Skip to content

Requirements

  • DevOps Pipeline (cloud execution)
    • See downloads section for example
    • Build-Service needs Contributor privileges on source git repository
  • Snowflake technical user
    • With privileges to create roles (CREATE ROLE ON ACCOUNT)
    • With permissions to grant privileges on all databases and schemas it should control, either
      • manage all grants on the account (MANAGE GRANTS ON ACCOUNT), or
      • ownership on all schemas it is supposed to operate on (GRANT OWNERSHIP ON SCHEMA/DATABASE). Keep in mind that it is actually the pipeline's job to set this, so it can be a chicken-and-egg problem.
    • With permissions to see at least on table per schema it is supposed to manage, either
      • SYSADMIN, or
      • USAGE ON DATABASE, USAGE ON SCHEMA, SELECT ON TABLE. Keep in mind that it is actually the pipeline's job to set this, so it can be a chicken-and-egg problem.
    • With permissions to use a warehouse (XS size is sufficient)

Permissions example

USE ROLE SECURITYADMIN;
CREATE USER U_T_CLOE_PERMISSIONS WITH PASSWORD = '';
CREATE ROLE R_T_CLOE_PERMISSIONS;
GRANT ROLE R_T_CLOE_PERMISSIONS TO ROLE ACCOUNTADMIN;
GRANT ROLE R_T_CLOE_PERMISSIONS TO USER U_T_CLOE_PERMISSIONS;
GRANT MANAGE GRANTS ON ACCOUNT TO ROLE R_T_CLOE_PERMISSIONS;
GRANT CREATE ROLE ON ACCOUNT TO ROLE R_T_CLOE_PERMISSIONS;
GRANT ROLE SYSADMIN TO ROLE R_T_CLOE_PERMISSIONS;
USE ROLE SYSADMIN;
CREATE WAREHOUSE WH_CLOE_PERMISSIONS WITH WAREHOUSE_SIZE=XSMALL INITIALLY_SUSPENDED=TRUE;
GRANT USAGE ON WAREHOUSE WH_CLOE_PERMISSIONS TO ROLE R_T_CLOE_PERMISSIONS;