Allow access to a consumer account¶
This topic describes how a consumer can allow a Snowflake Native App to create and access objects in their account. This includes granting the privileges requested by an app or enabling access to existing objects by using references. It also describes how to allow an app to use external and Apache Iceberg™ tables that a provider shares in the app.
Privileges and references requested by an app¶
In a simple Snowflake Native App, all of the objects required by the app are created inside the application object when the setup script runs during installation. All of the objects required by the app are created in and accessed within the installed app. The consumer does not need to perform any actions in their account.
However, some apps might ask the consumer to perform the following types of actions in their account:
Create a database or warehouse.
Execute tasks.
Access existing objects, for example a table.
There are two types of access that a Snowflake Native App can request:
Privileges that allow the app to perform some account-level operations. An app can request the following global privileges:
EXECUTE TASK
EXECUTE MANAGED TASK
CREATE WAREHOUSE
MANAGE WAREHOUSES
CREATE DATABASE
CREATE COMPUTE POOL
BIND SERVICE ENDPOINT
READ SESSION
Some apps might also request the IMPORTED PRIVILEGES privilege on the SNOWFLAKE database. Refer to Grant the IMPORTED PRIVILEGES privilege on the SNOWFLAKE database for details.
References that allow the app to access objects that already exist in the consumer account and are outside the application object. A provider defines the references required by the app in the
manifest.yml
file.After installing the app, the consumer can authorize access on an object by creating a reference that associates the object to the app.
An app can request access to the following types of objects and their corresponding privileges:
Object Type
Privileges Allowed
TABLE
SELECT, INSERT, UPDATE, DELETE, TRUNCATE, REFERENCES
VIEW
SELECT, REFERENCES
EXTERNAL TABLE
SELECT, REFERENCES
FUNCTION
USAGE
PROCEDURE
USAGE
WAREHOUSE
MODIFY, MONITOR, USAGE, OPERATE
API INTEGRATION
USAGE
A consumer can approve these requests using Snowsight or by running SQL commands as described in the following sections.
Note
If you do not grant the requested privileges or associate references on the requested object to the app, parts of the app may not function correctly.
Manage access requests using Snowsight¶
If a provider implements a user interface in a Snowflake Native App, a consumer may perform the following using Snowsight.
View and grant global privileges.
Authorize access to existing objects in the consumer account.
Grant global privileges¶
To grant privileges or create references after installing an app, do the following:
Sign in to Snowsight.
In the navigation menu, select Data Products » Apps.
Select the app.
Select the Settings icon in the toolbar.
Select the Privileges tab.
The account level permissions requested by the app appear under Account level privileges
In the Account-level privileges section, select Review, and then toggle the slider for each privilege that you want to grant.
Select Save.
Revoke privileges and access to objects¶
To revoke privileges or remove access to objects, do the following:
Sign in to Snowsight.
In the navigation menu, select Data Products » Apps.
Select the app.
Select the Settings icon in the toolbar.
Select the Privileges tab.
To revoke a global privilege, select the Edit button, then toggle the slider for the privilege you want to revoke.
To revoke access from a specific object, select the Delete button, then select Revoke Privilege.
Note
Revoking privileges or removing access from objects can cause the app to become unstable or stop working.
Manage privileges for an app by using SQL commands¶
If your app developer does not implement an interface for granting privileges, you must manage access requests for the app using SQL commands.
View the privileges requested by an app¶
When a provider specifies the privileges required by the app, the privilege request is included as part of the installed app. You can view these privileges after installing the app.
To view the privileges required by an app, run the SHOW PRIVILEGES command as shown in the following example:
SHOW PRIVILEGES IN APPLICATION hello_snowflake_app;
Grant privileges to a Snowflake Native App¶
After a consumer determines the privileges requested by an app, they can grant those privileges to the app.
For example, to grant the EXECUTE TASK privilege to an app, run the GRANT PRIVILEGE command as shown in the following example:
GRANT EXECUTE TASK ON ACCOUNT TO APPLICATION hello_snowflake_app;
Grant the MANAGE WAREHOUSES privilege to a Snowflake Native App¶
The MANAGE WAREHOUSES privilege allows an app to create, modify, and use warehouses within the consumer account. To grant the MANAGE WAREHOUSES privilege to an app, use the GRANT as shown in the following example:
GRANT MANAGE WAREHOUSES ON ACCOUNT TO APPLICATION hello_snowflake_app;
Grant the IMPORTED PRIVILEGES privilege on the SNOWFLAKE database¶
Some apps might request that a consumer grants the IMPORTED PRIVILEGES privilege on the SNOWFLAKE database in their account. This privilege can only be granted using SQL commands. It cannot be granted using Snowsight. If an app requires this privilege, the provider should communicate this requirement to the consumer, for example, in the README file of the app.
To grant the IMPORT privilege on the SNOWFLAKE database, run the following command:
GRANT IMPORTED PRIVILEGES ON DATABASE SNOWFLAKE TO APPLICATION hello_snowflake_app;
Note
The IMPORTED PRIVILEGES privilege allows the app to access information about usage and costs associated with the consumer account. A consumer should ensure that they want to share this information with the app before granting this privilege.
Enable external and Apache Iceberg™ tables¶
The Snowflake Native App Framework allows providers to share external and Apache Iceberg™ tables in the provider shares with consumers in the app. However, consumers must give the app permission to access these tables.
Security and cost considerations¶
When allowing an app to accesses an external or Iceberg table, consumers should be aware of the following:
External and Iceberg tables may pose data exfiltration risks to the consumer. For example, if an app exposes a view that contains an external table, a provider may be able to determine the types of queries the consumer makes by using their cloud provider access logs.
External and Iceberg tables may incur additional costs related to egress and ingress usage if the object store containing the table is not in the same region where the app is published.
Enable external and Iceberg tables using Snowsight¶
Providers can configure the app to display a dialog to all consumers to allow an app to access an external or Iceberg tables.
To allow an app to access to an external or Iceberg table:
Sign in to Snowsight.
In the navigation menu, select Data Products » Apps.
Select the app.
Select the Settings icon in the toolbar.
Select the Privileges tab.
Under External data access, select Review.
Select Enable.
Enable external and Iceberg tables using SQL¶
To enable access to external and Iceberg tables by using SQL use the SET_APPLICATION_RESTRICTED_FEATURE_ACCESS system function as shown in the following example:
SELECT SYSTEM$SET_APPLICATION_RESTRICTED_FEATURE_ACCESS(hello_snowflake_app, 'external_data', ‘{"allowed_cloud_providers" : "all"}’);
This command allows the hello_snowflake_app
app to access the external or Iceberg tables in the
that the app uses.
To determine if external and Iceberg tables have been enabled for an app, use the LIST_APPLICATION_RESTRICTED_FEATURES system function as shown in the following example:
SYSTEM$LIST_APPLICATION_RESTRICTED_FEATURES('hello_snowflake_app')
This system function returns a JSON object that indicates if external and Iceberg tables are allowed
the for the hello_snowflake_app
.