PYPI_REPOSITORY_USER database role granted to the PUBLIC role

Users must have the PYPI_REPOSITORY_USER database role to use packages from the shared PyPI repository when creating Python UDFs, UDTFs, UDAFs, and stored procedures. This change affects which roles have the PYPI_REPOSITORY_USER database role by default.

Before the change:

Access to the shared PyPI repository (snowflake.snowpark.pypi_shared_repository) is opt-in. Account administrators must explicitly grant the PYPI_REPOSITORY_USER database role before users can use packages from the shared PyPI repository:

GRANT DATABASE ROLE snowflake.snowpark.pypi_repository_user TO ROLE my_role;

After the change:

For new accounts, Snowflake grants the PYPI_REPOSITORY_USER database role to the PUBLIC role during account creation, so all users in the account can use the shared PyPI repository by default.

For existing accounts, a one-time backfill grants the PYPI_REPOSITORY_USER database role to the PUBLIC role.

This means a user can use any role to create Python functions and procedures that use packages from the shared PyPI repository without requiring an explicit grant from an account administrator.

If you want to restrict access to the shared PyPI repository after this change, you can either proactively opt out or reactively revoke access:

-- Proactive opt-out via account parameter (only available before the change is rolled out)
ALTER ACCOUNT SET DISABLE_PYPI_REPOSITORY_USER_PUBLIC_GRANT = TRUE;

-- Reactive revocation
REVOKE DATABASE ROLE snowflake.snowpark.pypi_repository_user FROM ROLE PUBLIC;

-- Optionally grant to specific roles
GRANT DATABASE ROLE snowflake.snowpark.pypi_repository_user TO ROLE data_science;
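
To confirm which state an account is in, before or after running the statements above, the following check lists the current grantees of the database role and flags a grant to PUBLIC. It is an added example, not part of the original notice. It assumes a session role that is allowed to view these grants (for example ACCOUNTADMIN) and that SHOW GRANTS OF DATABASE ROLE returns the same "granted_to" / "grantee_name" columns as SHOW GRANTS OF ROLE.

```sql
-- Added example: audit access to the shared PyPI repository.

-- 1. Check whether the proactive opt-out parameter named in this notice is set.
SHOW PARAMETERS LIKE 'DISABLE_PYPI_REPOSITORY_USER_PUBLIC_GRANT' IN ACCOUNT;

-- 2. List every role or user that currently holds the database role.
SHOW GRANTS OF DATABASE ROLE snowflake.snowpark.pypi_repository_user;

-- 3. Post-process the SHOW output. Run this immediately after step 2 in the
--    same session, because LAST_QUERY_ID() refers to the previous statement.
--    Column names are assumed to match the SHOW GRANTS OF ROLE output.
SELECT
    "granted_to",
    "grantee_name",
    "granted_by",
    "created_on",
    IFF("granted_to" = 'ROLE' AND "grantee_name" = 'PUBLIC',
        'YES: every user in the account has access',
        'no') AS public_grant
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
ORDER BY public_grant DESC, "grantee_name";
```

After the REVOKE statement above, no row should be flagged as a PUBLIC grant, and the remaining rows should be only the roles you granted explicitly, such as data_science.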

Ref: 2280