Listing Snowflake shares outside of the ACCOUNTADMIN role - snowflake-cloud-data-platform

I'd like to list all outbound shares in my Snowflake account. I'm aware that I can use
show shares;
But per the Snowflake docs, "Executing this command using any role other than ACCOUNTADMIN returns empty results." I'd like to retrieve the list of shares from a less privileged role than ACCOUNTADMIN. How can I do this?
Note, in my case I don't have the option of setting up a job that runs as ACCOUNTADMIN to export the data from show shares to another table.

You may grant the IMPORT SHARE privilege to a non-accountadmin role; any user with the role can then perform the following tasks:
View all INBOUND shares (shared by provider accounts) and create databases for the shares.
View all OUTBOUND shares owned by the role.
Details: https://docs.snowflake.com/en/user-guide/security-access-privileges-shares.html#enabling-non-accountadmin-roles-to-perform-data-sharing-tasks
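The setup the answer describes, as an added example (not code from the original post): a dedicated role that receives the IMPORT SHARE global privilege and then lists shares. The role name `share_auditor` and user name `alice` are assumptions.

```sql
-- Added example: listing shares from a role other than ACCOUNTADMIN.
USE ROLE ACCOUNTADMIN;

CREATE ROLE IF NOT EXISTS share_auditor
  COMMENT = 'Read-only visibility into inbound and outbound data shares';

-- IMPORT SHARE is an account-level (global) privilege, hence ON ACCOUNT.
GRANT IMPORT SHARE ON ACCOUNT TO ROLE share_auditor;

GRANT ROLE share_auditor TO USER alice;   -- assumed user name

-- Switch to the less privileged role and list shares.
-- Caveat (per the linked docs): all INBOUND shares are visible, but only the
-- OUTBOUND shares owned by this role appear, so shares created and still owned
-- by ACCOUNTADMIN will not be listed here.
USE ROLE share_auditor;
SHOW SHARES;

-- Post-process the SHOW output to keep outbound shares only.
SELECT "kind", "name", "database_name", "to", "owner"
FROM   TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE  "kind" = 'OUTBOUND';
```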

Related

Shared account unable to access the objects shared with them in snowflake

I am using the below queries to create a share and add objects to it:
CREATE SHARE IF NOT EXISTS my_db_my_schema_my_table;
GRANT USAGE ON DATABASE my_db TO SHARE my_db_my_schema_my_table;
GRANT USAGE ON SCHEMA my_db.my_schema TO SHARE my_db_my_schema_my_table;
GRANT SELECT ON TABLE my_db.my_schema.my_table TO SHARE my_db_my_schema_my_table;
Now, I am using the below query to add the accounts:
ALTER SHARE my_db_my_schema_my_table ADD ACCOUNTS=AB60942;
This works fine. No errors. Also, I can see in the share details that this account name was added under Full Accounts.
Below are my current role permissions:
However, I am not able to see anything under the other account. What exactly am I missing here?
P.S.: I am trying to refrain from using the accountadmin role.
You must use the ACCOUNTADMIN role (or a role granted the IMPORT SHARES global privilege) to perform these tasks:
Do you see your shares in the available /inbound shares on the consumer account?
show shares;
Have you created a database from the share on the consumer account?
https://docs.snowflake.com/en/user-guide/data-share-consumers.html#creating-a-database-from-a-share
Are your consumer and the main account in the same region? If they are in different regions, follow this document: https://docs.snowflake.com/en/user-guide/secure-data-sharing-across-regions-plaforms.html

Roles on Snowflake - I do not want to see all databases

I want to create a role on Snowflake limited only to one database and one schema and give it read access on all tables.
I create a role, grant:
grant usage on database1,
grant usage on database1.schema1,
grant select on all tables in database1.schema1,
and I grant usage and operate on warehouse1.
However, in addition to this I am also seeing other databases and other schemas with this role, despite no grants having been added; there is also an additional warehouse besides warehouse1.
How can I limit access with this role and not see things that appear as default
'databases' even for roles with no grants?
Regards
P
You will be able to find out what the role can and cannot do.
Check which users and/or roles have been granted the role:
show grants of role ;
Then check what privileges were given to the role:
show grants to role ;
All the users are granted the PUBLIC role. Hence, never grant any privileges to the PUBLIC role, as this simply means giving the whole world access to a database, schema and tables/views etc.
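The scoped read-only role from the question, built the way the answer suggests and then audited with the two SHOW GRANTS commands, as an added example (not code from the original answer). It assumes SECURITYADMIN is used to manage grants and that `schema1_reader` and `some_other_db` are placeholder names; it also covers future tables, which the ON ALL grant alone does not.

```sql
-- Added example: least-privilege reader limited to database1.schema1.
USE ROLE SECURITYADMIN;   -- holds MANAGE GRANTS; assumption about your setup
CREATE ROLE IF NOT EXISTS schema1_reader;

GRANT USAGE   ON WAREHOUSE warehouse1 TO ROLE schema1_reader;
GRANT OPERATE ON WAREHOUSE warehouse1 TO ROLE schema1_reader;
GRANT USAGE   ON DATABASE  database1  TO ROLE schema1_reader;
GRANT USAGE   ON SCHEMA    database1.schema1 TO ROLE schema1_reader;

-- ON ALL covers tables that exist now; ON FUTURE covers tables created later.
GRANT SELECT ON ALL    TABLES IN SCHEMA database1.schema1 TO ROLE schema1_reader;
GRANT SELECT ON FUTURE TABLES IN SCHEMA database1.schema1 TO ROLE schema1_reader;

-- Audit: what the role holds, and who holds the role.
SHOW GRANTS TO ROLE schema1_reader;
SHOW GRANTS OF ROLE schema1_reader;

-- Every user has PUBLIC, so objects that "appear by default" for a role with
-- no grants of its own are usually granted to PUBLIC. Inspect and revoke.
SHOW GRANTS TO ROLE PUBLIC;
REVOKE USAGE ON DATABASE some_other_db FROM ROLE PUBLIC;   -- placeholder name
```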

new role which can query snowflake account usage, without account admin role

I would like a new role which can query Snowflake account usage. Currently only Account Admin has this privilege, and I don't want to assign Account Admin to the required users.
The IMPORTED PRIVILEGES grant would allow a non-admin role access to the SNOWFLAKE.ACCOUNT_USAGE schemas (docs). There is also a MONITOR USAGE global grant which allows similar billing and usage monitoring but through information_schema functions instead. See the documentation here -- particularly the table is helpful to explain the differences between these two options.
These are some of the more common built-in grant options for a billing-monitoring role, but if you need a more custom solution, you can always create some custom SQL (perhaps stored procedure and task for maintenance) that copies only the desired admin results from ACCOUNT_USAGE to a custom table/view. Then you can grant access to that custom object to your non-admins.
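The "custom SQL" option from the answer's second paragraph, as an added example (not code from the original answer): a scheduled task, owned by ACCOUNTADMIN, copies only the needed ACCOUNT_USAGE columns into a curated table, and a non-admin role is granted that table alone. Database, warehouse and role names (`usage_reports`, `admin_wh`, `reporting_wh`, `billing_viewer`) are assumptions.

```sql
-- Added example: curated copy of ACCOUNT_USAGE for non-admin consumption.
USE ROLE ACCOUNTADMIN;
CREATE DATABASE IF NOT EXISTS usage_reports;
CREATE SCHEMA   IF NOT EXISTS usage_reports.curated;

-- Only the columns non-admins need: no query text, no user details.
CREATE TABLE IF NOT EXISTS usage_reports.curated.warehouse_credits (
  start_time     TIMESTAMP_LTZ,
  warehouse_name STRING,
  credits_used   NUMBER(38, 9),
  loaded_at      TIMESTAMP_LTZ DEFAULT CURRENT_TIMESTAMP()
);

-- The task runs with its owner's (ACCOUNTADMIN) privileges, so the consuming
-- role never needs ACCOUNT_USAGE access itself. ACCOUNT_USAGE has some hours
-- of latency, so a daily incremental load is adequate for billing reports.
CREATE OR REPLACE TASK usage_reports.curated.refresh_warehouse_credits
  WAREHOUSE = admin_wh                           -- assumed warehouse name
  SCHEDULE  = 'USING CRON 0 6 * * * UTC'
AS
  INSERT INTO usage_reports.curated.warehouse_credits
         (start_time, warehouse_name, credits_used)
  SELECT start_time, warehouse_name, credits_used
  FROM   snowflake.account_usage.warehouse_metering_history
  WHERE  start_time > (SELECT COALESCE(MAX(start_time),
                                       TO_TIMESTAMP_LTZ('1970-01-01'))
                       FROM   usage_reports.curated.warehouse_credits);

-- Tasks are created suspended; resume to start the schedule.
ALTER TASK usage_reports.curated.refresh_warehouse_credits RESUME;

-- Expose the curated table, and nothing else, to the non-admin role.
CREATE ROLE IF NOT EXISTS billing_viewer;
GRANT USAGE  ON DATABASE  usage_reports         TO ROLE billing_viewer;
GRANT USAGE  ON SCHEMA    usage_reports.curated TO ROLE billing_viewer;
GRANT SELECT ON TABLE     usage_reports.curated.warehouse_credits
                                                TO ROLE billing_viewer;
GRANT USAGE  ON WAREHOUSE reporting_wh          TO ROLE billing_viewer;  -- assumed
```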

How to grant non-admin users to see full login history in Snowflake

I am new to Snowflake. As a DBA I got ACCOUNTADMIN access to start with. I have granted read access on information_schema.login_history and information_schema.query_history to our security application user, via a role.
The user is able to log in and query the above views. However, the account is not able to see all rows when querying the above views. It only returns the login history of that user and the query history of that user. I tested it from my end, switching role from ACCOUNTADMIN to the read role I have created, and I see the same thing.
Can anyone tell me what privileges I need to grant the role, so anyone using that role can see all login history?
There are two places where you can see login history -- in the Account Usage view or using the Information Schema table functions. The documentation here explains the differences.
After reviewing the differences, many customers will opt for giving non-admins access to Account_Usage views for auditing purposes. The grants needed for this are mentioned in the documentation here.
However, if you prefer giving the non-admin role access to the Information_Schema login_history table function, you may need to give a MONITOR grant on each desired user to this role as per the article here.
You need to grant monitor privileges to said role:
grant monitor usage on account to role custom;
This information can be accessed/viewed only by account administrators. To enable users who are not account administrators to access/view this information, Snowflake provides the global MONITOR USAGE privilege. Granting the MONITOR USAGE privilege to a role allows all users who are granted the role to access this historical/usage information.
In addition, with this privilege, the SHOW DATABASES and SHOW WAREHOUSES commands return the lists of all databases and warehouses in the account, respectively, regardless of other privilege grants.
Ref: https://docs.snowflake.com/en/user-guide/security-access-control-configure.html#enabling-non-account-administrators-to-monitor-usage-and-billing-history
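The two routes the answers describe for a non-admin audit role, as an added example (not code from the original answers): Account Usage via IMPORTED PRIVILEGES, which returns all users' logins, and the Information Schema table function, which needs MONITOR on each user whose logins the role should see. The role `security_auditor`, users `secapp` and `bob`, and warehouse `audit_wh` are assumptions.

```sql
-- Added example: letting a non-admin role review login history.
USE ROLE ACCOUNTADMIN;
CREATE ROLE IF NOT EXISTS security_auditor;
GRANT USAGE ON WAREHOUSE audit_wh TO ROLE security_auditor;   -- assumed name
GRANT ROLE security_auditor TO USER secapp;                   -- assumed name

-- Option 1: Account Usage views. One grant unlocks all SNOWFLAKE.ACCOUNT_USAGE
-- views; data covers every user, with some latency and a long retention.
GRANT IMPORTED PRIVILEGES ON DATABASE snowflake TO ROLE security_auditor;

USE ROLE security_auditor;
-- Detection query: users and source IPs with repeated failed logins (24h).
SELECT user_name,
       client_ip,
       COUNT(*)             AS failures,
       MIN(event_timestamp) AS first_seen,
       MAX(event_timestamp) AS last_seen
FROM   snowflake.account_usage.login_history
WHERE  is_success = 'NO'
  AND  event_timestamp >= DATEADD('hour', -24, CURRENT_TIMESTAMP())
GROUP BY user_name, client_ip
HAVING COUNT(*) >= 5
ORDER BY failures DESC;

-- Option 2: Information Schema table function (short retention, no latency).
-- Without MONITOR on a user, the role only sees its own logins.
USE ROLE ACCOUNTADMIN;
GRANT MONITOR ON USER bob TO ROLE security_auditor;   -- repeat per user

USE ROLE security_auditor;
SELECT event_timestamp, user_name, client_ip, is_success, error_message
FROM   TABLE(information_schema.login_history_by_user(
                 USER_NAME        => 'BOB',
                 TIME_RANGE_START => DATEADD('hour', -24, CURRENT_TIMESTAMP())));
```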

Troubleshoot permissions on a database I am trying to share across two snowflake accounts for same region

I have two Snowflake accounts and need to clone or copy the databases and tables in the same region.
Solutions that I am trying to replicate:
Data Sharing Intro Reference
I read that:
"Snowflake supports using grants to provide granular access control to selected objects (schemas, tables, secure views, and secure UDFs) in the database (i.e., you grant access privileges for one or more specific objects within the database)."
It sounds like I could share a UDF with the database I want to share with the account, but read only features. This is confirmed:
"...but cannot perform any of the DML tasks that are allowed in a full account (data loading, insert, update, etc.)."
Setting up one account as a provider:
USE ROLE ACCOUNTADMIN;
CREATE MANAGED ACCOUNT reader_acct1
ADMIN_NAME = user1 , ADMIN_PASSWORD = 'Sdfed43da!44' ,
TYPE = READER;
//create share
CREATE SHARE Articlelibary_share;
GRANT USAGE ON DATABASE Snapshots TO SHARE Articlelibary_share;
GRANT USAGE ON SCHEMA Snapshots.public TO SHARE Articlelibary_share;
GRANT SELECT ON TABLE Snapshots.public.Articlelibary_TEST TO SHARE Articlelibary_share;
However, I am getting an error in my worksheet that says:
SQL compilation error: Database 'SNAPSHOTS' does not exist or not authorized.
What I have found is that when I am in the ACCOUNTADMIN role I can see the Snapshots table; however, in the SYSADMIN role I cannot see the Snapshots table.
So, how can I fix the Database/Table permissions so that I can add it to the share?
The activities of creating a share and allowing access to other accounts have to be performed only by the ACCOUNTADMIN, and that is the reason for the error that you are seeing.
From the documentation it is very clear:
https://docs.snowflake.net/manuals/user-guide/data-sharing-gs.html#getting-started-with-secure-data-sharing
To perform the tasks described in this topic, you must use the ACCOUNTADMIN role.