All posts
September 10, 20251 min read

Secure and Fast Queries with pgcli and Snowflake Data Masking

The query was slow, so I ran it in pgcli. The results came back fast, formatted, and easy to read. But this time, the data wasn’t raw. Sensitive fields were masked before they even hit my terminal. That’s the power of combining pgcli with Snowflake Data Masking. For teams working across datasets with both public and private information, controlling who sees what is not optional. Snowflake’s Dynamic Data Masking lets you define masking policies directly in your database. Columns like email, phon

Free White Paper

Data Masking (Static) + VNC Secure Access: The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Andrios Robert

The query was slow, so I ran it in pgcli. The results came back fast, formatted, and easy to read. But this time, the data wasn’t raw. Sensitive fields were masked before they even hit my terminal. That’s the power of combining pgcli with Snowflake Data Masking.

For teams working across datasets with both public and private information, controlling who sees what is not optional. Snowflake’s Dynamic Data Masking lets you define masking policies directly in your database. Columns like email, phone, or credit card can be automatically obfuscated based on a user’s role, making it impossible for unauthorized users to see sensitive details.

Pgcli, the command-line client for PostgreSQL with autocompletion and syntax highlighting, is already loved for speed and clarity. When your Snowflake instance is exposed through the Postgres-compatible interface, pgcli can become your secure window into production data. This is where the workflow clicks: lightning-fast queries with masked data enforcement.

Setting it up is straightforward. First, create masking policies in Snowflake:

Continue reading? Get the full guide.

Data Masking (Static) + VNC Secure Access: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.
CREATE MASKING POLICY mask_email AS (val STRING) RETURNS STRING ->
 CASE
 WHEN CURRENT_ROLE() IN ('FULL_ACCESS_ROLE') THEN val
 ELSE CONCAT('***', RIGHT(val, 7))
 END;

Then apply it to the target column:

ALTER TABLE users 
MODIFY COLUMN email 
SET MASKING POLICY mask_email;

Now, whether you connect from pgcli, a BI tool, or an ETL job, the masking rules apply consistently. No more relying on front-end filters or hoping every script obeys a manual rule. The database enforces the policy.

When you query masked columns through pgcli, the output is instantly usable and secure. You still benefit from pgcli’s smart autocompletion, syntax coloring, and table formatting. But the sensitive data only reveals itself to those with the right role. This reduces risk, simplifies compliance, and removes the need for duplicated masking logic in application code.

For engineering teams, this means faster debugging, safer analysis, and fewer data leaks. For managers, it means governance you can trust at the source.

You can see this working in minutes. Visit hoop.dev, connect your Snowflake instance, and run secure, masked queries from your browser with zero install. The combination of pgcli workflows, Snowflake Data Masking, and instant hoop.dev hosting gets you from setup to secure output faster than ever.

Get started

See hoop.dev in action

One gateway for every database, container, and AI agent. Deploy in minutes.

Get a demoMore posts