CREATE APPLICATION ROLE

Creates a new application role or replaces an existing application role. Use application roles to enable access control security for objects within an application object.

See About application roles for more information.

Note

Application roles are only valid within the context of an application object.

When creating an application role, you can grant privileges on objects to the application role. Within the setup script, you can then grant the application role to other application roles.

After installing a Snowflake Native App, consumers can grant application roles to account roles to enable access to the app.

With application roles, you can grant privileges on other objects within the application or objects owned by the application in the consumer account.

Application roles are implicitly granted to the application owner WITH GRANT OPTION. The application owner may grant these roles to account level roles, providing access to the objects that are owned by the application.

See also:

ALTER APPLICATION ROLE, GRANT APPLICATION ROLE, REVOKE APPLICATION ROLE, SHOW APPLICATION ROLES

Syntax

CREATE [ OR REPLACE ] APPLICATION ROLE [ IF NOT EXISTS ] <name>
  [ COMMENT = '<string_literal>' ]
Copy

Required parameters

name

Specifies the identifier for the application role. This value must be unique within the application object in which the role is created.

The identifier must start with an alphabetic character and cannot contain spaces or special characters unless the entire identifier string is enclosed in double quotes (e.g. "My object"). Identifiers enclosed in double quotes are also case-sensitive.

If the identifier is not fully qualified, in the form of application_name.application_role_name, the command creates the application role in the current application for the session.

For more details, see Identifier requirements.

Optional parameters

COMMENT = 'string_literal'

Specifies a comment for the application role.

Default: No value

Usage notes

  • The maximum number of application roles that can be created in an application object is 1000.

  • Regarding metadata:

    Attention

    Customers should ensure that no personal data (other than for a User object), sensitive data, export-controlled data, or other regulated data is entered as metadata when using the Snowflake service. For more information, see Metadata Fields in Snowflake.

  • CREATE OR REPLACE <object> statements are atomic. That is, when an object is replaced, the old object is deleted and the new object is created in a single transaction.

Examples

CREATE APPLICATION ROLE app_role
  COMMENT = 'Application role for the Hello Snowflake application.';
Copy