Requesting Global Privileges from Consumers
This topic describes how providers can configure a Snowflake Native App to request account-level privileges from a consumer after the consumer installs the app. These privileges allow the Snowflake Native App to perform tasks in the consumer account, for example creating a warehouse or a database.
If an installed application needs to perform tasks or create objects outside the context of the Snowflake Native App, the consumer must grant the privileges to allow the application to do so.
Workflow for Requesting Global Privileges from the Consumer
The following workflow outlines how to configure your application to request global privileges.
Note
Refer to Creating a User Interface to Request Privileges and References for information on creating a user interface that allows consumers to grant privileges using Snowsight.
To request global privileges, the provider performs the following when developing and publishing a Snowflake Native App:
1. Determine the privileges required by the application.
   For example, if your application needs to create a database in the consumer account, you must request that the consumer grant the CREATE DATABASE global privilege to the application.
   Refer to Privileges the Provider Can Request from the Consumer for details on the global privileges an application can request.
2. Add the required privileges to the manifest file. Refer to Adding a Privilege Request to the Manifest File for details.
After installing the Snowflake Native App, the consumer performs the following:
1. Review the global privileges required by the application. For details, see Viewing the Privileges Requested by a Snowflake Native App.
2. Grant the global privileges on the application. See Granting Privileges to an Application for more information.
Privileges the Provider Can Request from the Consumer
The Snowflake Native App Framework allows providers to request the following global privileges from the consumer:
EXECUTE TASK
EXECUTE MANAGED TASK
CREATE WAREHOUSE
MANAGE WAREHOUSES
CREATE DATABASE
Providers can also request that the consumer grant IMPORTED PRIVILEGES on the SNOWFLAKE database to the application. Consumers can only grant this privilege using SQL commands. See Granting Privileges to an Application for details. This privilege cannot be granted in Snowsight.
Note
Granting IMPORTED PRIVILEGES allows the Snowflake Native App to see information about usage and costs associated with the consumer account. You should ensure that consumers are aware of this when publishing your Snowflake Native App.
Adding a Privilege Request to the Manifest File
The following example shows how to add the EXECUTE TASK privilege to the manifest.yml file:
privileges:
  - EXECUTE TASK:
      description: "Privilege to run tasks within the consumer account"
You can add any of the supported privileges in the same manner.
Viewing the Privileges Requested by a Snowflake Native App
When a provider specifies a privilege in the manifest.yml file, the privilege requests are included as part of the installed Snowflake Native App. The consumer can view the privilege requests after installing the app.
To view the global privileges required by a Snowflake Native App, run the SHOW PRIVILEGES command as shown in the following example:
SHOW PRIVILEGES IN APPLICATION hello_snowflake_app;
Granting Privileges to an Application
After determining the privileges required by a Snowflake Native App, the consumer must then grant these privileges to the app.
To grant the global privilege request in the example above, the consumer runs the GRANT <privileges> command as shown in the following example:
GRANT CREATE DATABASE ON ACCOUNT TO APPLICATION hello_snowflake_app;
To grant IMPORTED PRIVILEGES on the SNOWFLAKE database, run the following command:
GRANT IMPORTED PRIVILEGES ON DATABASE SNOWFLAKE TO APPLICATION hello_snowflake_app;
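The following Python example is added here and is not Snowflake's code. It reads the privileges block of a manifest in the layout shown above, checks each request against the five global privileges listed on this page, and emits GRANT statements only for requests the consumer has approved. The function names, the sample manifest with its CREATE ROLE entry, and the review policy (empty descriptions and unapproved requests become findings; the app name must be a plain unquoted identifier) are assumptions made for the example.

```python
import re

# Global privileges this page lists as requestable by an app.
REQUESTABLE = {"EXECUTE TASK", "EXECUTE MANAGED TASK", "CREATE WAREHOUSE",
               "MANAGE WAREHOUSES", "CREATE DATABASE"}

# Constructed sample manifest fragment, in the layout shown on this page.
SAMPLE_MANIFEST = '''\
privileges:
  - EXECUTE TASK:
      description: "Privilege to run tasks within the consumer account"
  - CREATE DATABASE:
      description: ""
  - CREATE ROLE:
      description: "Constructed entry that is not in the list above"
'''

def parse_privileges(manifest_text):
    """Return {privilege: description} from the `privileges:` block.
    Line-based parser for this layout only, not a general YAML parser."""
    requests, current, in_block = {}, None, False
    for line in filter(str.strip, manifest_text.splitlines()):  # skip blanks
        if not line[0].isspace():  # a top-level key starts or ends the block
            in_block = line.strip() == "privileges:"
            continue
        item = re.match(r"\s*-\s*(.+?):\s*$", line)
        desc = re.match(r"\s*description:\s*(.*)$", line)
        if in_block and item:
            current = item.group(1).strip().upper()
            requests[current] = ""
        elif in_block and desc and current:
            requests[current] = desc.group(1).strip().strip("\"'")
    return requests

def review(manifest_text, app_name, approved):
    """Hypothetical review policy: return (GRANT statements, open findings)."""
    if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_$]*", app_name):
        raise ValueError("app name is not a plain unquoted identifier")
    grants, findings = [], []
    for priv, desc in parse_privileges(manifest_text).items():
        if priv not in REQUESTABLE:
            findings.append((priv, "not in the requestable list"))
        elif not desc:
            findings.append((priv, "no description given"))
        elif priv not in approved:
            findings.append((priv, "not approved by the consumer"))
        else:
            grants.append(f"GRANT {priv} ON ACCOUNT TO APPLICATION {app_name};")
    return grants, findings
```

Calling review(SAMPLE_MANIFEST, "hello_snowflake_app", {"EXECUTE TASK"}) yields one GRANT statement for EXECUTE TASK and two findings, one for the empty CREATE DATABASE description and one for CREATE ROLE.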