Kevin Keller

Senior Architect & Field CTO

Strategy, architecture, security, AI, and code.

Sometimes hands-on with Snowflake, PostgreSQL, DuckDB, Python, and Rust.

Personal GitHub | Snowflake GitHub

Playgrounds Chat with the Blog's AI Agent Chat runs entirely in your browser — no data sent anywhere.

Latest

All articles →

2026-04-03 Site-to-Site VPN with SoftEther -- Connecting On-Premise, AWS, and Azure Networks
2026-04-03 Snowflake Container Services Deep Dive — Security, Networking, and Tunneling
2026-04-02 SSH Tunnels from Snowflake Container Services — Bidirectional Access to Your DMZ, Home Lab, or PC
2026-03-31 Beyond RBAC — Why AI Agents Need Purpose-Aware Access Control
2026-03-30 DuckLake on Hetzner with Pixi — A Governed Data Lake for Under 10 Euros a Month
2026-03-30 Snowflake Managed MCP Servers Support External OAuth — Here's How
2026-03-28 TurboQuant — What 6x Vector Compression Means for AI Agents
2026-03-28 A Layered Architecture for Python and Conda Supply Chain Security
2026-03-27 Zettelkasten Memory for AI Agents — Semantic Knowledge Graphs That Grow With Every Conversation
2026-03-27 Federal Zero Trust Architecture Blueprint — Snowflake as the AI + Data Control Plane

Strategic Whitepapers

Beyond RBAC — Why AI Agents Need Purpose-Aware Access Control

31 March 2026·3737 words·18 mins

AI & AI Agents Abac Ai-Agents Security Policy-Engine Mcp Zero-Trust Governance

RBAC tells you if a role can access a table. But can this agent invoke this tool on this data for this purpose? The industry is building the pieces — Cedar, Proofpoint, Cisco, Immuta — but the unified policy engine that evaluates all attributes across all layers doesn’t exist yet.

Building the Agentic Enterprise: From Protocol Hype to Production-Grade AI Agents

19 March 2026·3523 words·17 mins

AI Agents Ai-Agents Agentic-Ai Mcp Enterprise-Ai Strategy Ai-Governance Production

The agentic enterprise is real. But getting there requires a shift from generic protocol-based integrations to purpose-built agents with native tooling, embedded security, and domain-specific intelligence.

Governing AI Inference in the Data Cloud: A Security Architecture Guide for EMEA Enterprises

17 March 2026·5914 words·28 mins

AI Agents Security & Encryption Ai-Governance Security Snowflake Eu-Ai-Act Dora Nis2 Mcp Compliance

A defense-in-depth security architecture for AI agents and inference workloads — covering network isolation, identity propagation, authorization, data protection, and auditing under the EU AI Act, DORA, and NIS2.

Architectural Blueprints

Federal Zero Trust Architecture Blueprint — Snowflake as the AI + Data Control Plane

27 March 2026·3171 words·15 mins

Security & Governance Zero-Trust Snowflake Fedramp Nist Security Architecture Governance Cortex Ai

Snowflake provides a unified Zero Trust control plane for both data and AI inference. This blueprint maps Snowflake and Cortex to NIST 800-207, CISA’s Zero Trust Maturity Model, and OMB M-22-09 — one governance layer, one policy stack, no shadow AI.

AI Agents

Cortex Proxy: Route Any AI Coding Agent Through Snowflake Cortex, OpenAI, Anthropic, or Ollama — With Prompt Policy Enforcement

18 March 2026·2380 words·12 mins

AI Agents Snowflake Cortex Rust Proxy Ai-Agents Claude-Code Security Policy-Enforcement

A high-performance Rust proxy that lets Claude Code, Continue.dev, ZeroClaw, Mistral Vibe — or any AI coding agent — use Snowflake Cortex, OpenAI, Anthropic, or Ollama as their backend. Optional prompt policy enforcement included.

Nanocortex: A Blueprint for Building Custom Snowflake Cortex Agents

16 March 2026·4391 words·21 mins

AI Agents Snowflake Cortex Agents Python Llm

How a 1,600-line Python file can teach you everything about the Cortex Agent API

Authentication

Snowflake Managed MCP Servers Support External OAuth — Here's How

30 March 2026·1115 words·6 mins

Authentication Snowflake Mcp Oauth Authentication Security Jwt Ai-Agents

Snowflake’s managed MCP servers work with external OAuth tokens — JWT-signed, role-scoped, and RBAC-enforced. Tested end-to-end with tool discovery and SQL execution.

How JWT Tokens Actually Work — And How Snowflake Uses Them

20 March 2026·1758 words·9 mins

Authentication Jwt Authentication Security Oauth Snowflake Learning

A visual, hands-on explanation of JSON Web Tokens — what they contain, how signing works, why they expire, and how Snowflake uses them for External OAuth authentication.

