Configuration

Example setup

[Figure: example setup (snowflake-sac-example.png)]

YAML Arguments

The YAML file describes the desired state of privileges within Snowflake and is stored in a git repository. It can configure functional roles, and also dependencies and additional grants for schema roles, as shown in the last part of the following example.

Example functional role and privileges YAML
it_developer:
  warehouses:
    - name: wh_xs
      usage: true
      operate: true
    - name: wh_xl
      usage: true
    - name: wh_xm
      operate: true
  databases:
    - name: dev_business
      owner: true
      schemas:
        - name: trading
          owner: true
        - name: logistics
          owner: true
    - name: prd_business
      schemas:
        - name: trading
          read: true
        - name: logistics
          read: true
          execute: true
  additional_grants:
    - GRANT USAGE ON EXTERNAL STAGE trading.load TO ROLE IT_DEVELOPER;
business_analyst:
  warehouses:
    - name: wh_xs
      usage: true
  databases:
    - name: prd_business
      schemas:
        - name: trading
          read: true
        - name: logistics
          read: true
rs_devdb_reporting_owner:
  warehouses:
    - name: wh_dev_reporting_xs
      usage: true
  databases:
    - name: devdb
      schemas:
        - name: core
          read: true
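
A pre-merge check over this model, as an added example (not part of the tool or its documentation): it flags ownership on production objects and `additional_grants` entries that are not a single GRANT to the enclosing role, since those entries are raw SQL strings rather than structured privileges. The `prd_` prefix convention, the `audit_model` name and the sample entries are assumptions; the model is passed in already parsed (for example by `yaml.safe_load`).

```python
import re

# Constructed sample: the parsed form of a functional role model (what
# yaml.safe_load would return), with three deliberately risky entries.
MODEL = {
    "it_developer": {
        "databases": [
            {"name": "dev_business", "owner": True},
            {"name": "prd_business",
             "schemas": [{"name": "trading", "read": True},
                         {"name": "logistics", "owner": True}]},  # risky
        ],
        "additional_grants": [
            "GRANT USAGE ON EXTERNAL STAGE trading.load TO ROLE IT_DEVELOPER;",
            "GRANT USAGE ON EXTERNAL STAGE trading.load TO ROLE BUSINESS_ANALYST;",
            "GRANT USAGE ON WAREHOUSE wh_xs TO ROLE IT_DEVELOPER; "
            "GRANT OWNERSHIP ON DATABASE prd_business TO ROLE IT_DEVELOPER;",
        ],
    },
}

PROD_PREFIX = "prd_"  # assumption: production databases share this prefix
# Exactly one statement of the form GRANT ... TO ROLE <name>, no embedded ';'.
GRANT_RE = re.compile(r"^\s*GRANT\s+[^;]+?\s+TO\s+ROLE\s+(\w+)\s*;?\s*$", re.I)


def audit_model(model):
    """Return (role, finding) tuples for entries a reviewer should inspect."""
    findings = []
    for role, spec in model.items():
        for db in spec.get("databases", []):
            if not db["name"].lower().startswith(PROD_PREFIX):
                continue
            owned = [db["name"]] if db.get("owner") else []
            owned += [f"{db['name']}.{s['name']}"
                      for s in db.get("schemas", []) if s.get("owner")]
            findings += [(role, f"owner on production object {o}") for o in owned]
        for stmt in spec.get("additional_grants", []):
            match = GRANT_RE.match(stmt)
            if match is None:
                findings.append((role, f"not a single GRANT ... TO ROLE: {stmt}"))
            elif match.group(1).lower() != role.lower():
                findings.append((role, f"grants to other role {match.group(1)}: {stmt}"))
    return findings


if __name__ == "__main__":
    for role, finding in audit_model(MODEL):
        print(f"{role}: {finding}")
```

Run as a merge-request job on the model file, it can fail the pipeline whenever the returned list is non-empty, so that such entries get an explicit review before SQL is generated.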

CLI Arguments

The CLI is called by the DevOps pipeline. CLI arguments can be set in the corresponding YAML file (see downloads).

Technical Role Generator

| Argument | Optional | Description |
| --- | --- | --- |
| git-root-path | | Path to where the model is stored, i.e. where the .git folder is located. |
| output-sql-path | | Path where the output SQL is saved. |
| database-model-filepath | | Relative path to the database model file (from git-root-path). |
| database-filter-positive | | Regular expression; databases matched by the expression are used. |
| database-filter-negative | | Regular expression; databases matched by the expression are excluded. |
| git-tag-regex | | Regular expression that should lead to the last deployment tag. |
| database-model-previous-filepath | | Relative path to the previous database model file (from git-root-path). Can be used if the database model file was moved. |

Functional Role Generator and Privilege Manager

| Argument | Optional | Description |
| --- | --- | --- |
| git-root-path | | Path to where the model is stored, i.e. where the .git folder is located. |
| output-sql-path | | Path where the output SQL is saved. |
| func-model-filepath | | Relative path to the functional role model YAML (from git-root-path). |
| git-tag-regex | | Regular expression that should lead to the last deployment tag. |
| func-model-previous-filepath | | Relative path to the previous functional role model YAML (from git-root-path). Can be used if the functional role model file was moved. |

Role Deployer

| Argument | Optional | Description |
| --- | --- | --- |
| input_sql_path | | Path where the SQL script is stored. |
| snowflake-user | | The Snowflake user the crawler should use. If not set, it is expected in the CRAWLER_SNOWFLAKE_USER environment variable. |
| snowflake-password | | The Snowflake password the crawler should use. If not set, it is expected in the CRAWLER_SNOWFLAKE_PASSWORD environment variable. |
| snowflake-account | | The Snowflake account the crawler should use. If not set, it is expected in the CRAWLER_SNOWFLAKE_ACCOUNT environment variable. |
| snowflake-warehouse | | The Snowflake warehouse the crawler should use. If not set, it is expected in the CRAWLER_SNOWFLAKE_WAREHOUSE environment variable. |
| snowflake-role | | The Snowflake role the crawler should use. Can also be set with the CRAWLER_SNOWFLAKE_ROLE environment variable. If not set, the user's default role is used. |
| existing-repository-json-path | | Reference to an existing repository JSON to update. |