Skip to content

Snowflake role privileges with Matillion ETL

Overview

Snowflake access control works by giving "roles" sets of "privileges" on certain objects (databases, schema, tables, and so on).

For example, CREATE is a privilege that can be set on objects such as tables or schema and given to a custom or existing role. That role, when used by Matillion ETL, can then create tables—a core function in Matillion ETL. The ALL privilege gives a role every relevant available privilege on an object.

To connect Matillion ETL to your Snowflake account, the Snowflake role must have certain privileges enabled. Some examples are listed below.

Matillion recommends using a custom Snowflake role created specifically for Matillion ETL, rather than a role such as PUBLIC.

Read GRANT … TO ROLE to learn how to grant privileges to a role.


Snowflake role privileges

Below is a table of role privileges required for optimal use of Matillion ETL. Omitting privileges may come at the cost of features within Matillion ETL.

Privilege Object Description
ALL Table Grants all privileges, except OWNERSHIP, on a table.
ALL External Table Grants all privileges, except OWNERSHIP, on an external table.
ALL View Grants all privileges, except OWNERSHIP, on a View.
ALL Schema Grants all privileges, except OWNERSHIP, on a schema.
ALL Stage Creation and general use of Snowflake stages.

The next sections of this page offer some examples of how to grant these privileges.


Warehouse

Grant Usage on warehouse:

GRANT USAGE ON WAREHOUSE <warehouse-name> TO ROLE <role-name>;

Grant Operate on warehouse:

GRANT OPERATE ON WAREHOUSE <warehouse-name> TO ROLE <role-name>;

Database

Grant Usage on database:

GRANT USAGE ON DATABASE <database-name> TO ROLE <role-name>;

Schema

Grant All on schema:

GRANT ALL ON SCHEMA <schema-name> TO ROLE <role-name>;

Table

Grant delete on tables in schema:

GRANT DELETE ON ALL TABLES IN SCHEMA <schema-name> TO ROLE <role-name>;