Secure Data Sharing with Snowflake Roles
In Snowflake, securing data and sharing it across different business units or with external consumers can be achieved through the creation of roles with specific access privileges. These roles can then be used to grant selective access to various Snowflake resources such as databases, schemas, tables, or even usage of warehouses.

Snowflake roles operate at different levels of hierarchy, where roles can be granted to other roles, allowing for flexible access control structures. The `snowflake.Role` resource allows you to create a role, while other resources like `snowflake.DatabaseGrant`, `snowflake.SchemaGrant`, and `snowflake.Share` can be used to grant the newly created role access to databases and schemas, and to share data, respectively.

Below is a Pulumi program written in Python that demonstrates how you can create a role in Snowflake, then grant it permissions to access a database, and share data.
```python
import pulumi
import pulumi_snowflake as snowflake

# Create a new Snowflake role.
my_role = snowflake.Role("MyRole",
    name="my_custom_role",
    comment="A custom role for data sharing"
)

# Assume that there's an existing database called "my_database" for this example.
# Grant the new role USAGE privilege on the database.
database_grant = snowflake.DatabaseGrant("MyDatabaseGrant",
    database_name="my_database",  # The name of the existing database.
    roles=[my_role.name],         # The role you want to grant privileges to.
    privilege="USAGE"             # The minimal privilege for a role to be able to access the database.
)

# Assume that there's an existing schema called "public" within "my_database".
# Grant the new role USAGE privilege on the schema.
schema_grant = snowflake.SchemaGrant("MySchemaGrant",
    database_name="my_database",
    schema_name="public",         # The name of the existing schema.
    roles=[my_role.name],
    privilege="USAGE"
)

# To share data with another account, create a Snowflake share.
# The share exposes nothing by itself: database, schema and table
# privileges still have to be granted to it separately.
data_share = snowflake.Share("MyDataShare",
    name="my_data_share",
    accounts=["12345678"],        # Account to share data with (use the correct account identifier).
    comment="Data share for cross-account access"
)

# Export the role name to access it outside of Pulumi.
pulumi.export("role_name", my_role.name)

# Export the database and schema privilege grants.
pulumi.export("database_grant_id", database_grant.id)
pulumi.export("schema_grant_id", schema_grant.id)

# Export the data share name.
pulumi.export("data_share_name", data_share.name)
```
In this Pulumi program:

- A new role called `my_custom_role` is created for the purpose of data sharing.
- The role is granted 'USAGE' privilege on an existing database named `my_database`. Note that you need to replace `"my_database"` with the actual name of your database.
- The role is also granted 'USAGE' privilege on an existing schema within the database. Here, the schema is assumed to be the `public` schema. Replace it with the actual schema name if different.
- A Snowflake share is created to share data with another account. The `accounts` argument takes a list of account identifiers. Replace `"12345678"` with the actual identifier(s) of the account(s) you want to share data with.
- We then export various resource identifiers, which can be used to reference or manage these resources outside of Pulumi.
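To see what the program actually authorizes, and what it leaves out, here is the equivalent Snowflake SQL as an added example (not part of the original program). It goes one step further than the Pulumi code: a share is created empty and exposes nothing until objects are granted to it, so the share-side grants are shown too. The table `orders` and the account identifier `CONSUMER_ORG.CONSUMER_ACCOUNT` are hypothetical placeholders.

```sql
-- Role and its least-privilege grants, as the Pulumi program creates them.
CREATE ROLE IF NOT EXISTS my_custom_role COMMENT = 'A custom role for data sharing';
GRANT USAGE ON DATABASE my_database TO ROLE my_custom_role;
GRANT USAGE ON SCHEMA my_database.public TO ROLE my_custom_role;
-- USAGE only lets the role see the containers; reading a table needs SELECT on it.
GRANT SELECT ON TABLE my_database.public.orders TO ROLE my_custom_role;  -- hypothetical table

-- The share: created empty, then granted exactly the objects the consumer may read.
-- (The Pulumi program stops after CREATE SHARE; its DatabaseGrant/TableGrant
--  resources accept a `shares` list for these grants.)
CREATE SHARE IF NOT EXISTS my_data_share COMMENT = 'Data share for cross-account access';
GRANT USAGE ON DATABASE my_database TO SHARE my_data_share;
GRANT USAGE ON SCHEMA my_database.public TO SHARE my_data_share;
GRANT SELECT ON TABLE my_database.public.orders TO SHARE my_data_share;

-- Attach the consumer account only after the grant set has been reviewed.
ALTER SHARE my_data_share ADD ACCOUNTS = CONSUMER_ORG.CONSUMER_ACCOUNT;  -- placeholder identifier

-- Verification: review what is exposed, and to whom, after `pulumi up`.
SHOW GRANTS TO ROLE my_custom_role;      -- privileges the role holds
SHOW GRANTS TO SHARE my_data_share;      -- objects the share exposes
SHOW GRANTS OF SHARE my_data_share;      -- accounts consuming the share
```

The two `SHOW GRANTS TO` statements are the check worth running before adding any account: every object they list is readable by that account's users.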
After running this program with the Pulumi CLI, the resulting state will include a new role created in your Snowflake account with the necessary privileges to access the specified database and schema, and you will have a share set up for secure data sharing with another Snowflake account. Use `pulumi up` to apply the changes and create the resources in your Snowflake account.

Remember to replace placeholder values like `my_database`, `public`, and `12345678` with actual values from your Snowflake environment. Also, you'll need to have the Snowflake provider configured with credentials that have permissions to create roles and grants in your Snowflake account.