Request global privileges from consumers

This topic describes how providers can configure a Snowflake Native App to request global privileges from a consumer after the consumer installs the app. These privileges allow the Snowflake Native App to perform tasks in the consumer account, for example creating a warehouse or a database.

If an app needs to perform actions or create objects outside the context of the Snowflake Native App, the consumer must grant the privileges to allow the application to do so.

Workflow for requesting global privileges from the consumer

The following workflow outlines the steps to configure a Snowflake Native App to request global privileges.

Note

Refer to Create a user interface to request privileges and references for information on creating a user interface that allows consumers to grant privileges using Snowsight.

To request global privileges, a provider performs the following when developing and publishing a Snowflake Native App:

  1. Determine the privileges required by the app.

    For example, if an app needs to create a database in the consumer account, the provider must request that the consumer grant the CREATE DATABASE global privilege to the application.

    Refer to Privileges the provider can request from the consumer for details on the global privileges an app can request.

  2. Add the required privileges to the manifest.yml file. See Add a privilege request to the manifest file for details.

After installing the Snowflake Native App, the consumer performs the following:

  1. Review the global privileges required by the application. See View the privileges requested by a Snowflake Native App for more information.

  2. Grant the global privileges on the application. See Grant privileges to an application for more information.

Privileges the provider can request from the consumer

The Snowflake Native App Framework allows providers to request the following global privileges in the consumer account:

  • EXECUTE TASK

  • EXECUTE MANAGED TASK

  • CREATE WAREHOUSE

  • MANAGE WAREHOUSES

  • CREATE DATABASE

  • READ SESSION

A provider can also request that the consumer grant IMPORTED PRIVILEGES on the SNOWFLAKE database to the application. Consumers can grant this privilege only by using SQL commands; it cannot be granted using Snowsight. See Grant privileges to an application for details.

Note

Granting IMPORTED PRIVILEGES allows the Snowflake Native App to see information about usage and costs associated with the consumer account. You should ensure that consumers are aware of this when publishing your Snowflake Native App.

Add a privilege request to the manifest file

The following example shows how to add the EXECUTE TASK privilege to the manifest.yml file:

privileges:
  - EXECUTE TASK:
      description: "Privilege to run tasks within the consumer account"

A provider can add any of the supported privileges in the same manner.
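A provider can check the privileges section before publishing. The following is an added example, not part of the Snowflake Native App Framework: a small linter over an already-parsed manifest that flags privileges outside the list on this page, duplicate requests, and a `description` key that indentation has turned into a sibling of the privilege name. The helper name `lint_privileges`, the sample manifests, and the rule that every request must carry a description are assumptions of this example.

```python
# Added example: lint the `privileges` section of a parsed manifest.yml.
# ALLOWED mirrors the global privileges listed on this page.
ALLOWED = {
    "EXECUTE TASK", "EXECUTE MANAGED TASK", "CREATE WAREHOUSE",
    "MANAGE WAREHOUSES", "CREATE DATABASE", "READ SESSION",
}

def lint_privileges(manifest):
    """Return a list of findings for manifest['privileges'] (hypothetical helper)."""
    findings = []
    entries = manifest.get("privileges") or []
    if not isinstance(entries, list):
        return ["privileges must be a list of single-key mappings"]
    seen = set()
    for i, entry in enumerate(entries):
        if not isinstance(entry, dict) or len(entry) != 1:
            # A mis-indented `description:` parses as a second key of the entry.
            findings.append(f"entry {i}: expected one privilege key, got {entry!r}")
            continue
        (name, body), = entry.items()
        if name not in ALLOWED:
            findings.append(f"entry {i}: {name!r} is not a requestable global privilege")
        if name in seen:
            findings.append(f"entry {i}: {name!r} requested more than once")
        seen.add(name)
        # Policy of this example (an assumption): each request explains itself.
        desc = body.get("description") if isinstance(body, dict) else None
        if not isinstance(desc, str) or not desc.strip():
            findings.append(f"entry {i}: {name!r} has no description for the consumer")
    return findings

# Constructed samples, shaped as a YAML loader would return them.
GOOD = {"privileges": [
    {"EXECUTE TASK": {"description": "Privilege to run tasks within the consumer account"}},
]}
BAD = {"privileges": [
    {"EXECUTE TASK": None, "description": "mis-indented"},  # description as sibling key
    {"CREATE ROLE": {"description": "not in the list on this page"}},
    {"CREATE DATABASE": {}},                                 # missing description
]}

if __name__ == "__main__":
    for label, m in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, lint_privileges(m) or "ok")
```

To run it against a real file, load manifest.yml with a YAML parser of your choice and pass the resulting dictionary to `lint_privileges`.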

View the privileges requested by a Snowflake Native App

When a provider specifies a privilege in the manifest.yml file, the privilege requests are included as part of the installed Snowflake Native App. The consumer can view the privilege requests after installing the app.

To view the global privileges required by an app, run the SHOW PRIVILEGES command as shown in the following example:

SHOW PRIVILEGES IN APPLICATION hello_snowflake_app;

Grant privileges to an application

After determining the privileges required by a Snowflake Native App, the consumer must then grant these privileges to the app.

To grant the global privilege request in the example above, the consumer runs the GRANT <privileges> command as shown in the following example:

GRANT CREATE DATABASE ON ACCOUNT TO APPLICATION hello_snowflake_app;

To grant IMPORTED PRIVILEGES on the SNOWFLAKE database, run the following command:

GRANT IMPORTED PRIVILEGES ON DATABASE SNOWFLAKE TO APPLICATION hello_snowflake_app;