Code Blueprints

Snowflake Container Services Deep Dive — Security, Networking, and Tunneling

3 April 2026·6746 words·32 mins

Security & Encryption Snowflake Container-Services Security Kubernetes Networking Encryption Governance Spcs Tunneling

A comprehensive deep dive into Snowflake Container Services — security architecture, compute isolation, ingress/egress controls, PAT authentication, CORS, private connectivity, and tunneling approaches (SSH, WebSocket, Tailscale, ngrok) to connect SPCS to your own infrastructure.

SSH Tunnels from Snowflake Container Services — Bidirectional Access to Your DMZ, Home Lab, or PC

2 April 2026·3651 words·18 mins

Networking Snowflake Container-Services Ssh Tunnel Dmz Autossh Nginx Reverse-Proxy Networking

How to establish persistent, bidirectional SSH tunnels from Snowflake Container Services to any machine you control — using base64-encoded keys in Snowflake Secrets, autossh for resilience, reverse port forwards, and nginx to expose SPCS services with SSL on your own domain.

Snowflake Managed MCP Servers Support External OAuth — Here's How

30 March 2026·1115 words·6 mins

Authentication Snowflake Mcp Oauth Authentication Security Jwt Ai-Agents

Snowflake’s managed MCP servers work with external OAuth tokens — JWT-signed, role-scoped, and RBAC-enforced. Tested end-to-end with tool discovery and SQL execution.

Security Operations AI Skill: Turn Snowflake into a Cybersecurity Data Lake

23 March 2026·2503 words·12 mins

Security & Encryption Snowflake Security Siem Cybersecurity Mitre-Attack Owasp Nist Ai-Agents Threat-Detection Skills

An open-source AI skill that teaches any coding agent to build threat detection pipelines, hunt anomalies, and automate incident response in Snowflake — with OWASP, MITRE ATT&CK, and NIST CSF built in.

Nanocortex: A Blueprint for Building Custom Snowflake Cortex Agents

16 March 2026·4391 words·21 mins

AI Agents Snowflake Cortex Agents Python Llm

How a 1,600-line Python file can teach you everything about the Cortex Agent API

Data Sovereignty

Data Sovereignty First: Integrating an On-Premise Apache Iceberg into Snowflake Through a Direct Outbound Tunnel

16 March 2026·2842 words·14 mins

Data Sovereignty Data-Sovereignty Snowflake Iceberg Duckdb Privacy Compliance

Some data cannot move to the cloud. Here’s how to bring Snowflake’s analytics power to the data — without surrendering control of it.

Query Your On-Premise DataLake Through a Private Tunnel with Snowflake

10 December 2024·3457 words·17 mins

Data Sovereignty Snowflake Hybrid-Cloud Ssh Iceberg Duckdb Spark Spcs Data-Sovereignty

Hybrid Cloud Architecture Series with Snowflake Part 1 — How to setup an SSH tunnel from Snowflake Container Services to query on-premise Iceberg data lakes, databases, APIs, or AI models behind your firewall.

Infrastructure

SPCS Dev Container: A Full Linux IDE Running Inside Snowflake

14 March 2026·1083 words·6 mins

Infrastructure Snowflake Spcs Containers Devcontainer Vscode Development Cloud-Ide

Turn Snowflake Container Services into your personal cloud development environment — VS Code in the browser, web terminal, persistent storage, and direct Snowflake access.

Running Apache NiFi on Snowflake Container Services

13 March 2026·1253 words·6 mins

Infrastructure Snowflake Spcs Nifi Data-Ingestion Containers Jdbc Oauth Cdc

A patched, ready-to-deploy Apache NiFi 2.6.0 on SPCS — with fixes for ingress compatibility, a token debug UI, and a sample PostgreSQL-to-Snowflake CDC flow.

Networking

SSH Tunnels from Snowflake Container Services — Bidirectional Access to Your DMZ, Home Lab, or PC

2 April 2026·3651 words·18 mins

Networking Snowflake Container-Services Ssh Tunnel Dmz Autossh Nginx Reverse-Proxy Networking

Observability

Ingest OpenTelemetry Logs, Traces and Metrics Directly into Snowflake

9 November 2024·3091 words·15 mins

Observability Opentelemetry Snowflake Observability Iceberg Siem Apm

Build your next generation security and observability Iceberg data lake by ingesting OpenTelemetry data directly into Snowflake

How to Let Snowflake Raise Security Incidents in Your SIEM or XDR Automatically

25 July 2024·2728 words·13 mins

Observability Snowflake Siem Xdr Security Splunk Sentinel Automation

A step-by-step guide to having Snowflake automatically detect failed login attempts and raise incidents in your SIEM or XDR — no external code required.

