Snowflake App Runtime privileges

Snowflake App Runtime adds the Application Service object for running deployed apps. The deploy pipeline packages your application during the build phase and creates the service in the deploy phase. You don’t provision build or packaging infrastructure yourself.

We recommend account administrator setup so snow app setup and snow app deploy use shared account defaults. Until an administrator completes setup, deploys go to a personal database, which you can’t share with other roles.

This topic covers Application Service privileges and what deploy roles need.

Application Service privileges

Use these privileges to share, operate, and monitor deployed apps. For grant examples, see Access control for Snowflake App Runtime.

PrivilegeEffect
USAGEAccess public endpoints exposed by the service.
MONITOR

View runtime status and read container logs with SYSTEM$GET_APPLICATION_SERVICE_LOGS.

OPERATE

ALTER APPLICATION SERVICE (SUSPEND, RESUME, UPGRADE, SET, UNSET).

OWNERSHIP

DROP the service. The owning role also implicitly has every other privilege on the service.

Deploy with the CLI

For the recommended team path (snow app setup then snow app deploy to shared account defaults), you need:

  • Account administrator setup completed (or equivalent account defaults and grants).
  • A deploy role that was selected during that setup (or equivalent privileges).
  • A project with a snowflake.yml file from snow app setup.

Personal-database deploys don’t require administrator setup, but you can’t share apps deployed there. See Getting started with Snowflake App Runtime.

Deploy roles receive the grants they need during Snowsight setup. When you run snow app deploy, Snowflake provisions the artifact repository and runs the remote build for you.

Create an Application Service with SQL

If you run CREATE APPLICATION SERVICE directly (without snow app deploy), the creating role needs the privileges listed on that command page. Schema-level CREATE privileges for deploy roles are normally granted during account administrator setup.

Artifact repository privileges (SQL-only workflows)

The snow app deploy workflow provisions one artifact repository per application and runs the remote build for you. You only need artifact repository privileges if you publish packages or manage repositories with SQL. In that case, CREATE APPLICATION SERVICE may require READ on a repository that already contains the package. See CREATE ARTIFACT REPOSITORY and Artifact repository commands.

See also