Access control for Snowflake App Runtime

This topic describes common access control patterns for delegating operational, monitoring, and view-only access to apps on Snowflake App Runtime. For the full list of privileges, see Snowflake App Runtime privileges.

Share view-only access to a running app

Grant USAGE on the Application Service, plus USAGE on the database and schema that contain it, to let a role open the app. In Cortex Code CLI or Cortex Code Desktop, you can ask the agent to grant access for other roles, or use the Apps view in Desktop to manage sharing.

GRANT USAGE ON DATABASE my_db TO ROLE app_viewer;
GRANT USAGE ON SCHEMA my_db.my_schema TO ROLE app_viewer;
GRANT USAGE ON APPLICATION SERVICE my_db.my_schema.my_app TO ROLE app_viewer;

Delegate lifecycle control

Grant OPERATE to let a role suspend, resume, upgrade, and configure the service without transferring ownership:

GRANT OPERATE ON APPLICATION SERVICE my_db.my_schema.my_app TO ROLE app_ops;

A role holding OPERATE can run statements such as:

ALTER APPLICATION SERVICE my_db.my_schema.my_app SUSPEND;
ALTER APPLICATION SERVICE my_db.my_schema.my_app RESUME;
ALTER APPLICATION SERVICE my_db.my_schema.my_app UPGRADE TO VERSION LATEST;
ALTER APPLICATION SERVICE my_db.my_schema.my_app SET AUTO_SUSPEND_SECS = 900;

Delegate monitoring

Grant MONITOR to let a role view runtime status and read container logs:

GRANT MONITOR ON APPLICATION SERVICE my_db.my_schema.my_app TO ROLE app_monitor;

Revoke access

REVOKE { USAGE | MONITOR | OPERATE }
  ON APPLICATION SERVICE my_db.my_schema.my_app
  FROM ROLE <role_name>;
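Once the grants above are in place, a periodic review of who actually holds them is the check a practitioner wants before sharing more widely. The following is an added SQL example, not from the Snowflake documentation; it assumes the role and object names used on this page and that SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_ROLES labels this object type with GRANTED_ON = 'APPLICATION SERVICE' (an assumption, not confirmed by the page).

```sql
-- Added example (not Snowflake's own code): audit the grants on one
-- application service and revoke anything outside the intended roles.
-- Assumptions: GRANTED_ON is 'APPLICATION SERVICE' for this object type;
-- role names (APP_VIEWER, APP_OPS, APP_MONITOR) are the ones on this page.
-- ACCOUNT_USAGE views lag live state by up to about two hours.

USE ROLE ACCOUNTADMIN;   -- or any role with IMPORTED PRIVILEGES on SNOWFLAKE

-- 1. Every live grant on the service, grouped by privilege, with grantor.
SELECT privilege, grantee_name, granted_by, grant_option, created_on
FROM   snowflake.account_usage.grants_to_roles
WHERE  granted_on    = 'APPLICATION SERVICE'    -- assumed object-type label
  AND  table_catalog = 'MY_DB'
  AND  table_schema  = 'MY_SCHEMA'
  AND  name          = 'MY_APP'
  AND  deleted_on IS NULL
ORDER  BY privilege, grantee_name;

-- 2. Roles holding a privilege they were not meant to have. OPERATE lets a
--    role suspend, resume, or upgrade the app, so its holder list should be
--    exactly APP_OPS; MONITOR exposes container logs, so exactly APP_MONITOR.
SELECT privilege, grantee_name, granted_by, created_on
FROM   snowflake.account_usage.grants_to_roles
WHERE  granted_on    = 'APPLICATION SERVICE'
  AND  table_catalog = 'MY_DB'
  AND  table_schema  = 'MY_SCHEMA'
  AND  name          = 'MY_APP'
  AND  deleted_on IS NULL
  AND  (   (privilege = 'OPERATE' AND grantee_name <> 'APP_OPS')
        OR (privilege = 'MONITOR' AND grantee_name <> 'APP_MONITOR')
        OR (privilege = 'USAGE'   AND grantee_name <> 'APP_VIEWER') );

-- 3. Real-time check of a single role (no ACCOUNT_USAGE latency): list its
--    grants, then filter the SHOW output to this service only.
SHOW GRANTS TO ROLE app_viewer;
SELECT "privilege", "granted_on", "name", "granted_by"
FROM   TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE  "name" = 'MY_DB.MY_SCHEMA.MY_APP';

-- 4. Remediation for a role flagged by query 2 (placeholder role name).
REVOKE OPERATE ON APPLICATION SERVICE my_db.my_schema.my_app
  FROM ROLE <unexpected_role>;
```

Query 2 returns zero rows when the service matches the least-privilege layout described on this page; any row is a grant to review or revoke.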

Grant build permissions on a repository

To let a role push new builds into an artifact repository, grant READ and WRITE on the repository:

GRANT READ  ON ARTIFACT REPOSITORY my_db.my_schema.my_app_repo TO ROLE app_builder;
GRANT WRITE ON ARTIFACT REPOSITORY my_db.my_schema.my_app_repo TO ROLE app_builder;

For general RBAC concepts, see Overview of Access Control.