Snowflake role privileges
Snowflake access control works by giving roles sets of privileges on certain objects (databases, schemas, tables, and so on).
CREATE is a privilege that can be set on objects such as tables or schemas and given to a custom or existing role. That role, when used by the Data Productivity Cloud, can then create tables. The ALL privilege gives a role every relevant available privilege on an object.
Matillion recommends using a custom Snowflake role created specifically for the Data Productivity Cloud, rather than a role such as
Below is a table of role privileges required for optimal use of the Data Productivity Cloud. Omitting privileges may come at the cost of features within the Data Productivity Cloud.
| Privilege | Object | Notes |
|---|---|---|
| ALL | Table | Grants all privileges, except OWNERSHIP, on a table. |
| ALL | External Table | Grants all privileges, except OWNERSHIP, on an external table. |
| ALL | View | Grants all privileges, except OWNERSHIP, on a view. |
| ALL | Schema | Grants all privileges, except OWNERSHIP, on a schema. |
| ALL | Stage | Creation and general use of Snowflake stages. |
The following sections offer some examples of how to grant these privileges.
Grant Usage on warehouse:
GRANT USAGE ON WAREHOUSE <warehouse-name> TO ROLE <role-name>;
Grant Operate on warehouse:
GRANT OPERATE ON WAREHOUSE <warehouse-name> TO ROLE <role-name>;
Grant Usage on database:
GRANT USAGE ON DATABASE <database-name> TO ROLE <role-name>;
Grant All on schema:
GRANT ALL ON SCHEMA <schema-name> TO ROLE <role-name>;
Grant Delete on tables in schema:
GRANT DELETE ON ALL TABLES IN SCHEMA <schema-name> TO ROLE <role-name>;
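The following script is an added worked example, not part of the Matillion documentation, that assembles the individual grants above into one dedicated custom role for the Data Productivity Cloud and attaches it to a service account user. The role, warehouse, database, schema, user and password values are placeholders to replace with your own; the future grants and the final SHOW GRANTS check are assumptions about what a practitioner would want, not something the page prescribes.

```sql
-- Run as a role that can create roles and users (e.g. SECURITYADMIN / SYSADMIN),
-- then hand only the resulting custom role to the Data Productivity Cloud.
USE ROLE SECURITYADMIN;

-- 1. A dedicated role: nothing broader than the integration needs.
CREATE ROLE IF NOT EXISTS dpc_role;

-- 2. Compute: run queries on, and start/suspend, one warehouse only.
GRANT USAGE   ON WAREHOUSE dpc_wh TO ROLE dpc_role;
GRANT OPERATE ON WAREHOUSE dpc_wh TO ROLE dpc_role;

-- 3. Navigation: the role must be able to "see" the database and schema.
GRANT USAGE ON DATABASE analytics_db TO ROLE dpc_role;

-- 4. ALL on the schema covers CREATE TABLE / VIEW / STAGE etc. (not OWNERSHIP).
GRANT ALL ON SCHEMA analytics_db.dpc_schema TO ROLE dpc_role;

-- 5. ALL (except OWNERSHIP) on the object types listed in the privilege table.
GRANT ALL ON ALL TABLES          IN SCHEMA analytics_db.dpc_schema TO ROLE dpc_role;
GRANT ALL ON ALL EXTERNAL TABLES IN SCHEMA analytics_db.dpc_schema TO ROLE dpc_role;
GRANT ALL ON ALL VIEWS           IN SCHEMA analytics_db.dpc_schema TO ROLE dpc_role;
GRANT ALL ON ALL STAGES          IN SCHEMA analytics_db.dpc_schema TO ROLE dpc_role;

-- 6. Objects created later by other roles would otherwise be invisible to dpc_role;
--    FUTURE grants keep the privilege set consistent over time (assumed practice).
GRANT ALL ON FUTURE TABLES          IN SCHEMA analytics_db.dpc_schema TO ROLE dpc_role;
GRANT ALL ON FUTURE EXTERNAL TABLES IN SCHEMA analytics_db.dpc_schema TO ROLE dpc_role;
GRANT ALL ON FUTURE VIEWS           IN SCHEMA analytics_db.dpc_schema TO ROLE dpc_role;
GRANT ALL ON FUTURE STAGES          IN SCHEMA analytics_db.dpc_schema TO ROLE dpc_role;

-- 7. A service account user for the integration, with the custom role as its default.
--    Placeholder password: rotate it and store it in the platform's secret store.
CREATE USER IF NOT EXISTS dpc_svc_user
  PASSWORD              = '<replace-with-generated-secret>'
  DEFAULT_ROLE          = dpc_role
  DEFAULT_WAREHOUSE     = dpc_wh
  DEFAULT_NAMESPACE     = analytics_db.dpc_schema
  MUST_CHANGE_PASSWORD  = FALSE;
GRANT ROLE dpc_role TO USER dpc_svc_user;

-- 8. Verify the resulting privilege set before wiring up the project.
SHOW GRANTS TO ROLE dpc_role;
SHOW GRANTS TO USER dpc_svc_user;
```

Review the SHOW GRANTS output for anything outside the warehouse, database and schema named above; a stray grant on another schema or on ACCOUNTADMIN-level objects means the role is broader than the page's recommendation.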
The Data Productivity Cloud supports the following Snowflake authentication methods:
Multi-Factor Authentication connections aren't supported. We advise customers to set up a Snowflake Service Account User for use with Data Productivity Cloud projects.