Configure API-Driven On-Demand Sync for Snowflake Connector¶

Overview¶

API-driven On-Demand Sync enables real-time, targeted policy synchronization in Snowflake by allowing customers to invoke resource synchronization directly through REST API calls. Unlike scheduled sync operations that process all resources periodically, API-driven On-Demand Sync provides programmatic control to trigger immediate synchronization for specific resources when changes occur.

D2P Mode Only

API-driven On-Demand Sync for Snowflake is currently supported only in Data Plane (D2P) deployment mode.

Key Benefits¶

Benefit	Description
Real-Time Updates	Policy changes are applied immediately when API is invoked
Targeted Sync	Synchronizes only the affected resources, not the entire catalog
Reduced Load	Minimizes connector processing overhead by syncing only what's needed
Programmatic Control	Direct API integration allows seamless integration with your applications and workflows
Immediate Response	Get synchronous feedback on sync operation status

How It Works¶

API-driven On-Demand Sync follows this workflow:

API Invocation: External systems or applications make REST API calls to trigger resource synchronization
Request Processing: The API Server receives and validates the sync request
Task Creation: A sync task is created and queued for the Snowflake connector
Resource Sync: The connector processes the task, loads resources (specified in the incoming sync requests) from Snowflake and applies policy changes.
Response: The API returns the task status (SUCCESS, FAILED, or SKIPPED) along with relevant details

Configuration Properties¶

Required Properties¶

Property	Description	Example
CONNECTOR_SNOWFLAKE_API_SERVER_ENABLED	Enable API server for on-demand sync	true
CONNECTOR_SNOWFLAKE_ON_DEMAND_V2_ENABLED	Enable on-demand sync V2	true
CONNECTOR_SNOWFLAKE_EXTERNAL_ACCESS_ENABLED	Enable external access to the API server by deploying ingress	true

Optional Properties¶

Property	Default Value	Description
CONNECTOR_SNOWFLAKE_K8S_NGINX_INGRESS_ENABLE	false	Enable Kubernetes Nginx Ingress for API server access

Setup¶

Data Plane

Step 1: Edit Connector Configuration¶

SSH to the instance where Privacera is installed and edit your connector configuration file:

Bash
cd ~/privacera/privacera-manager/config
vi custom-vars/connectors/snowflake/instance1/vars.connector.snowflake.yml

Step 2: Add API-Driven On-Demand Sync Configuration¶

Add the following configuration to your connector YAML file:

YAML
# Enable API Server for On-Demand Sync
CONNECTOR_SNOWFLAKE_API_SERVER_ENABLED: "true"

# Enable On-Demand Sync V2
CONNECTOR_SNOWFLAKE_ON_DEMAND_V2_ENABLED: "true"

# Enable External Access
CONNECTOR_SNOWFLAKE_EXTERNAL_ACCESS_ENABLED: "true"

# Optional: Kubernetes Nginx Ingress (default: false)
CONNECTOR_SNOWFLAKE_K8S_NGINX_INGRESS_ENABLE: "false"

Step 3: Deploy Configuration¶

Once the properties are configured, run the following commands to update your Privacera Manager platform instance:

Step 1 - Setup which generates the helm charts. This step usually takes few minutes.

Bash
cd ~/privacera/privacera-manager
./privacera-manager.sh setup

Step 2 - Apply the Privacera Manager helm charts.

Bash
cd ~/privacera/privacera-manager
./pm_with_helm.sh upgrade

Step 3 - (Optional) Post-installation step which generates Plugin tar ball, updates Route 53 DNS and so on. This step is not required if you are updating only connector properties.

Bash
cd ~/privacera/privacera-manager
./privacera-manager.sh post-install

API Usage¶

Retrieve Host¶

The host is generated during post-install. After running ./privacera-manager.sh post-install, a service-urls.txt file is generated in the output directory. To retrieve the host, follow these steps:

SSH to the instance where Privacera is installed and navigate to the Privacera Manager directory:
Bash
1
cd ~/privacera/privacera-manager
Read the host URL from the service-urls.txt file:
Bash
1
cat output/service-urls.txt
For the required connector instance, copy the external URL from the output to use in the API endpoint URL.

