Snowflake App Runtime privileges
Snowflake App Runtime adds the Application Service object for running deployed apps. The managed build service packages your app and deploys the service; you don’t provision packaging infrastructure yourself.
We recommend account administrator setup so that the snow app setup and snow app deploy commands use shared account defaults. Until an administrator completes setup, deploys go to a personal database, which you can’t share with other roles.
This topic covers Application Service privileges and what deploy roles need.
Application Service privileges
Use these privileges to share, operate, and monitor deployed apps. For grant examples, see Access control for Snowflake App Runtime.
| Privilege | Effect |
|---|---|
| USAGE | Access public endpoints exposed by the service. |
| MONITOR | View runtime status and read container logs with SYSTEM$GET_APPLICATION_SERVICE_LOGS. |
| OPERATE | ALTER APPLICATION SERVICE (SUSPEND, RESUME, UPGRADE, SET, UNSET). |
| OWNERSHIP | DROP the service. The owning role also implicitly has every other privilege on the service. |
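As an added example (not part of Snowflake's documentation), the following Python sketch audits Application Service grants against a least-privilege policy, using the privilege semantics from the table above, including OWNERSHIP implying every other privilege. The role names, the policy, and the (role, privilege) rows are constructed; in practice the rows would come from your own grant listing.

```python
# Added example: least-privilege audit for Application Service grants.
# Privilege names and effects are from the table above; role names, the
# policy and the grant rows are constructed for illustration.

EFFECT = {
    "USAGE": "access public endpoints",
    "MONITOR": "view runtime status and read container logs",
    "OPERATE": "ALTER APPLICATION SERVICE (SUSPEND, RESUME, UPGRADE, SET, UNSET)",
    "OWNERSHIP": "DROP the service",
}

# Constructed policy (assumption): privileges each role is meant to hold.
INTENDED = {
    "APP_VIEWER": {"USAGE"},
    "APP_SRE": {"USAGE", "MONITOR", "OPERATE"},
    "APP_DEPLOYER": {"OWNERSHIP"},
}

# Constructed (role, privilege) rows standing in for a real grant listing.
GRANTS = [
    ("APP_VIEWER", "USAGE"), ("APP_VIEWER", "MONITOR"),
    ("APP_SRE", "MONITOR"), ("APP_SRE", "OPERATE"),
    ("APP_DEPLOYER", "OWNERSHIP"),
    ("ANALYST", "OPERATE"),  # role that is absent from the policy
]


def effective(privs):
    """OWNERSHIP implicitly carries every other privilege on the service."""
    return set(EFFECT) if "OWNERSHIP" in privs else set(privs)


def audit(grants, intended):
    """Return {role: {"excess": [...], "missing": [...]}} for roles off policy."""
    held = {}
    for role, priv in grants:
        held.setdefault(role, set()).add(priv)
    findings = {}
    for role in sorted(set(held) | set(intended)):
        have = effective(held.get(role, set()))
        want = effective(intended.get(role, set()))
        excess, missing = sorted(have - want), sorted(want - have)
        if excess or missing:
            findings[role] = {"excess": excess, "missing": missing}
    return findings


if __name__ == "__main__":
    for role, f in audit(GRANTS, INTENDED).items():
        print(role, f)
```

Excess MONITOR or OPERATE is worth reviewing first, since those privileges allow reading container logs and altering the running service.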
Deploy with the CLI
For the recommended team path (snow app setup then snow app deploy to shared account defaults), you need:
- Account administrator setup completed (or equivalent account defaults and grants).
- A deploy role that was selected during that setup (or equivalent privileges).
- A project with a snowflake.yml file from snow app setup.
Personal-database deploys don’t require administrator setup, but you can’t share apps deployed there. See Getting started with Snowflake App Runtime.
Deploy roles receive the grants they need during Snowsight setup. The managed
build service handles packaging when you run snow app deploy.
During public preview, Snowflake App Runtime uses managed compute pools only.
You don’t grant or select custom compute pools for snow app deploy.
Create an Application Service with SQL
If you run CREATE APPLICATION SERVICE directly (without snow app deploy), the creating role needs the privileges listed on that command page. Schema-level CREATE privileges for deploy roles are normally granted during account administrator setup.
Artifact repository privileges (SQL-only workflows)
The managed build service handles artifact repositories when you use
snow app deploy. You only need artifact repository privileges if you publish
packages or manage repositories with SQL. In that case, CREATE APPLICATION SERVICE may require READ on a repository that already contains the package.
See CREATE ARTIFACT REPOSITORY and Artifact repository commands.