Snowflake role privileges with Matillion ETL
Overview
Snowflake access control works by giving "roles" sets of "privileges" on certain objects (databases, schema, tables, and so on).
For example, CREATE is a privilege that can be set on objects such as tables or schema and given to a custom or existing role. That role, when used by Matillion ETL, can then create tables—a core function in Matillion ETL. The ALL privilege gives a role every relevant available privilege on an object.
To connect Matillion ETL to your Snowflake account, the Snowflake role must have certain privileges enabled. Some examples are listed below.
Matillion recommends using a custom Snowflake role created specifically for Matillion ETL, rather than a role such as PUBLIC.
Read GRANT
Snowflake role privileges
Below is a table of role privileges required for optimal use of Matillion ETL. Omitting privileges may come at the cost of features within Matillion ETL.
| Privilege | Object | Description |
|---|---|---|
| ALL | Table | Grants all privileges, except OWNERSHIP, on a table. |
| ALL | External Table | Grants all privileges, except OWNERSHIP, on an external table. |
| ALL | View | Grants all privileges, except OWNERSHIP, on a View. |
| ALL | Schema | Grants all privileges, except OWNERSHIP, on a schema. |
| ALL | Stage | Creation and general use of Snowflake stages. |
The next sections of this page offer some examples of how to grant these privileges.
Warehouse
Grant Usage on warehouse:
GRANT USAGE ON WAREHOUSE <warehouse-name> TO ROLE <role-name>;
Grant Operate on warehouse:
GRANT OPERATE ON WAREHOUSE <warehouse-name> TO ROLE <role-name>;
Database
Grant Usage on database:
GRANT USAGE ON DATABASE <database-name> TO ROLE <role-name>;
Schema
Grant All on schema:
GRANT ALL ON SCHEMA <schema-name> TO ROLE <role-name>;
Table
Grant delete on tables in schema:
GRANT DELETE ON ALL TABLES IN SCHEMA <schema-name> TO ROLE <role-name>;