Endpoint¶

The REST API endpoint for triggering on-demand sync:

Text Only
1	`POST https://<host>/policysync/api/v1/task`

Replace <host> with your connector API server hostname (retrieved using the method described in the Retrieve Host section above).

Authentication¶

The API requires JWT token authentication. To retrieve the JWT token, follow these steps:

SSH to the instance where Privacera is installed and navigate to the Privacera Manager directory:
Bash
1
cd ~/privacera/privacera-manager
Read the JWT token from the file (replace <instance-name> with your connector instance name, e.g., instance1):
Bash
1
cat config/api-server-keys/connector/snowflake/<instance-name>/jwt/jwt-token.txt
Copy the JWT token from the output to use in the Authorization header.

Request Headers¶

Header	Required	Description
Content-Type	Yes	`application/json`
Authorization	Yes	JWT token from the jwt-token.txt file

Request Payload Structure¶

To trigger an on-demand sync, send a JSON payload with the following structure:

Sample Request Payload¶

JSON
{
    "type": "RESOURCE_SYNC",
    "requestInfo": {
        "resources": [
            {
                "type": "table",
                "values": {
                    "database": "AP_PS_OMNI_PROD_DB",
                    "schema": "TEST_SCHEMA1",
                    "table": "TEST_DATA3"
                }
            }
        ]
    }
}

Payload Field Descriptions¶

Field	Type	Required	Description
type	String	Yes	Task type. Use "RESOURCE_SYNC" for resource synchronization
requestInfo.resources	Array	Yes	List of resources to sync
requestInfo.resources[].type	String	Yes	Resource type: "database", "schema", "table", "view", "column"
requestInfo.resources[].values	Object	Yes	Resource identifiers (database, schema, table, column)

Resource Types and Values¶

Database:

JSON
{
  "type": "database",
  "values": {
    "database": "SALES_DB"
  }
}

Schema:

JSON
{
  "type": "schema",
  "values": {
    "database": "SALES_DB",
    "schema": "PUBLIC"
  }
}

Table:

JSON
{
  "type": "table",
  "values": {
    "database": "SALES_DB",
    "schema": "PUBLIC",
    "table": "CUSTOMERS"
  }
}

Column:

JSON
{
  "type": "column",
  "values": {
    "database": "SALES_DB",
    "schema": "PUBLIC",
    "table": "CUSTOMERS",
    "column": "EMAIL"
  }
}

Multiple Resources Example¶

JSON
{
    "type": "RESOURCE_SYNC",
    "requestInfo": {
        "resources": [
            {
                "type": "database",
                "values": {
                    "database": "HR_DB"
                }
            },
            {
                "type": "schema",
                "values": {
                    "database": "HR_DB",
                    "schema": "EMPLOYEE_DATA"
                }
            },
            {
                "type": "table",
                "values": {
                    "database": "HR_DB",
                    "schema": "EMPLOYEE_DATA",
                    "table": "EMPLOYEES"
                }
            }
        ]
    }
}

Retrieve Task Status¶

To check the status of a sync task, use the GET endpoint with the task ID returned from the POST API call:

Text Only
1	`GET https://<host>/policysync/api/v1/tasks/<taskId>`

The response will include the current status of the task:

JSON
{
    "taskId": "574057046565109672",
    "status": "SUCCESS",
    "message": "Sync completed successfully"
}

Task Status¶

After processing, each sync task will have one of the following statuses:

Status	Description
NEW	Task has been created but not yet started
WAITING	Task is waiting to be processed
INPROGRESS	Sync task is currently being processed
SUCCESS	Sync completed successfully
FAILED	Sync failed due to an error
SKIPPED	Task skipped (e.g., invalid request or unsupported resource type)

Prev topic: Advanced Configuration
Next topic: Troubleshooting