I am facing below issue .
I created a role using ACCOUNTADMIN role in SnowSQL using below command .
CREATE ROLE TASK_USER_ROLE
I can see it from SnowSQL Terminal as below
Similarly , When i query same using Snowflake WebUI i can see it as below.
But If i try to switch to TASK_USER_ROLE , I can't see that role in Snowflake Web UI context.
I tried to switch to ACCOUNTADMIN role in Snowflake UI also .but Still no luck .
Any valid reason for this?? And How can we troubleshoot this ??
Thanks In Advance .
After closely looking at below image , I came to know that even if i created the role , have not granted that role to any role . That is the reason granted_to_roles field for that role is snowing 0. So i was not able to see same role in WebUI .
So i ran "GRANT ROLE TASK_USER_ROLE TO ROLE ACCOUNTADMIN;
After That i can see this in Web Ui as below
Related
I just set up my snowflake instance to use google auth. I can log in with my google account, query tables, create roles, etc... Today I ran into an issue (two of them actually).
I run this script
SET ROLE ACCOUNTADMIN;
CREATE WAREHOUSE IF NOT EXISTS joe;
When I am logged in with my Google Account, I get the error message:
SQL access control error: Insufficient privileges to operate on account 'XXX99999'
When I am logging in with my Snowflake native account, it works. Both accounts have the ACCOUNTADMIN role and are using it.
This is all in the classic interface. When trying to switch over to Snowsight, my google account cannot login in. I click the [Authenticate with Google] and the screen refreshes, no error, but not now the button is disabled.
For the first error, the reason is that the user does not have any roles that has the privileges on the account where the operation is being done. To overcome that you need to assign the right set of roles to the user coming from Google IDP.
Please check the following documentation which details the levels for each of the database objects that requires privileges: https://docs.snowflake.com/en/sql-reference/sql/grant-privilege.html#syntax
For the second issue, which button is disabled "Snowsight" which is listed from Classic UI?
Please use the below scripts to create warehouse. You need to use role instead of set role.
use ROLE ACCOUNTADMIN; //To use accountadmin role
CREATE WAREHOUSE IF NOT EXISTS joe_wh; //to creare warehouse
To use SSO based login with Snowsight, Please migrate to advanced SAML as per
https://docs.snowflake.com/en/user-guide/admin-security-fed-auth-advanced.html#migrating-to-a-saml2-security-integration
I'm trying to add CREATE INTEGRATION ON ACCOUNT global privilege to a custom role and my role is ACCOUNTADMIN. But I'm getting "Grant not executed: Insufficient privileges." error. What am I doing wrong?
Screenshot
The role you have highlighted in red controls the role you're using for the buttons on the ribbon. It's different than the role you're using for the worksheet.
The role you're using for the worksheet is to the right, next to the "Select Warehouse" and "Select Database" options.
In this case, you're using the SECURITYADMIN role for the worksheet. You'll need to change that on the worksheet to use the ACCOUNTADMIN role there.
My recommendation is to use this syntax though to avoid ambiguity:
use role ACCOUNTADMIN;
--Do the action you need
use role SYSADMIN; -- Immediately switch away from ACCOUNTADMIN when done using it.
Think of ACCOUNTADMIN like root in Linux/Unix. Use it sparingly and get out quickly when done.
Please advice regarding below issue. I am new to Snowflake and learning and doing hands on. I created a new warehouse and database from Snowflake web-console under account admin role. I am trying to connect to SnowSQL client to stage my local files.I was able to connect successfully to SnowSQL and to new warehouse. But my new database which I created from Snowflake console is not listing in SnowSQL client. The database in console shows as accountadmin as role. So still not sure why it is not listing in SnowSQL CLI. Please advice?
Thanks,
Tanveer
Great to see you are learning Snowflake. I would suggest creating a role and then "grant role sysadmin to role yourrole. Use the same role in snowsql and you should any object created with that role. As Suzy mentioned, if the role you are using when logging into snowsql has not been granted the role of accountadmin, you will not see the tables created by accountadmin.
Thanks a lot to both of you for quick response. You both are correct. As I mentioned, in snowflake console I created the DB and tables from accountadmin role whereas in snowsql default role is sysadmin (I was unaware of this).So changed the role to sysadmin in snow sql to account admin role and it worked fine. And tried granting necessary priviliedge to sysadmin role in webconsole and that worked too. thanks a lot once again. Am closing this post.
While exploring Snowflake documentation on Audit Logging (user login history, object creation/deletion, query execution history etc), I found the below information.
But in my trail account, I didn't find any shared DB with name 'SNOWFLAKE'.
Would apreciate if someone can throw more light on this feature.
Neeraj
You need to choose the 'ACCOUNTADMIN' role in the context of your session to see that database.
You should set the ACCOUNTADMIN role in the context to access the SNOWFLAKE database.
Alternatively, As accountadmin, you can grant the privilege for viewing the data to other users as below.
Grant imported privileges on database snowflake to ; -- where is an existing/new role granted to
Changing the role in right upper corner is not sufficient. Yo uneed to change the role in the context.
After that, 'SNOWFLAKE' shared DB will be visible.
I am getting the error "SQL access control error: Insufficient privileges to operate on account 'XXXXXX'" when I try to create a role in Snowflake in order to get it connected to Segment.
I am following the Segment documentation here: https://segment.com/docs/connections/warehouses/catalog/snowflake/
And I am getting stuck when I run the command "CREATE ROLE "SEGMENT";"
Any help in how to get around this would be great. I am currently on the trial and was able to successfully create the data warehouse and database as per the segment instructions.
Thanks to Greg in the comments:
"An easy way to remember it is that the upper right role is for UI actions, while the lower one sets the context for the worksheet"
1) while I had the correct profile up here
2) once I clicked this
3) I did not have the right profile in here
After switching to ACCOUNTADMIN in 3) I was able to create the role.
screenshot of how I fixed it