deployment includes an OIDC verifier that trusts your identity provider.

Continue reading? Get the full guide.

Non-Human Identity Management + Single Sign-On (SSO): Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

2. Register the Snowflake connection. In the hoop.dev UI, define a Snowflake target and supply the credential that the gateway will use as the session principal. The credential is stored only inside the gateway; agents never see it.

3. Create a service account for each autonomous workload. In your IdP, issue a client‑credentials flow that returns a JWT containing a unique subject for the agent. Assign the JWT to a Snowflake role that grants just the required warehouse and database permissions.

4. Define policies. In the hoop.dev policy editor, specify which queries require masking, which need approval, and which are outright blocked. Policies can reference the non‑human identity to apply different rules per agent.

5. Connect through the gateway. Agents use their standard Snowflake client libraries (for example, the Python connector) but point the endpoint to the hoop.dev address. The gateway transparently proxies the traffic, enforcing the policies defined earlier.

When the flow is complete, every autonomous Snowflake interaction is bound to a non‑human identity, audited, masked, and optionally approved, all without changing the agent’s code.

Getting started

For a step‑by‑step walkthrough, see the getting‑started guide. The documentation explains how to configure OIDC, register Snowflake as a target, and author policies for masking and approval. The full source code, including the gateway implementation, is available on GitHub.

Learn more about policy capabilities

The learn section provides deeper insight into inline masking, session replay, and just‑in‑time approval workflows. It also covers best practices for scoping non‑human identities in Snowflake.

FAQ

Q: Do I need to modify my existing Snowflake queries?
A: No. Agents continue to use the same client libraries and SQL statements. The only change is the endpoint address, which points to the hoop.dev gateway.

Q: How does hoop.dev ensure that the gateway itself cannot be bypassed?
A: Because the gateway is the sole network path to Snowflake for the registered service accounts, any attempt to connect directly would be rejected by the network firewall or by Snowflake’s access policies, which only trust the gateway’s session principal.

Q: Is the masking performed on the Snowflake side?
A: No. hoop.dev intercepts the response stream and redacts configured fields before the data leaves the gateway, keeping the raw values inside Snowflake and out of downstream systems.

Open source

Save the open-source gateway for agent data access

Hoop is MIT-licensed infrastructure for controlling how AI agents reach production data. Star hoophq/hoop so you can inspect it, deploy it, or share it when your team starts governing agent access.

Star and save the repo →More posts
Ask AI about this topic
ClaudeChatGPTGrokGeminiPerplexityCopilot