Announcing Icebreaker: Open Source Reverse Proxy for SPCS

Snowpark Container Services (SPCS) on the Snowflake AI Data Cloud is a great platform for running any containerized apps inside of your Snowflake account. You can specify an image to run (custom or open source), configure resource utilization on the underlying compute pool, and more. Better yet, it's optimized for Snowflake and allows you to use your account's existing RBAC.

Where things get tricky, however, is when you need to access a service from outside of Snowflake (e.g., from a website) or where OAuth token retrieval is not tenable.

To address this, we're open-sourcing icebreaker on Github: an image that uses an nginx reverse proxy to connect public internet requests to an SPCS public endpoint using OAuth. This allows you to simplify request routing to your SPCS service all while keeping a layer of security between the internet and your Snowflake account (there's always a service user and role that must be active).

Why we built this

At Winning Variant, we have customers utilizing our Experimentation Native App inside of their Snowflake accounts that need to streamline access to the Variant API running inside of the app. We wanted to build a solution that preserved the security built into SPCS all while simplifying connections for the end clients. We determined the best way to do this was to continue to use Snowflake OAuth and wrap it with an nginx reverse proxy that end clients can connect to.

Simple, yet flexible

The icebreaker project is designed to be simple and universal, but can be easily customized for those organizations that need it. Simply fork the project and alter the nginx or Docker configuration as needed! The image can be deployed almost anywhere, though we recommend running it in the same region as your Snowflake account.

Disclaimer

This project is not affiliated with nor endorsed by Snowflake. "Snowflake", "Snowpark Container Services", and other related terms are trademarks of Snowflake, Inc.