I am using the below queries to create a share and add objects to it:
CREATE SHARE IF NOT EXISTS my_db_my_schema_my_table;
GRANT USAGE ON DATABASE my_db TO SHARE my_db_my_schema_my_table;
GRANT USAGE ON SCHEMA my_db.my_schema TO SHARE my_db_my_schema_my_table;
GRANT SELECT ON TABLE my_db.my_schema.my_table TO SHARE my_db_my_schema_my_table;
Now, I am using the below query to add the accounts:
ALTER SHARE my_db_my_schema_my_table ADD ACCOUNTS=AB60942;
This works fine. No errors. Also, I can see in the share details that this account name was added under Full Accounts.
Below are my current role permissions:
However, I am not able to see anything under the other account. What exactly am I missing here?
P.S.: I am trying to refrain from using the accountadmin role.
You must use the ACCOUNTADMIN role (or a role granted the IMPORT SHARES global privilege) to perform these tasks:
Do you see your shares in the available/inbound shares on the consumer account?
show shares;
Have you created a database from the share on the consumer account?
https://docs.snowflake.com/en/user-guide/data-share-consumers.html#creating-a-database-from-a-share
Are your consumer and the main account in the same region? If they are in different regions, follow this document: https://docs.snowflake.com/en/user-guide/secure-data-sharing-across-regions-plaforms.html
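The consumer-side steps the answer above asks about, as an added example (not code from the original question or answer). It assumes the role names share_consumer_role and analyst_role, the database name shared_my_db, the warehouse reporting_wh, and a placeholder <provider_account_locator> for the provider's account identifier; the share name is the one from the question.

```sql
-- Consumer account. Added example, not from the original post.
-- Assumed names: share_consumer_role, analyst_role, shared_my_db, reporting_wh,
-- and <provider_account_locator> (placeholder for the provider's account identifier).

-- One-time setup by ACCOUNTADMIN: delegate share import to a custom role so that
-- day-to-day work on the consumer side does not need ACCOUNTADMIN.
USE ROLE ACCOUNTADMIN;
CREATE ROLE IF NOT EXISTS share_consumer_role;
GRANT IMPORT SHARE ON ACCOUNT TO ROLE share_consumer_role;
GRANT ROLE share_consumer_role TO ROLE SYSADMIN;   -- keep the custom role inside the hierarchy

-- Step 1: confirm the share actually arrived. A role without IMPORT SHARE gets an
-- empty list here, which is the usual reason "nothing shows up" on the consumer side.
USE ROLE share_consumer_role;
SHOW SHARES;
SELECT "kind", "name", "owner"
  FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
 WHERE "kind" = 'INBOUND';

-- Step 2: an inbound share is not queryable until a database is created from it.
CREATE DATABASE IF NOT EXISTS shared_my_db
  FROM SHARE <provider_account_locator>.my_db_my_schema_my_table;

-- Step 3: hand read access to the people who need it. A shared database takes a
-- single IMPORTED PRIVILEGES grant instead of per-object grants.
GRANT IMPORTED PRIVILEGES ON DATABASE shared_my_db TO ROLE analyst_role;

-- Step 4: verify as the role that will actually read the data.
USE ROLE analyst_role;
USE WAREHOUSE reporting_wh;
SELECT COUNT(*) FROM shared_my_db.my_schema.my_table;
```

If step 1 returns no INBOUND row, the problem is on the provider side (wrong account identifier in ALTER SHARE ... ADD ACCOUNTS, or a different region); if it returns the row but the data is not visible, steps 2 and 3 are what is missing.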
Related
I would like a new role which can query Snowflake account usage. Currently only Account Admin has this privilege, and I don't want to assign Account Admin to the required users.
The IMPORTED PRIVILEGES grant would allow a non-admin role access to the SNOWFLAKE.ACCOUNT_USAGE schemas (docs). There is also a MONITOR USAGE global grant which allows similar billing and usage monitoring but through information_schema functions instead. See the documentation here -- the table in particular helps explain the differences between these two options.
These are some of the more common built-in grant options for a billing-monitoring role, but if you need a more custom solution, you can always create some custom SQL (perhaps stored procedure and task for maintenance) that copies only the desired admin results from ACCOUNT_USAGE to a custom table/view. Then you can grant access to that custom object to your non-admins.
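The three options from the answer above (IMPORTED PRIVILEGES, MONITOR USAGE, and a curated copy maintained by a task) as one added example; this is not code from the original answer. It assumes a role named usage_monitor, a database admin_reports, a warehouse monitor_wh, and a placeholder <user_name>.

```sql
-- Added example, not from the original answer. Assumed names: usage_monitor (role),
-- admin_reports (database), monitor_wh (warehouse) and <user_name> (placeholder).
USE ROLE ACCOUNTADMIN;
CREATE ROLE IF NOT EXISTS usage_monitor;

-- Option A: read the SNOWFLAKE.ACCOUNT_USAGE views directly.
GRANT IMPORTED PRIVILEGES ON DATABASE snowflake TO ROLE usage_monitor;
-- Option B: account-level MONITOR USAGE, which unlocks the INFORMATION_SCHEMA table
-- functions (e.g. WAREHOUSE_METERING_HISTORY) for the same kind of reporting.
GRANT MONITOR USAGE ON ACCOUNT TO ROLE usage_monitor;
-- A warehouse is still needed to run any of the queries.
GRANT USAGE ON WAREHOUSE monitor_wh TO ROLE usage_monitor;
GRANT ROLE usage_monitor TO USER <user_name>;

-- Option C: copy only the columns you want to expose into a table that ACCOUNTADMIN
-- owns and refreshes on a schedule, then grant just that table to the non-admin role.
CREATE DATABASE IF NOT EXISTS admin_reports;
CREATE TABLE IF NOT EXISTS admin_reports.public.daily_warehouse_credits (
    usage_day       DATE,
    warehouse_name  STRING,
    credits_used    NUMBER(38, 9)
);

CREATE OR REPLACE TASK admin_reports.public.refresh_daily_warehouse_credits
  WAREHOUSE = monitor_wh
  SCHEDULE  = 'USING CRON 0 6 * * * UTC'
AS
  INSERT OVERWRITE INTO admin_reports.public.daily_warehouse_credits
  SELECT DATE_TRUNC('day', start_time)::DATE, warehouse_name, SUM(credits_used)
    FROM snowflake.account_usage.warehouse_metering_history
   WHERE start_time >= DATEADD(day, -30, CURRENT_TIMESTAMP())
   GROUP BY 1, 2;
ALTER TASK admin_reports.public.refresh_daily_warehouse_credits RESUME;   -- tasks are created suspended

GRANT USAGE ON DATABASE admin_reports TO ROLE usage_monitor;
GRANT USAGE ON SCHEMA admin_reports.public TO ROLE usage_monitor;
GRANT SELECT ON TABLE admin_reports.public.daily_warehouse_credits TO ROLE usage_monitor;

-- Check from the restricted role: the ACCOUNT_USAGE view and the curated copy are both
-- readable, while the rest of the account's objects stay out of reach.
USE ROLE usage_monitor;
USE WAREHOUSE monitor_wh;
SELECT warehouse_name, SUM(credits_used) AS credits_7d
  FROM snowflake.account_usage.warehouse_metering_history
 WHERE start_time >= DATEADD(day, -7, CURRENT_TIMESTAMP())
 GROUP BY warehouse_name;
SELECT * FROM admin_reports.public.daily_warehouse_credits ORDER BY usage_day DESC;
```

Option C is the one to pick when the audience should see billing totals but not the user names, query text and IP addresses that the raw ACCOUNT_USAGE views also carry; the task runs with the privileges of its owner (ACCOUNTADMIN here), so the non-admin role never needs the SNOWFLAKE database at all.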
I'd like to list all outbound shares in my Snowflake account. I'm aware that I can use
show shares;
But per the Snowflake docs, "Executing this command using any role other than ACCOUNTADMIN returns empty results." I'd like to retrieve the list of shares from a less privileged role than ACCOUNTADMIN. How can I do this?
Note, in my case I don't have the option of setting up a job that runs as ACCOUNTADMIN to export the data from show shares to another table.
You may grant the IMPORT SHARE privilege to a non-accountadmin role; any user with the role can perform the following tasks:
View all INBOUND shares (shared by provider accounts) and create databases for the shares.
View all OUTBOUND shares owned by the role.
Details: https://docs.snowflake.com/en/user-guide/security-access-privileges-shares.html#enabling-non-accountadmin-roles-to-perform-data-sharing-tasks
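Delegating share management on the provider side, as an added example that is not part of the original answer. It assumes a role named share_admin and a placeholder <consumer_account_identifier>, reuses the database and share names from the first question, and assumes share_admin owns the shared objects (granting an object to a share requires OWNERSHIP on it or the MANAGE GRANTS privilege).

```sql
-- Provider account. Added example, not from the original answer.
-- Assumed names: share_admin (role), <consumer_account_identifier> (placeholder).
-- Assumes share_admin owns my_db and its objects; otherwise the GRANT ... TO SHARE
-- statements fail for lack of OWNERSHIP / MANAGE GRANTS.
USE ROLE ACCOUNTADMIN;
CREATE ROLE IF NOT EXISTS share_admin;
GRANT CREATE SHARE ON ACCOUNT TO ROLE share_admin;   -- may create, and therefore own, outbound shares
GRANT IMPORT SHARE ON ACCOUNT TO ROLE share_admin;   -- may list inbound shares and its own outbound shares
GRANT ROLE share_admin TO ROLE SYSADMIN;

USE ROLE share_admin;
CREATE SHARE IF NOT EXISTS my_db_my_schema_my_table;
GRANT USAGE ON DATABASE my_db TO SHARE my_db_my_schema_my_table;
GRANT USAGE ON SCHEMA my_db.my_schema TO SHARE my_db_my_schema_my_table;
GRANT SELECT ON TABLE my_db.my_schema.my_table TO SHARE my_db_my_schema_my_table;
ALTER SHARE my_db_my_schema_my_table ADD ACCOUNTS = <consumer_account_identifier>;

-- Listing: SHOW SHARES is no longer empty for this role, but it only returns the
-- outbound shares that share_admin owns. Shares owned by other roles stay invisible,
-- so a complete inventory still needs ACCOUNTADMIN or all shares owned by one role.
SHOW SHARES;
SELECT "name", "owner", "to"
  FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
 WHERE "kind" = 'OUTBOUND';

-- Review what the share exposes and to whom; worth running as a periodic access review.
SHOW GRANTS TO SHARE my_db_my_schema_my_table;   -- objects inside the share
SHOW GRANTS OF SHARE my_db_my_schema_my_table;   -- accounts the share was granted to
```

The practical consequence of "view all OUTBOUND shares owned by the role" is that if you want one non-ACCOUNTADMIN role to see every outbound share, every share has to be created by (or have its ownership transferred to) that role.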
Can we grant direct SELECT or INSERT access (without creating a role) to a user on a table?
No, you cannot. Snowflake uses Role-based Access Control (RBAC):
https://docs.snowflake.com/en/user-guide/security-access-control-overview.html#access-control-framework
Therefore, all access on a table should be granted through a role.
https://docs.snowflake.com/en/sql-reference/ddl-user-security.html#access-control-management
Of course you can use "existing roles" instead of "creating a new one".
The short answer is NO - you can only grant access to a ROLE - never directly to a USER.
In Snowflake, everything is accessed via a ROLE. See this diagram:
RBAC: USERS, ROLES and SECURABLE OBJECTS
From this article: https://www.analytics.today/blog/introducing-snowflake-rbac
In summary:
USERS are granted one or more ROLES
A ROLE is granted PRIVILEGES (for example, insert, update, delete) on SECURABLE OBJECTS (for example a TABLE or VIEW)
Even the concept of OWNERSHIP is different in Snowflake. Every USER with the same ROLE shares access to the OBJECTS. This has some unusual results.
For example:
If a USER creates a TABLE - everyone with the same ROLE has OWNERSHIP on the table.
You can read more about Snowflake RBAC on this article - which also links to another two which explain best practices on how to deploy. https://www.analytics.today/blog/introducing-snowflake-rbac
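The user/role/object mapping and the ownership behaviour described in the answer above, as an added example that is not from the original answer or the linked article. It assumes a database named sales with a table sales.public.orders, the roles sales_reader and sales_writer, and a user alice.

```sql
-- Added example, not from the original answer. Assumed names: sales database,
-- sales.public.orders table, sales_reader / sales_writer roles, user alice.

-- Roles are created and assigned by SECURITYADMIN (or any role holding CREATE ROLE / MANAGE GRANTS).
USE ROLE SECURITYADMIN;
CREATE ROLE IF NOT EXISTS sales_reader;
CREATE ROLE IF NOT EXISTS sales_writer;
GRANT ROLE sales_reader TO ROLE sales_writer;   -- hierarchy: a writer inherits everything a reader has
GRANT ROLE sales_writer TO ROLE SYSADMIN;       -- and SYSADMIN inherits both, so no role is orphaned

-- Object privileges are granted by the object owner (here SYSADMIN owns the database).
USE ROLE SYSADMIN;
GRANT USAGE ON DATABASE sales TO ROLE sales_reader;
GRANT USAGE ON SCHEMA sales.public TO ROLE sales_reader;
GRANT SELECT ON TABLE sales.public.orders TO ROLE sales_reader;
GRANT INSERT, UPDATE ON TABLE sales.public.orders TO ROLE sales_writer;
GRANT CREATE TABLE ON SCHEMA sales.public TO ROLE sales_writer;

-- The user receives the role, never the privilege: there is no
-- "GRANT SELECT ON TABLE ... TO USER alice" in Snowflake.
USE ROLE SECURITYADMIN;
GRANT ROLE sales_reader TO USER alice;

-- Verify the mapping from both sides.
SHOW GRANTS TO USER alice;                    -- which roles alice holds
SHOW GRANTS ON TABLE sales.public.orders;     -- which roles hold which privileges on the table

-- Ownership follows the role, not the user: a table created while using sales_writer
-- is owned by sales_writer, so every user who holds sales_writer can alter or drop it.
USE ROLE sales_writer;
CREATE TABLE IF NOT EXISTS sales.public.order_scratch (id INTEGER);
SHOW GRANTS ON TABLE sales.public.order_scratch;   -- OWNERSHIP is listed against ROLE SALES_WRITER
```

The last two statements are the "unusual result" the answer mentions: because ownership sits on the role, reviewing who can drop a table means reviewing who holds the owning role (SHOW GRANTS OF ROLE sales_writer), not who created it.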
While exploring Snowflake documentation on Audit Logging (user login history, object creation/deletion, query execution history etc), I found the below information.
But in my trial account, I didn't find any shared DB with the name 'SNOWFLAKE'.
Would appreciate it if someone can throw more light on this feature.
Neeraj
You need to choose the 'ACCOUNTADMIN' role in the context of your session to see that database.
You should set the ACCOUNTADMIN role in the context to access the SNOWFLAKE database.
Alternatively, as ACCOUNTADMIN, you can grant the privilege for viewing the data to other users as below:
GRANT IMPORTED PRIVILEGES ON DATABASE snowflake TO ROLE <role>; -- where <role> is an existing/new role granted to <user>
Changing the role in the right upper corner is not sufficient. You need to change the role in the context.
After that, 'SNOWFLAKE' shared DB will be visible.
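The audit-logging use case from the question (login history, object deletion, query history) run from a non-ACCOUNTADMIN role that was granted IMPORTED PRIVILEGES, as an added example that is not from the original answers. It assumes a role audit_reader, a warehouse audit_wh and a placeholder <user_name>.

```sql
-- Added example, not from the original answers. Assumed names: audit_reader (role),
-- audit_wh (warehouse), <user_name> (placeholder).
USE ROLE ACCOUNTADMIN;
CREATE ROLE IF NOT EXISTS audit_reader;
GRANT IMPORTED PRIVILEGES ON DATABASE snowflake TO ROLE audit_reader;
GRANT USAGE ON WAREHOUSE audit_wh TO ROLE audit_reader;
GRANT ROLE audit_reader TO USER <user_name>;

-- From here on no ACCOUNTADMIN is needed. ACCOUNT_USAGE views are populated with a
-- delay (typically up to a couple of hours), so they suit review, not real-time alerting.
USE ROLE audit_reader;
USE WAREHOUSE audit_wh;

-- Failed logins over the last 7 days, grouped to spot a stuck credential or password spraying.
SELECT user_name, client_ip, reported_client_type, error_message, COUNT(*) AS failures
  FROM snowflake.account_usage.login_history
 WHERE is_success = 'NO'
   AND event_timestamp >= DATEADD(day, -7, CURRENT_TIMESTAMP())
 GROUP BY 1, 2, 3, 4
 ORDER BY failures DESC;

-- Objects dropped over the last 7 days, with the user and the role that did it.
SELECT start_time, user_name, role_name, query_text
  FROM snowflake.account_usage.query_history
 WHERE query_type LIKE 'DROP%'
   AND execution_status = 'SUCCESS'
   AND start_time >= DATEADD(day, -7, CURRENT_TIMESTAMP())
 ORDER BY start_time DESC;

-- Who currently holds the most powerful roles (an active grant has no deleted_on value).
SELECT role, grantee_name, granted_by, created_on
  FROM snowflake.account_usage.grants_to_users
 WHERE role IN ('ACCOUNTADMIN', 'SECURITYADMIN')
   AND deleted_on IS NULL
 ORDER BY role, grantee_name;
```

Putting these under a dedicated audit_reader role is the point of the IMPORTED PRIVILEGES grant: the people reviewing the logs get the SNOWFLAKE database and nothing else, instead of ACCOUNTADMIN.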
I have two Snowflake accounts and need to clone or copy the databases and tables in the same region.
Solutions that I am trying to replicate:
Data Sharing Intro Reference
I read that:
"Snowflake supports using grants to provide granular access control to
selected objects (schemas, tables, secure views, and secure UDFs) in
the database (i.e., you grant access privileges for one or more
specific objects within the database)."
It sounds like I could share a UDF with the database I want to share with the account, but with read-only features. This is confirmed:
" ...but cannot perform any of the DML tasks that are allowed in a
full account (data loading, insert, update, etc.)."
Setting up one account as a provider:
USE ROLE ACCOUNTADMIN;
CREATE MANAGED ACCOUNT reader_acct1
ADMIN_NAME = user1 , ADMIN_PASSWORD = 'Sdfed43da!44' ,
TYPE = READER;
//create share
CREATE SHARE Articlelibary_share;
GRANT USAGE ON DATABASE Snapshots TO SHARE Articlelibary_share;
GRANT USAGE ON SCHEMA Snapshots.public TO SHARE Articlelibary_share;
GRANT SELECT ON TABLE Snapshots.public.Articlelibary_TEST TO SHARE Articlelibary_share;
However, I am getting an error in my worksheet that says:
SQL compilation error: Database 'SNAPSHOTS' does not exist or not
authorized.
What I have found is that when I am in the ACCOUNTADMIN role I can see the Snapshots table; however, in SYSADMIN I cannot see the Snapshots table.
So, how can I fix the Database/Table permissions so that I can add it to the share?
The activities of creating a share and allowing access to other accounts have to be performed only by ACCOUNTADMIN, and that is the reason for the error that you are seeing.
From the documentation it is very clear:
https://docs.snowflake.net/manuals/user-guide/data-sharing-gs.html#getting-started-with-secure-data-sharing
To perform the tasks described in this topic, you must use the ACCOUNTADMIN role.
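How to confirm the visibility problem from the question and finish the reader-account setup as ACCOUNTADMIN, as an added example that is not from the original question or answer. It reuses the Snapshots database and Articlelibary_share names from the question and uses <reader_locator> as a placeholder for the managed account's locator.

```sql
-- Added example, not from the original post. Uses the Snapshots database and
-- Articlelibary_share from the question; <reader_locator> is a placeholder.
USE ROLE ACCOUNTADMIN;

-- Why SYSADMIN could not see the database: visibility comes from grants, and a database
-- created while using ACCOUNTADMIN is owned by ACCOUNTADMIN with nothing granted to SYSADMIN.
SHOW GRANTS ON DATABASE Snapshots;    -- expect an OWNERSHIP row for ACCOUNTADMIN and no SYSADMIN row

-- Sharing work therefore runs as ACCOUNTADMIN, as the answer says. The managed (reader)
-- account created earlier is referenced by its locator.
SHOW MANAGED ACCOUNTS;                -- the reader account's locator is in the "locator" column
ALTER SHARE Articlelibary_share ADD ACCOUNTS = <reader_locator>;

-- Verify what the reader account can reach: exactly the objects granted to the share, read-only.
SHOW GRANTS TO SHARE Articlelibary_share;   -- USAGE on Snapshots, USAGE on Snapshots.public, SELECT on the table
SHOW GRANTS OF SHARE Articlelibary_share;   -- the reader account now appears here
```

The first SHOW GRANTS is the quick check to run whenever an object is visible under one role and "does not exist or not authorized" under another: in Snowflake that message covers both cases, and the grants listing tells you which one you are in.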