Skip to content

Roles and permissions

This article provides an outline of various roles, permissions, and authentication methods for managing resources and access control in cloud environments for use with the Data Productivity Cloud.

Always follow the principle of least privilege and assign only the minimum permissions required for the specific task.

AWS permissions

This section details permissions related to AWS services like CloudFormation, S3 buckets, IAM roles, ECS (Amazon Elastic Container Service), and agent deployment.

S3 permissions

Users must have appropriate permissions defined in their IAM policies to access S3 buckets from Data Productivity Cloud components.

AWS Permission Description
s3:GetObject Grants the ability to get objects from an S3 bucket.
s3:ListBucket Permits listing objects within an S3 bucket.
s3:PutObject Allows to upload (put) an object into an S3 bucket.
s3:DeleteObject Grants permission to delete an object from an S3 bucket.
s3:GetBucketLocation Permits to retrieve the location of an S3 bucket.
s3:ListAllMyBuckets Allows listing buckets. Omitting this does not necessarily cause pipeline errors (although may cause validation errors), but it's essential to verify the specific requirements for each use case.

Redshift permissions

This section outlines the steps to manage users, databases, and schemas within the Redshift cluster for Data Productivity Cloud. It covers user creation, modification of user access, database creation, modification of database ownership, and schema creation.

Action Description Syntax
User creation
Create User Create a user with a password. CREATE USER new_user PASSWORD 'your_password';
Modify User Access Grant unrestricted syslog access to the specified user. ALTER USER new_user SYSLOG ACCESS UNRESTRICTED;
Database and schema management
Create Database Create a new database with the specified name. CREATE DATABASE new_database;
Modify Database Ownership Change the owner of the specified database to a new user. ALTER DATABASE new_database OWNER TO new_owner;
Create Schema Create a new schema within the specified database and assign ownership to a user. CREATE SCHEMA new_schema AUTHORIZATION new_owner;

IAM roles

Users configuring their AWS resources for use with the Data Productivity Cloud are likely to require permission to create IAM Roles.

AWS Permission Description
iam:CreateRole Allows the creation of IAM roles.
iam:AttachRolePolicy Enables attaching policies to an IAM role.
iam:PassRole Necessary if the CloudFormation stack involves passing an IAM role to an AWS service.

Agent deployment permissions

Users deploying an agent in the Data Productivity Cloud will require the following permission types:


  • AmazonECS_FullAccess
  • CloudWatchFullAccess
  • SecretsManagerReadWrite
  • IAMFullAccess
  • AmazonS3FullAccess


AWS policy Action
IAM iam:AddRoleToInstanceProfile, iam:PutRolePolicy, iam:PassRole, iam:GetRolePolicy, iam:CreateInstanceProfile, iam:DeleteInstanceProfile, iam:RemoveRoleFromInstanceProfile, iam:DetachRolePolicy, iam:AttachRolePolicy, iam:DeleteRolePolicy, iam:GetRole, iam:CreateRole, iam:DeleteRole, iam:TagPolicy, iam:UntagRole, iam:TagRole, iam:UntagPolicy, iam:UpdateRole, iam:UntagInstanceProfile, iam:TagInstanceProfile.
EC2 ec2:ReplaceIamInstanceProfileAssociation, ec2:AuthorizeSecurityGroupEgress, ec2:AuthorizeSecurityGroupIngress, ec2:RevokeSecurityGroupEgress, ec2:RevokeSecurityGroupIngress, ec2:DescribeSecurityGroups, ec2:DescribeVpcs, ec2:DescribeSubnets, ec2:UpdateSecurityGroupRuleDescriptionsIngress, ec2:UpdateSecurityGroupRuleDescriptionsEgress, ec2:CreateTags, ec2:ModifySecurityGroupRules, ec2:DisassociateIamInstanceProfile, ec2:DeleteTags, ec2:CreateSecurityGroup, ec2:AssociateIamInstanceProfile, ec2:DeleteSecurityGroup.
Logging logs:PutRetentionPolicy, logs:CreateLogStream, logs:TagLogGroup, logs:TagResource, logs:CreateLogGroup, logs:DeleteLogStream, logs:UntagLogGroup, logs:DeleteLogGroup, logs:UntagResource.
ECS secretsmanager:DeleteSecret, secretsmanager:UpdateSecretVersionStage, secretsmanager:TagResource, secretsmanager:UntagResource, secretsmanager:CreateSecret, secretsmanager:UpdateSecret, ecs:UpdateCluster, ecs:DescribeServices, ecs:DescribeTasks, ecs:DescribeClusters, ecs:UpdateContainerInstancesState, ecs:StartTask, ecs:CreateCapacityProvider, ecs:UpdateService, ecs:RegisterTaskDefinition, ecs:StopTask, ecs:DeregisterContainerInstance, ecs:DeleteTaskDefinitions, ecs:TagResource, ecs:UpdateClusterSettings, ecs:CreateCluster, ecs:DeleteService, ecs:DeleteCluster, ecs:RegisterContainerInstance, ecs:DeleteCapacityProvider, ecs:DeregisterTaskDefinition, ecs:CreateService, ecs:RunTask, ecs:UntagResource, ecs:PutClusterCapacityProviders, ecs:UpdateCapacityProvider, ecs:UpdateContainerAgent.

