Allow an app to create resources in the consumer account

This topic describes how consumers can use automated granting of privileges to allow a Snowflake Native App to create objects in the consumer account.

Overview of automated granting of privileges

Often, an app needs to create or access objects or perform other actions in a consumer account. This requires the consumer to grant the required privileges that allow the app to perform these actions.

Auto privileges allow providers to specify the required privileges in the manifest file of an app. When the consumer installs or upgrades an app, the privileges specified in the manifest are automatically granted to the app by Snowflake.

Privileges granted by automated granting of privileges

When using automated granting of privileges, a provider can add the following privileges to the manifest file of the app:

  • EXECUTE TASK

  • EXECUTE MANAGED TASK

  • CREATE WAREHOUSE

  • CREATE COMPUTE POOL

  • BIND SERVICE ENDPOINT

  • CREATE DATABASE

  • CREATE EXTERNAL ACCESS INTEGRATION

  • CREATE SECURITY INTEGRATION

Note

For restrictions on the CREATE EXTERNAL ACCESS INTEGRATION privilege, see Restrictions on the CREATE EXTERNAL ACCESS INTEGRATION and CREATE SECURITY INTEGRATION.

Restrictions on the CREATE EXTERNAL ACCESS INTEGRATION and CREATE SECURITY INTEGRATION

The CREATE EXTERNAL ACCESS INTEGRATION and CREATE SECURITY INTEGRATION privileges allow an app to create the objects in the consumer account that are required to connect to an external endpoint. However, to allow connections to an external endpoint, consumers must also approve the app specification that allows the app to connect to external hosts. If a consumer does not approve the app specification, the external connection remains disabled.

For more information, see Approve connections to external resources using app specifications.
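
Because these grants happen automatically at install or upgrade, a consumer may want to review afterwards which of the privileges listed on this page an app actually holds. The following is an added example, not part of the original documentation: `my_app` is a hypothetical application name, and the filter assumes that SHOW GRANTS reports the privilege names as they are spelled on this page.

```sql
-- Added example: consumer-side review of account-level privileges held by an app.
-- my_app is a hypothetical application name; replace it with the installed app.
SHOW GRANTS TO APPLICATION my_app;

-- Filter the SHOW output to the privileges this page lists as auto-grantable.
-- Assumption: privilege names appear in the output as spelled on this page.
SELECT
    "privilege",
    "granted_on",
    "granted_by",
    "created_on",
    -- TRUE for the two privileges whose external connections stay disabled
    -- until the consumer approves the app specification.
    "privilege" IN ('CREATE EXTERNAL ACCESS INTEGRATION',
                    'CREATE SECURITY INTEGRATION')
        AS needs_app_spec_approval_to_connect
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "granted_on" = 'ACCOUNT'
  AND "privilege" IN (
        'EXECUTE TASK',
        'EXECUTE MANAGED TASK',
        'CREATE WAREHOUSE',
        'CREATE COMPUTE POOL',
        'BIND SERVICE ENDPOINT',
        'CREATE DATABASE',
        'CREATE EXTERNAL ACCESS INTEGRATION',
        'CREATE SECURITY INTEGRATION'
      )
ORDER BY "privilege";
```

Run the two statements back to back in the same session, since `RESULT_SCAN(LAST_QUERY_ID())` reads the output of the immediately preceding SHOW command.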