Snowpark Container Services: Changes to access control for services and endpoints¶

Changes to the privileges required to create and alter a service function¶

The privileges required to create or alter a service function are changing:

Before the change:

Privileges required to create and manage service functions:

• To create a service function: The current role must have the USAGE privilege on the service being referenced.

• To alter a service function: You can alter a service function and associate it with another service. The current role must have the USAGE privilege on that other service.

After the change:

Privileges required to create and manage service functions:

• To create a service function: The current role must have the USAGE privilege on the endpoint. You grant this privilege by granting the service role to the current role.

• To alter a service function: You can alter a service function and associate it with another endpoint. The current role must have been granted the service role with the USAGE privilege on the new endpoint being referenced.

Changes to the privileges required for ingress to a public endpoint¶

Users in the Snowflake account where the service is created can use ingress to a public endpoint. The privileges required to use the public endpoint are changing:

Before the change:

The current role must have the USAGE privilege on a service that exposes the endpoint.

After the change:

The current role must have the USAGE privilege on the endpoint. You grant this privilege by granting the service role to the current role.

Change to the SHOW ENDPOINTS command output¶

The list of endpoints returned by this command is changing:

Before the change:

Returns a list of all the endpoints associated with the service.

After the change:

Returns a list of endpoints associated with the service that the current role has USAGE privileges for.

Ref: 1611