Skip to content

Snowflake role privileges

Snowflake access control works by giving roles sets of privileges on certain objects (databases, schema, tables, and so on).

For example, CREATE is a privilege that can be set on objects such as tables or schema and given to a custom or existing role. That role, when used by the Data Productivity Cloud, can then create tables. The ALL privilege gives a role every relevant available privilege on an object.

To connect your Snowflake account to the Data Productivity Cloud, the Snowflake role must have certain privileges enabled. Some examples are listed below.

Matillion recommends using a custom Snowflake role created specifically for the Data Productivity Cloud, rather than a role such as PUBLIC.

Read GRANT … TO ROLE to learn how to grant privileges to a role.


Required roles

Below is a table of role privileges required for optimal use of the Data Productivity Cloud. Omitting privileges may come at the cost of features within the Data Productivity Cloud.

Privilege Object Description
ALL Table Grants all privileges, except OWNERSHIP, on a table.
ALL External Table Grants all privileges, except OWNERSHIP, on an external table.
ALL View Grants all privileges, except OWNERSHIP, on a view.
ALL Schema Grants all privileges, except OWNERSHIP, on a schema.
ALL Stage Creation and general use of Snowflake stages.

The following sections offer some examples of how to grant these privileges.

Warehouse

Grant Usage on warehouse:

GRANT USAGE ON WAREHOUSE <warehouse-name> TO ROLE <role-name>;

Grant Operate on warehouse:

GRANT OPERATE ON WAREHOUSE <warehouse-name> TO ROLE <role-name>;

Database

Grant Usage on database:

GRANT USAGE ON DATABASE <database-name> TO ROLE <role-name>;

Schema

Grant All on schema:

GRANT ALL ON SCHEMA <schema-name> TO ROLE <role-name>;

Table

Grant delete on tables in schema:

GRANT DELETE ON ALL TABLES IN SCHEMA <schema-name> TO ROLE <role-name>;

Authentication methods

The Data Productivity Cloud currently supports the username/password and key-pair authentication methods for Snowflake.

If using key-pair authentication, read Using Snowflake key-pair authentication to learn how to configure the necessary secrets for this method.

Multi-Factor Authentication connections aren't supported. We advise that customers set up a Snowflake Service Account User for use with Data Productivity Cloud projects.