Snowflake App Runtime privileges¶

Snowflake App Runtime introduces privileges on two new schema-level objects: the artifact repository and the Application Service. This topic summarizes the privileges and typical grant patterns.

Artifact repository privileges¶

Privilege	Effect
USAGE	Resolve the repository name.
READ	Read package and version metadata. Required to reference the repository from CREATE APPLICATION SERVICE and from `ALTER APPLICATION SERVICE ... UPGRADE`.
WRITE	Produce new package versions. Required by build workflows driven by `snow app deploy`.
OWNERSHIP	Full control. Required for `ALTER` and `DROP` on the repository.

Application Service privileges¶

Privilege	Effect
USAGE	Access public endpoints exposed by the service.
MONITOR	View runtime status and read container logs with SYSTEM$GET_APPLICATION_SERVICE_LOGS.
OPERATE	`ALTER APPLICATION SERVICE` (`SUSPEND`, `RESUME`, `UPGRADE`, `SET`, `UNSET`).
OWNERSHIP	`DROP` the service. The owning role also implicitly has every other privilege on the service.

Privileges required to create an Application Service¶

The role that runs CREATE APPLICATION SERVICE needs, at minimum:

CREATE APPLICATION SERVICE on the target schema.
READ on the artifact repository.
USAGE on the compute pool, if you specify IN COMPUTE POOL.
USAGE on each external access integration listed.
USAGE on the query warehouse, if you set QUERY_WAREHOUSE.

For full syntax and access control details, see CREATE APPLICATION SERVICE.

Privileges required to deploy with the CLI¶

To deploy an app end-to-end with snow app deploy, the deploying role needs all of the following:

USAGE on the target database and schema.
CREATE APPLICATION SERVICE on the target schema.
CREATE STAGE on the target schema (for the per-app code stage).
USAGE on the query warehouse.
USAGE on the build and service compute pools.
USAGE on the external access integration used during builds.
READ and WRITE on the image repository (for pushing and pulling built images).
READ and WRITE on the artifact repository (created automatically if it doesn’t exist, but the role needs these privileges to produce and reference packages).

Example grant statements:

-- Database and schema
GRANT USAGE ON DATABASE apps_db TO ROLE app_deployer;
GRANT USAGE ON SCHEMA apps_db.public TO ROLE app_deployer;
GRANT CREATE APPLICATION SERVICE ON SCHEMA apps_db.public TO ROLE app_deployer;
GRANT CREATE STAGE ON SCHEMA apps_db.public TO ROLE app_deployer;

-- Compute and networking
GRANT USAGE ON WAREHOUSE app_wh TO ROLE app_deployer;
GRANT USAGE ON COMPUTE POOL app_compute_pool TO ROLE app_deployer;
GRANT USAGE ON INTEGRATION build_eai TO ROLE app_deployer;

-- Image and artifact repositories
GRANT READ, WRITE ON IMAGE REPOSITORY apps_db.public.image_repo TO ROLE app_deployer;
GRANT READ, WRITE ON ARTIFACT REPOSITORY apps_db.public.app_repo TO ROLE app_deployer;

Your account administrator typically configures these grants as part of the Snowflake App Runtime infrastructure setup in Snowsight (/settings/account/apps).

Snowflake App Runtime privileges¶

Artifact repository privileges¶

Application Service privileges¶

Privileges required to create an Application Service¶

Privileges required to deploy with the CLI¶

See also¶