You can refer to the IAM roles documentation for more detailed information on task roles and task execution roles.

AWS service-linked roles

  • AWSServiceRoleForECS: This role is required to allow the deployment of an ECS (Amazon Elastic Container Service) agent in AWS. The ECS agent is often used within the Data Productivity Cloud ecosystem for managing containerized workloads and orchestrating tasks.

Other service permissions

Below are permissions generally required for specific AWS services:

AWS Permission Description
cloudformation:CreateStack Allows the creation of CloudFormation stacks.
rds:DescribeDBInstances Required for the RDS Query component to display available RDS instances.

Azure permissions

The Azure Blob permissions section provides guidance on managing access to Azure Blob Storage, which is crucial for controlling data access and ensuring security within Azure environments. Here's a brief overview of the key points covered in this section.

Granular control with SAS or Azure Roles helps ensure data security.

Authorization methods

Shared Access Signature (SAS): - Grants temporary access to specific blobs or containers without exposing account keys. - Allows defining specific read, write, or list permissions with start and expiry times.

Azure roles: - Assign built-in or custom roles based on the Azure Role-Based Access Control (RBAC) system. - Grants access to specific containers, blobs, or entire storage accounts.

Azure blob storage

The below are recommended permissions for accessing Azure Blob Storage with the Data Productivity Cloud.

Permission Type Description
Shared Access Signature (SAS)
Blob Reader Allows reading blob data.
Blob Contributor Enables reading, writing, and deleting blob data.
Blob Container Reader Grants read access to all blobs within a container.
Blob Container Contributor Provides permissions to manage all blobs within a container.
Azure roles
Storage Blob Data Reader Allows reading blob data.
Storage Blob Data Contributor Enables reading, writing, and deleting blob data.
Storage Account Contributor Gives access to manage all resources within a storage account, including blobs, containers, and account settings.
Azure blob integration permissions
Queue Storage Permissions To interact with Azure Queue Storage, consider permissions like queue:PeekMessages, queue:DequeueMessages, and queue:SendMessage for secure message handling.
Data Lake Storage Permissions To integrate with Azure Data Lake Storage, permissions such as Data Lake Storage Blob Data Owner and Data Lake Storage Blob Data Contributor may be relevant for data access and management.


Your Snowflake environment in the Data Productivity Cloud uses your role name to identify you. This role name will have certain privileges associated with it in Snowflake that you can adjust accordingly.

For ease of use and ensuring full functionality, we recommend granting all privileges to the role being used and tying that role only to schemas for use with the Data Productivity Cloud.


Your role name must be enclosed by double quotes if it contains a space.

Roles and privileges

Action Syntax
Role creation
Creating a Custom Role CREATE ROLE "Data_Productivity_Cloud_role";
Or, if the role name has spaces CREATE ROLE "Data_Productivity_Cloud role";
Granting privileges
Granting Usage on Warehouse GRANT USAGE ON WAREHOUSE <warehouse-name> TO ROLE <role-name>;
Granting Usage on Database GRANT USAGE ON DATABASE <database-name> TO ROLE <role-name>;
Granting All Privileges on Schema GRANT ALL ON SCHEMA <schema-name> TO ROLE <role-name>;
Granting All Privileges on Tables in Schema GRANT ALL ON ALL TABLES IN SCHEMA <schema-name> TO ROLE <role-name>;
Granting All Privileges on Future Tables in Schema GRANT ALL ON FUTURE TABLES IN SCHEMA <schema-name> TO ROLE <role-name>;
Granting Specific Privilege on Future Tables GRANT <privilege> ON FUTURE TABLES IN SCHEMA <schema-name> TO ROLE <role-name>;
Defining role hierarchy
Assigning Roles GRANT Data <role-name> TO USER <username>;
Revoking privileges
Revoking Privileges REVOKE <privilege> ON ALL TABLES IN SCHEMA <schema-name> FROM ROLE <role-name>;

Authentication methods

  • Users can authenticate using their Snowflake username and password.
  • Users can authenticate using a keypair generated for their Snowflake account.
  • Multi-factor authentication connections are not supported for Data Productivity Cloud projects. It's advisable to use dedicated Snowflake Service Account Users for Data Productivity Cloud projects.