Security & Encryption

Snowflake Container Services Deep Dive — Security, Networking, and Tunneling

3 April 2026·6746 words·32 mins

Security & Encryption Snowflake Container-Services Security Kubernetes Networking Encryption Governance Spcs Tunneling

AES-CBC Column-Level Encryption in Snowflake: Four Key Management Strategies

26 March 2026·1586 words·8 mins

Security & Encryption Snowflake Encryption Aes Kms Aws Azure Security Masking-Policies Postgres Pgcrypto

Four sample methods for managing encryption keys in Snowflake — from session variables to cloud KMS to HYOK key wrapping — ensuring sensitive data is protected with keys you control. Postgres pgcrypto compatible.

Federated Queries Between Snowflake Accounts Using Service Accounts and OAuth

23 March 2026·2326 words·11 mins

Security & Encryption Snowflake Oauth Jwt Cross-Account Sql-Api Security Entra-Id Gcp Service-Accounts

How to execute SQL across Snowflake accounts using the SQL API with OAuth — covering Client Credentials (Entra ID), Self-Signed JWT (GCP), PAT, and Key-Pair authentication with full architecture diagrams and code.

Snowflake Native Webhook Notifications for SIEM: Splunk and Microsoft Sentinel

23 March 2026·2820 words·14 mins

Security & Encryption Snowflake Siem Splunk Sentinel Webhook Security Observability Oauth

How to send security alerts from Snowflake directly to your SIEM using native webhook notification integrations — with working examples for Splunk HEC and Microsoft Sentinel, plus a hybrid approach for dynamic OAuth tokens.

Security Operations AI Skill: Turn Snowflake into a Cybersecurity Data Lake

23 March 2026·2503 words·12 mins

Security & Encryption Snowflake Security Siem Cybersecurity Mitre-Attack Owasp Nist Ai-Agents Threat-Detection Skills

Splunk + Snowflake: Building a Hybrid Security Data Lake with Federated Queries

23 March 2026·3677 words·18 mins

Security & Encryption Snowflake Splunk Siem Security Data-Lake Federated-Queries Cost-Optimization Cybersecurity

A better-together reference architecture combining Splunk’s real-time detection with Snowflake’s cost-effective data lake — federated search via DB Connect, 70-80% cost optimization, and years of historical retention.

Snowflake OAuth & PAT Toolkit: JWT-to-PAT Exchange for MCP Authentication

15 March 2026·2194 words·11 mins

Security & Encryption Snowflake Oauth Pat Mcp Authentication Security Jwt Python

The core challenge of AI agents: passing the human user’s identity through to Snowflake. This toolkit demonstrates JWT-to-PAT token exchange so agents execute as the actual user — with their roles, permissions, and full audit trail.

Column-Level Encryption for Snowflake Using Postgres as an On-Premise Crypto Proxy

20 December 2024·1786 words·9 mins

Security & Encryption Snowflake Encryption Postgres Security Data-Sovereignty Aes Compliance

How to use Postgres 17 as a transparent encryption proxy so that data stored in Snowflake is always AES-256 encrypted at the column level — with your own key, under your own control.

Decrypting PGP Files Inside Snowflake: Zero-Infrastructure MFT Ingestion

14 December 2024·2910 words·14 mins

Security & Encryption Snowflake Pgp Gpg Encryption Mft Python-Udf Data-Ingestion Security

How to decrypt PGP/GPG-encrypted files directly inside Snowflake using Python UDFs and the pgpy library — no external compute, no middleware, no key in transit.

Python Camouflage: Format-Preserving Encryption for Snowflake Using FF3-1

15 November 2024·1742 words·9 mins

Security & Encryption Snowflake Encryption Tokenization Fpe Ff3 Python-Udf Masking-Policy Compliance Data-Sovereignty

Tokenize PII in Snowflake so that encrypted data still looks and behaves like real data — joinable, sortable, format-correct — all with your own AES-256 key, enforced through tag-based masking policies.

Snowflake-related articles explore the art of the possible and are not official Snowflake solutions or endorsed by Snowflake unless explicitly stated. Opinions are my own. Content is meant as educational inspiration, not production guidance.

↑

Kevin Keller

Senior Architect & Field CTO

Latest

Strategic Whitepapers

Architectural Blueprints

AI Agents

Authentication

Code Blueprints

Data Sovereignty

Infrastructure

Networking

Observability

Security & Encryption

AI & AI Agents

AI Agents

Code Blueprints

Data Engineering

Networking

Personal Open Source

Security & Encryption

Security & Governance

Supply Chain