Snowpark Container Services: Changes to access control for services and endpoints

Attention

This behavior change is in the 2024_04 bundle.

For the current status of the bundle, refer to Bundle History.

With this behavior change bundle, Snowpark Container Services supports fine-grained access control that lets you manage access privileges per endpoint that a service exposes. You can grant a service role (defined in the service specification) the USAGE privilege on a specific endpoint, and then grant that service role to account roles to control who can reach each endpoint.

Note

The owner role for a service always has access to that service’s endpoints. This change applies only if the current role is not the owner role.

Changes to the privileges required to create and alter a service function

The privileges required to create or alter a service function are changing:

Before the change:

Privileges required to create and manage service functions:

  • To create a service function: The current role must have the USAGE privilege on the service being referenced.

  • To alter a service function: You can alter a service function and associate it with another service. The current role must have the USAGE privilege on that other service.

After the change:

Privileges required to create and manage service functions:

  • To create a service function: The current role must have the USAGE privilege on the endpoint. You grant this privilege by granting the service role to the current role.

  • To alter a service function: You can alter a service function and associate it with another endpoint. The current role must have been granted the service role with the USAGE privilege on the new endpoint being referenced.

Changes to the privileges required for ingress to a public endpoint

Users in the Snowflake account where the service is created can use ingress to a public endpoint. The privileges required to use the public endpoint are changing:

Before the change:

The current role must have the USAGE privilege on the service that exposes the endpoint.

After the change:

The current role must have the USAGE privilege on the endpoint. You grant this privilege by granting the service role to the current role.

Change to the SHOW ENDPOINTS command output

The list of endpoints returned by this command is changing:

Before the change:

Returns a list of all the endpoints associated with the service.

After the change:

Returns only the endpoints associated with the service on which the current role has the USAGE privilege.
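The following Snowflake SQL is an added example, not part of the original page, that walks through the model described in the three sections above: a service specification that defines a service role scoped to a single endpoint, the grant that gives an account role USAGE on that endpoint, the service function creation that now depends on that grant, and the SHOW ENDPOINTS check. All object names (echo_service, echoendpoint, echo_role, analyst_role, the compute pool and the image path) are assumptions.

```sql
-- Added example (not from the page); every object name below is an assumed placeholder.

-- 1. Create the service. The top-level serviceRoles section defines a service role
--    that carries USAGE on exactly one endpoint, so access can be scoped to that
--    endpoint instead of to the whole service.
CREATE SERVICE echo_service
  IN COMPUTE POOL my_compute_pool
  FROM SPECIFICATION $$
spec:
  containers:
  - name: echo
    image: /my_db/my_schema/my_repo/echo_image:latest
  endpoints:
  - name: echoendpoint
    port: 8000
    public: true      # public ingress; USAGE on this endpoint is still required
  - name: adminendpoint
    port: 9000        # no service role references this endpoint
serviceRoles:
- name: echo_role
  endpoints:
  - echoendpoint
$$;

-- 2. Grant the service role to the account role that will use the endpoint.
--    After the change, this grant is what gives analyst_role USAGE on echoendpoint;
--    USAGE on echo_service alone is no longer what is checked (the owner role is exempt).
GRANT SERVICE ROLE echo_service!echo_role TO ROLE analyst_role;

-- 3. As analyst_role, create a service function bound to the endpoint.
--    Before the change this needed USAGE on echo_service; after the change it needs
--    USAGE on echoendpoint, which step 2 provides. (Assumes analyst_role can also
--    create functions in the current schema.)
USE ROLE analyst_role;
CREATE FUNCTION echo_udf(input_text VARCHAR)
  RETURNS VARCHAR
  SERVICE = echo_service
  ENDPOINT = echoendpoint
  AS '/echo';

-- 4. Verify the effective scope. After the change, this lists only echoendpoint for
--    analyst_role; adminendpoint is absent because no granted service role covers it.
SHOW ENDPOINTS IN SERVICE echo_service;
```

Running step 4 as the service's owner role would list both endpoints, which is a quick way to confirm that a missing endpoint in a non-owner role's output is a grant gap rather than a deployment problem.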

Ref: 1611