Restricted caller’s rights and Streamlit in Snowflake

By default, all Streamlit in Snowflake apps run with the privileges of the owner, not the privileges of the caller. The Streamlit app developer can define whether a container-runtime app runs with owner’s rights or restricted caller’s rights. Restricted caller’s rights aren’t supported in warehouse runtimes.

Restricted caller’s rights allow a Streamlit app to run with caller’s rights, but restrict which of the caller’s privileges the app runs with. With restricted caller’s rights, a Streamlit app can’t run with a specific privilege unless an administrator expressly allows it. Administrators use caller grants to define which of the caller’s privileges an app can run with. This way, Streamlit apps only access data (on behalf of the viewer) that they are authorized to access.

For more information, see Restricted caller’s rights.

Required caller grants

To access any tables, stored procedures, or warehouses on behalf of the viewer, the Streamlit app developer must have the caller grants granted by a user with the MANAGE CALLER GRANTS privilege.

Example workflow

  1. The administrator grants the MANAGE CALLER GRANTS privilege to the data_science_manager role:

    GRANT MANAGE CALLER GRANTS ON ACCOUNT TO ROLE data_science_manager;
    
  2. A user with the data_science_manager role grants the following privileges to the streamlit_app_developer role:

    • The CALLER SELECT privilege on the streamlit_db.streamlit_schema.streamlit_table table to the streamlit_app_developer role, so that Streamlit apps owned by that role can run with the viewer's SELECT privilege on that table:

      GRANT CALLER SELECT ON TABLE streamlit_db.streamlit_schema.streamlit_table TO ROLE streamlit_app_developer;
      
    • The CALLER USAGE privilege on the streamlit_wh warehouse to the streamlit_app_developer role, so that Streamlit apps owned by that role can run with the viewer's USAGE privilege on that warehouse:

      GRANT CALLER USAGE ON WAREHOUSE streamlit_wh TO ROLE streamlit_app_developer;
      

For more information about caller grants, see About caller grants and GRANT CALLER.

Use cases for restricted caller’s rights in Streamlit in Snowflake

Restricted caller’s rights in Streamlit in Snowflake let you control the following:

  • Which pages of a Streamlit app are available

  • Which data in the Streamlit app is available

  • Which rows of data protected by row access policies the CURRENT_ROLE can access

  • Which warehouses are accessible

  • Which stored procedures can be called in a Streamlit app
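The example workflow and the use cases above, carried through as an added example that is not from the Snowflake documentation: a row access policy keyed on CURRENT_ROLE() is attached to the table from the example workflow, and the administrator then issues the caller grants the app needs for the table, the warehouse and a stored procedure. The region column, the region_access mapping table, the refresh_region_summary procedure and the procedure form of GRANT CALLER are assumptions for illustration.

```sql
-- Mapping of roles to the regions they may see (constructed sample data).
CREATE OR REPLACE TABLE streamlit_db.streamlit_schema.region_access (
  role_name      VARCHAR,
  allowed_region VARCHAR
);
INSERT INTO streamlit_db.streamlit_schema.region_access VALUES
  ('ANALYST_EMEA', 'EMEA'),
  ('ANALYST_APAC', 'APAC');

-- The policy is evaluated against the role the app runs as. Under restricted
-- caller's rights that is the viewer's default role, not the role selected in
-- Snowsight, so the mapping table must list default roles.
CREATE OR REPLACE ROW ACCESS POLICY streamlit_db.streamlit_schema.region_policy
  AS (region VARCHAR) RETURNS BOOLEAN ->
    CURRENT_ROLE() = 'DATA_SCIENCE_MANAGER'
    OR EXISTS (
      SELECT 1
      FROM streamlit_db.streamlit_schema.region_access
      WHERE role_name = CURRENT_ROLE() AND allowed_region = region
    );

-- Assumes streamlit_table has a "region" column (hypothetical).
ALTER TABLE streamlit_db.streamlit_schema.streamlit_table
  ADD ROW ACCESS POLICY streamlit_db.streamlit_schema.region_policy ON (region);

-- Administrator delegates the ability to issue caller grants.
GRANT MANAGE CALLER GRANTS ON ACCOUNT TO ROLE data_science_manager;

-- Caller grants permit apps owned by streamlit_app_developer to exercise the
-- viewer's own privileges on these objects. They do not grant the viewer
-- anything: a viewer whose default role lacks SELECT on the table still sees
-- nothing, and the row access policy filters what the rest of them see.
USE ROLE data_science_manager;
GRANT CALLER SELECT ON TABLE streamlit_db.streamlit_schema.streamlit_table
  TO ROLE streamlit_app_developer;
GRANT CALLER USAGE ON WAREHOUSE streamlit_wh
  TO ROLE streamlit_app_developer;
-- Hypothetical procedure; assumes GRANT CALLER USAGE applies to procedures.
GRANT CALLER USAGE ON PROCEDURE
  streamlit_db.streamlit_schema.refresh_region_summary(VARCHAR)
  TO ROLE streamlit_app_developer;
```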

Restricted caller’s rights in container runtimes

In container runtimes, you can combine owner’s rights and restricted caller’s rights in the same app.

  • To create a connection that uses owner’s rights, use st.connection("snowflake").

  • To create a connection that uses restricted caller’s rights, use st.connection("snowflake-callers-rights").

For more information, see st.connection and SnowflakeConnection in the Streamlit documentation.

The following example shows how to create a caller’s rights connection:

import streamlit as st

# Open the caller's rights connection at the top of the script: the caller
# token is only valid for two minutes after the session starts.
conn = st.connection("snowflake-callers-rights")

# conn.query() returns a pandas DataFrame; read the first cell by position
# rather than by a column label, since the label is the expression text.
df = conn.query("SELECT CURRENT_USER()")
st.write(f"Running as: {df.iloc[0, 0]}")

Tips and limitations for using restricted caller’s rights in container runtimes

  • The token provided in the Sf-Context-Current-User-Token header is only valid for two minutes and is created at the start of the app session. Create any caller’s rights connections at the top of your app script, not inside conditional blocks or on individual pages that may run later.

  • Restricted caller’s rights connections use the viewer’s default role and not the role they have selected in Snowsight.

  • You can use both restricted caller’s rights connections and regular owner’s rights connections in the same app by creating multiple connections.

  • Restricted caller’s rights connections only work when your app is using a container runtime. If you try to use a restricted caller’s rights connection in a local development environment or in a warehouse-runtime environment, you will get an error.

  • Restricted caller’s rights don’t support secondary roles.

Important

Restricted caller’s rights connections are session-scoped. If you need to cache data returned from a restricted caller’s rights connection, you must use session-scoping in the cache decorator. This prevents data from being shared between sessions. To use session-scoping with caching, set scope="session" in the caching decorator. For more information, see st.cache_data in the Streamlit documentation.