Security model

chukei sits in the connection path, so its trust boundary matters. The design goal is that adopting chukei adds no new credential surface: client auth is validated end-to-end by Snowflake exactly as before, secrets are never written down, and chukei runs inside your network. This page describes the boundary; for the objection-by-objection version with measured numbers, see "Is a proxy in front of Snowflake safe?".

The trust boundary

┌──────────────── your VPC / network ─────────────┐
│  driver (holds credentials)                     │
│    │                                            │
│    │  auth: password / key-pair JWT / PAT / SSO │
│    v                                            │
│  chukei process                                 │
│    - terminates TLS                             │
│    - holds the session token in MEMORY ONLY     │
│    - x never writes credentials to disk         │
│    - x never writes credentials to logs         │
└───────────────────────┬─────────────────────────┘
                        │  verbatim auth forward
                        v
   ┌─────────────────────────────────────────┐
   │  Snowflake - validates the auth itself  │
   └─────────────────────────────────────────┘

What chukei does and does not hold

| Credential | Handling |
|---|---|
| Client login (password / key-pair JWT / PAT / SSO) | passthrough: validated end-to-end by Snowflake; chukei does not evaluate it |
| Snowflake session token | held in memory only, re-keyed on Snowflake's ~4-hour rotation; never persisted, never logged |
| Optional suspend service account | the only credential chukei stores; scoped to OPERATE on the warehouses you list, nothing else |

The test suite enforces the no-leak rule with a trace-level credential-leak audit: even at the most verbose log level, no credential material appears in output.
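
One way to build this kind of audit, as an added example that is not chukei's own test code: plant canary secrets, run a code path with every log level captured, and report any canary that appears raw or in a common encoding. The `safe_login` and `leaky_login` handlers, the `TRACE` level number, the logger name and the canary values are all constructed for illustration.

```python
import base64
import io
import logging
import urllib.parse

TRACE = 5  # assumed custom level below logging.DEBUG (10)
# Constructed canaries: strings that can only show up in output through a leak.
CANARIES = {"password": "canary/pw+7f3a91c2", "session_token": "canary/tok+c41d88e0"}

def variants(secret):
    """Forms a secret commonly takes in a log line: raw, URL-encoded, base64, hex."""
    raw = secret.encode()
    # Note: base64 only matches when the secret was encoded on its own.
    return {secret, urllib.parse.quote(secret, safe=""),
            base64.b64encode(raw).decode(), raw.hex()}

def audit(run):
    """Call run(logger, secrets) with all log output captured; return leaked canary names."""
    buf = io.StringIO()
    logger = logging.getLogger("leak-audit")
    logger.handlers = [logging.StreamHandler(buf)]
    logger.setLevel(1)          # lower than TRACE, so nothing is filtered out
    logger.propagate = False
    run(logger, CANARIES)
    out = buf.getvalue()
    return sorted(name for name, secret in CANARIES.items()
                  if any(v in out for v in variants(secret)))

def safe_login(log, secrets):
    # Logs metadata about the credential, never the credential itself.
    log.log(TRACE, "login forwarded: method=password len=%d", len(secrets["password"]))
    log.debug("session established, token held in memory")

def leaky_login(log, secrets):
    # Deliberate defect for the audit to catch: secrets reach trace/debug output.
    log.log(TRACE, "upstream headers: Authorization=%s", secrets["session_token"])
    log.debug("login body b64=%s", base64.b64encode(secrets["password"].encode()).decode())

if __name__ == "__main__":
    print("safe handler leaks: ", audit(safe_login))
    print("leaky handler leaks:", audit(leaky_login))
```
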

TLS

chukei terminates the driver's TLS connection (to read the gzipped query-request body) and opens its own TLS connection upstream to *.snowflakecomputing.com. Certificate and TLS configuration for the listener are covered in deployment. Because the driver performs OCSP checks, the JDBC ocspFailOpen note in the JDBC example applies.

Network and data residency

You run chukei in your own VPC. No SQL text and no result data ever leave your network for a vendor — there is no chukei cloud service in the data path. The conservative pilot profile persists no result data at rest. This is the structural difference from SaaS cost tools that ingest your QUERY_HISTORY or proxy results through their cloud.

Suspend enforcement: suggest vs enforce

By default the suspend plugin is suggest-only — it emits metrics and spans but never touches Snowflake state, so it needs no service account at all. Only enforce mode uses the scoped service account above to actually suspend idle warehouses. See the warehouse management guide for the operational trade-off.