SOC 2 for non-human identities: governing machine access end to end (on Snowflake)

Machine accounts with static keys are a silent data breach waiting to happen. Most engineering teams grant those accounts blanket privileges on Snowflake, embed credentials in CI pipelines, and never revisit the permissions. When a compromised token lands in a public repository, the attacker can query, export, or even drop entire warehouses without any trace in the organization’s logs. The result is a compliance blind spot that SOC 2 auditors will flag under logical access controls and change‑management criteria.

In practice, a non‑human identity is created once, assigned a role that spans multiple databases, and then stored in a secret manager or hard‑coded in deployment manifests. The service connects directly to Snowflake using that credential, bypasses any runtime gate, and the Snowflake engine processes the request as if a human had issued it. There is no central point where the request can be inspected, approved, or recorded before it reaches the data plane.

This state satisfies the “setup” requirement for SOC 2: an identity exists, it is authenticated, and it is authorized to talk to Snowflake. What remains missing is a controllable data path that can enforce policy, capture evidence, and provide the audit trail required by the standard. Without that, the organization cannot demonstrate who ran which query, whether sensitive columns were exposed, or if a privileged command was performed under proper oversight.

How hoop.dev creates a SOC 2‑compliant data path for machine access

hoop.dev sits between the service account and Snowflake, acting as an identity‑aware proxy that inspects every wire‑level request. Because the gateway is the only place the traffic passes, hoop.dev can enforce the controls that SOC 2 expects from a logical access control system.

• Audit logging. hoop.dev records each query, the calling identity, timestamps, and outcome. The logs are immutable outside the gateway process, giving auditors a complete trail for the CC6.1 logical access control requirement.
• Just‑in‑time approval. For high‑risk operations such as CREATE, ALTER, or DROP, hoop.dev pauses the request and routes it to an approver. Only after explicit consent does the command reach Snowflake, satisfying SOC 2 change‑management controls (CC8.1).
• Inline data masking. When a query returns columns that contain personally identifiable information, hoop.dev masks those fields in real time. This reduces exposure of sensitive data and aligns with the privacy‑related criteria of SOC 2.
• Command blocking. hoop.dev can reject dangerous statements (e.g., UNLOAD to external storage) before they are executed, preventing accidental data exfiltration.
• Session recording and replay. Every interaction is captured as a replayable session. Auditors can reconstruct the exact sequence of commands, meeting evidence‑collection expectations for both access reviews and incident investigations.

All of these outcomes are possible only because hoop.dev occupies the data path. The underlying identity provider (OIDC, SAML, etc.) determines who may start a session, but without hoop.dev the request would travel straight to Snowflake, bypassing every safeguard.

Mapping SOC 2 criteria to hoop.dev capabilities

• CC6.1 – Logical access controls. hoop.dev enforces least‑privilege policies at the gateway level and logs every access attempt.

• CC6.2 – Periodic user access reviews. The audit logs generated by hoop.dev provide a ready‑made source for review, showing which non‑human identities accessed which objects and when.

• CC7.1 – Risk assessment. By masking sensitive fields and blocking risky commands, hoop.dev reduces the risk profile of machine‑initiated activity.

• CC8.1 – Change management. The just‑in‑time approval workflow forces a documented, authorized decision before any schema‑altering operation is performed.

These mappings illustrate that hoop.dev does not replace Snowflake’s native role‑based access control; instead, it augments it with a control plane that satisfies the evidence‑generation expectations of SOC 2.

Implementing hoop.dev for Snowflake machine accounts

The implementation begins with an OIDC or SAML identity provider that issues tokens for service accounts. hoop.dev validates those tokens, extracts group membership, and maps the groups to Snowflake roles defined in the gateway configuration. The Snowflake credential itself is stored inside hoop.dev, so the service never sees the password or key. Once the gateway is deployed, any client that uses the standard Snowflake driver can point to hoop.dev’s endpoint and operate as usual, while hoop.dev silently applies the controls described above.

For detailed steps on deploying the gateway, configuring Snowflake as a target, and enabling masking and approval policies, see the getting‑started guide and the learn section of the documentation.

FAQ

Does hoop.dev rotate Snowflake credentials automatically?

Credential rotation is handled outside the gateway. hoop.dev stores the current secret and will use a new one when you update the configuration. The rotation process itself is performed by your secret‑management pipeline.

Will hoop.dev interfere with Snowflake’s native role hierarchy?

No. hoop.dev forwards the request after it has verified the caller’s identity and applied any additional policies. Snowflake continues to enforce its own role‑based permissions on the query.

What audit data does hoop.dev retain for SOC 2 evidence?

Each session record includes the caller identity, timestamp, full query text, result status, and any masking or approval actions taken. This data can be exported to a SIEM or retained in a secure log store for the period required by your audit policy.

Ready to see how the open‑source project works in practice? Explore the code on GitHub and start building a SOC 2‑ready machine‑access pipeline today.