All posts
June 18, 20264 min read

Putting access controls around Cursor: production access for AI coding agents (on Snowflake)

Why unrestricted AI agents are a liability Production access for AI coding agents must be tightly controlled, otherwise a single mis‑interpreted request can expose personally identifiable information, trigger costly compute spikes, or even drop critical tables. In many teams the Cursor agent is granted a static Snowflake user or role that is baked into CI pipelines and shared across dozens of jobs. The credential never changes, audit logs are limited to Snowflake’s generic query history, and th

Free White Paper

Cursor / AI IDE Security + Snowflake Access Control: The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Coleman Nye

Why unrestricted AI agents are a liability

Production access for AI coding agents must be tightly controlled, otherwise a single mis‑interpreted request can expose personally identifiable information, trigger costly compute spikes, or even drop critical tables. In many teams the Cursor agent is granted a static Snowflake user or role that is baked into CI pipelines and shared across dozens of jobs. The credential never changes, audit logs are limited to Snowflake’s generic query history, and there is no real‑time visibility into which prompt caused a particular query. When the agent misinterprets a request or a downstream developer inadvertently expands its scope, the result can be a massive export of PII, an accidental table drop, or a spike in warehouse usage that blows the monthly bill.

The missing piece in AI‑driven production access

What the organization really needs is a production access control layer that can enforce just‑in‑time permissions, require human approval for risky statements, mask sensitive columns in query results, and record every interaction for later replay. The ideal solution would sit on the path between the Cursor agent and Snowflake, inspecting each wire‑protocol message before it reaches the database. In the current state, however, the request still travels directly to Snowflake’s endpoint. No gateway intercepts the traffic, no inline guardrails are applied, and Snowflake receives the raw query without any contextual policy enforcement. The result is a gap where compliance, security, and cost‑control expectations are unmet.

How hoop.dev closes the gap

hoop.dev is a Layer 7 gateway that proxies connections to infrastructure services, including Snowflake, and applies policy at the protocol level. When a Cursor agent initiates a connection, the request is routed through hoop.dev’s gateway instead of going straight to Snowflake. Because hoop.dev sits in the data path, it can enforce the missing controls:

  • Just‑in‑time access. hoop.dev checks the identity token presented by the agent against group membership and grants a time‑boxed session only for the requested operation.
  • Approval workflows. If a query matches a high‑risk pattern such as a DROP statement or a SELECT that touches a column marked as containing PII, hoop.dev routes the request to a human approver before forwarding it to Snowflake.
  • Inline data masking. Responses that contain sensitive fields are stripped or redacted by hoop.dev before they reach the agent, preventing accidental exposure in downstream logs or UI displays.
  • Session recording. Every command and its result are captured by hoop.dev, enabling replay for forensic analysis or audit reporting.

All of these outcomes exist only because hoop.dev occupies the gateway position. The identity verification step (OIDC or SAML) happens before the request reaches the data path, but the enforcement actions themselves are performed by hoop.dev, not by Snowflake or by the Cursor agent.

Architectural overview for Cursor on Snowflake

The deployment consists of three logical parts:

Continue reading? Get the full guide.

Cursor / AI IDE Security + Snowflake Access Control: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.
  1. Identity provider. Your organization’s IdP (Okta, Azure AD, Google Workspace, etc.) issues short‑lived tokens that represent a developer or an automated service. hoop.dev is configured as a relying party and validates these tokens on every connection attempt.
  2. hoop.dev gateway. A Docker Compose or Kubernetes deployment runs the gateway close to the Snowflake network. The gateway holds the Snowflake credential, so the Cursor agent never sees it. It intercepts the PostgreSQL‑compatible wire protocol used by Snowflake’s SQL endpoint.
  3. Snowflake target. The actual data warehouse remains unchanged. hoop.dev forwards only the queries that have passed policy checks, and it returns the filtered results to the agent.

This separation ensures that the only component capable of blocking, masking, or approving a query is the gateway itself. Even if an attacker compromises the Cursor runtime, they still cannot bypass hoop.dev because the gateway validates every message on the fly.

Implementing the controls

Start by deploying the hoop.dev gateway using the provided Docker Compose quick‑start. The compose file includes OIDC configuration, a default policy set, and a built‑in agent that runs inside the same network as Snowflake. Once the gateway is running, register Snowflake as a connection in hoop.dev’s catalog, supplying the service account credentials that the gateway will use. Next, define a policy that marks columns containing PII as sensitive and specifies that any SELECT touching those columns must be masked. Add a rule that any DROP, ALTER, or CREATE statement requires manual approval. Finally, enable session recording so every interaction is persisted for audit. All of these steps are described in the official getting‑started guide and the feature documentation. The guide walks you through the necessary YAML configuration, the policy language, and the UI for approving requests. For a deeper dive into policy syntax and best practices, see the learning hub.

Common mistakes to avoid

  • Sharing the Snowflake credential directly with the AI agent. Doing so defeats the purpose of the gateway because the agent can then connect without any interception.
  • Relying solely on Snowflake’s native query logs. Those logs do not capture the context of the requestor’s identity token or any inline masking that may have occurred.
  • Disabling approval workflows for convenience. Approvals are the last line of defense against destructive commands; turning them off re‑introduces the original risk.

By keeping the credential inside hoop.dev, preserving the full audit trail, and maintaining the approval step, you retain the security benefits while still allowing the Cursor agent to be productive.

FAQ

Does hoop.dev store Snowflake credentials?

Yes, the gateway holds the credential in memory and uses it only to forward approved queries. The credential never leaves the gateway process, and the Cursor agent never sees it.

Can I audit who approved a risky query?

hoop.dev records the approver’s identity, the time of approval, and the exact query that was allowed. All of this appears in the session replay logs.

Is inline masking reversible?

Masking is applied before the result leaves the gateway, so the original data never reaches the agent. The masked data is what gets stored in any downstream logs.

Next steps

Review the getting‑started documentation to spin up the gateway, then explore the policy examples in the learn section. When you’re ready to contribute or customize the solution, clone the hoop.dev source repository and follow the contribution guidelines.

Open source

Save the open-source gateway for agent data access

Hoop is MIT-licensed infrastructure for controlling how AI agents reach production data. Star hoophq/hoop so you can inspect it, deploy it, or share it when your team starts governing agent access.

Star and save the repo →More posts
Ask AI about this topic
ClaudeChatGPTGrokGeminiPerplexityCopilot