Understanding owner’s rights and Streamlit in Snowflake apps

Attention

This feature is available to accounts in AWS and Microsoft Azure commercial regions. AWS PrivateLink and Azure Private Link are not supported.

Introduction

The security model for Streamlit in Snowflake closely maps to the owner’s rights model used by stored procedures. Because the app runs as a Snowflake role rather than as a separately provisioned service account, no service account tokens are needed, and the app inherits the authentication, role-based access control, and network policy features that Snowflake already provides.

About owner’s rights in Streamlit in Snowflake

Streamlit apps adhere to the following rules within a session:

  • Run with the privileges of the owner, not the privileges of the caller.

  • Run with the warehouse provisioned by the app owner.

  • Use the database and schema that the Streamlit in Snowflake app was created in, not the database and schema that the caller is currently using.

About app creation

The privilege to create a Streamlit app is granted at the schema level.

To create or edit a Streamlit app by using Streamlit in Snowflake, your active role must have either the OWNERSHIP privilege on the schema, or all of the privileges in both of the following groups:

  • Granted on the database that contains the Streamlit app:

    • USAGE

  • Granted on the schema that contains the Streamlit app:

    • USAGE

    • CREATE STREAMLIT

    • CREATE STAGE

When a Streamlit app is created, the role used to create it becomes the app’s owner role, and the app runs with that role’s privileges from then on, regardless of which role the caller is using.

Viewing an app

The app owner chooses which roles are permitted to use the app by granting them USAGE on the Streamlit object.

  • Viewers can interact with the app and see anything it displays, but they need no privileges on the underlying tables, stages, or warehouse; the app supplies those through the owner role.

  • Every privilege held by the owner role is available to the app when it is shared with other roles, regardless of whether the privilege was granted WITH GRANT OPTION. Sharing an app therefore exposes the full reach of the owner role, filtered only by what the app code chooses to do.
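The following Snowflake SQL is an added example, not part of the original page, that walks through the creation and sharing steps above with dedicated roles: a creator role that holds exactly the schema-level privileges listed earlier plus read access to the one table the app needs, and a viewer role that receives only USAGE on the app. The database `analytics_db`, schema `apps`, table `sales.orders`, warehouse `app_wh`, stage and role names are assumed for illustration.

```sql
-- Assumed names: analytics_db, apps schema, app_wh warehouse, sales.orders table.
-- Run as a role that can create roles and grant on these objects (e.g. SECURITYADMIN/SYSADMIN).

CREATE ROLE IF NOT EXISTS streamlit_dev_role;     -- will own the app
CREATE ROLE IF NOT EXISTS streamlit_viewer_role;  -- will only use the app

-- Creation privileges from the list above: USAGE on the database,
-- USAGE + CREATE STREAMLIT + CREATE STAGE on the schema.
GRANT USAGE ON DATABASE analytics_db                 TO ROLE streamlit_dev_role;
GRANT USAGE ON SCHEMA analytics_db.apps              TO ROLE streamlit_dev_role;
GRANT CREATE STREAMLIT ON SCHEMA analytics_db.apps   TO ROLE streamlit_dev_role;
GRANT CREATE STAGE ON SCHEMA analytics_db.apps       TO ROLE streamlit_dev_role;

-- The warehouse the app will run on is provisioned by the owner, not the caller.
GRANT USAGE ON WAREHOUSE app_wh TO ROLE streamlit_dev_role;

-- Least privilege: the owner role reads only the table the dashboard needs.
-- Anything granted here is reachable by every viewer through the app.
GRANT USAGE ON SCHEMA analytics_db.sales             TO ROLE streamlit_dev_role;
GRANT SELECT ON TABLE analytics_db.sales.orders      TO ROLE streamlit_dev_role;

-- Create the stage and the app as the owner role so ownership lands there.
USE ROLE streamlit_dev_role;
CREATE STAGE IF NOT EXISTS analytics_db.apps.app_stage;
-- (upload streamlit_app.py to @analytics_db.apps.app_stage before this step)
CREATE STREAMLIT analytics_db.apps.sales_dashboard
  ROOT_LOCATION   = '@analytics_db.apps.app_stage'
  MAIN_FILE       = 'streamlit_app.py'
  QUERY_WAREHOUSE = app_wh;

-- Share with viewers: USAGE on the database, schema and the Streamlit object only.
-- No SELECT on sales.orders and no warehouse grant: the app supplies those.
GRANT USAGE ON DATABASE analytics_db                           TO ROLE streamlit_viewer_role;
GRANT USAGE ON SCHEMA analytics_db.apps                        TO ROLE streamlit_viewer_role;
GRANT USAGE ON STREAMLIT analytics_db.apps.sales_dashboard     TO ROLE streamlit_viewer_role;

-- Check: confirm the viewer role holds nothing beyond app usage.
SHOW GRANTS TO ROLE streamlit_viewer_role;
```

Keep `streamlit_dev_role` free of privileges that the app does not need; because the app runs with owner’s rights, a grant of `SELECT` on an extra table is effectively a grant to every viewer, even though `SHOW GRANTS TO ROLE streamlit_viewer_role` will never list it.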

Restrictions on owner’s rights

Because apps run with owner’s rights, they inherit the restrictions that apply to owner’s rights stored procedures. These restrictions affect the following:

  • The built-in functions that can be called from a stored procedure invoked by the app.

  • The ability to execute ALTER USER statements.

  • The types of SQL statements that can be executed from a stored procedure invoked by the app.

  • Some DESCRIBE commands.

For more information, see Additional Restrictions on Owner’s Rights Stored Procedures.

Owner’s rights and app security

Streamlit apps running in Streamlit in Snowflake run with owner’s rights and follow the same security model as other Snowflake objects that run with owner’s rights.

Although Snowflake provides security features like authentication, role-based access control, and admin controls, responsibility for the security of apps is shared with app creators and owners.

A Streamlit app is owned by a role, and every user who holds that role, directly or through the role hierarchy, can exercise the owner’s privileges. Because the app itself runs with all of those privileges, Snowflake recommends that you review the privileges granted to or inherited by the owner role before granting it to another user.

Use particular caution when granting a role with write privileges on the app to another Snowflake user. Write privileges allow that user to modify the app’s code, and any SQL the modified app issues runs with the owner role’s privileges for every viewer who opens it.

In general, Snowflake recommends using role-based access control and dedicated roles for creating and viewing Streamlit apps. Additionally, you should follow appropriate security practices while developing Streamlit apps inside Snowflake and perform regular security audits of the Streamlit apps in your account.
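The following Snowflake SQL is an added example, not part of the original page, of the periodic audit recommended above: it enumerates the apps in the account and their owner roles, then for one app answers the three questions a reviewer cares about under owner’s rights: what the owner role can reach, who holds the owner role (and can therefore edit the app), and who has been granted use of the app. The app name `analytics_db.apps.sales_dashboard` and the role name `streamlit_dev_role` are assumed for illustration.

```sql
-- Assumed names: analytics_db.apps.sales_dashboard owned by streamlit_dev_role.
-- Run as a role with sufficient visibility (e.g. SECURITYADMIN).

-- 1. Inventory: every app in the account with its owner role and warehouse.
SHOW STREAMLITS IN ACCOUNT;
SELECT "database_name", "schema_name", "name", "owner", "query_warehouse"
  FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
 ORDER BY "owner", "database_name", "schema_name", "name";

-- 2. Blast radius: everything the owner role can do is exposed to viewers.
--    Flag write/ownership privileges and anything granted at account scope.
SHOW GRANTS TO ROLE streamlit_dev_role;
SELECT "privilege", "granted_on", "name", "grant_option"
  FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
 WHERE "granted_on" = 'ACCOUNT'
    OR "privilege" IN ('OWNERSHIP', 'INSERT', 'UPDATE', 'DELETE', 'TRUNCATE',
                       'MODIFY', 'CREATE TABLE', 'CREATE SCHEMA')
 ORDER BY "granted_on", "name";
-- Note: this lists direct grants; roles granted to streamlit_dev_role appear
-- with granted_on = 'ROLE' and must be walked in turn for inherited privileges.

-- 3. Who can edit the app: users and roles holding the owner role.
SHOW GRANTS OF ROLE streamlit_dev_role;
SELECT "granted_to", "grantee_name", "granted_by"
  FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()));

-- 4. Who can view the app: roles with USAGE (or OWNERSHIP) on the object.
SHOW GRANTS ON STREAMLIT analytics_db.apps.sales_dashboard;
SELECT "privilege", "granted_to", "grantee_name", "granted_by"
  FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()));
```

Any row from step 2 that the app does not actually need is a candidate for revocation, and any grantee in step 3 who is not an app developer should hold the viewer grant from step 4 instead of the owner role.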