The internals of cloud storage access
In Figure 4.1 and Figure 4.2, we discussed the execution model of a query. In the preceding section on user-facing table access control, we learned how table access control governs users' access to tables.
This leaves us with one more authorization layer to discuss – the cloud storage access that’s given to SQL Warehouses.
Unity Catalog Consideration
If you are using Unity Catalog, or exclusively using managed tables, this section is not relevant. This is because, with managed tables, the catalog stores the data in a location dedicated to its use. Further, with Unity Catalog, the query engine is provided short-lived, pre-signed URLs to the relevant data files, even if the tables are unmanaged. This contrasts with Hive Metastore, where the SQL Warehouses use the relevant cloud authorization mechanism – instance profile, service principal, or service account – to access the relevant data files...