Snowflake

Suggest Edits

Create read-only user

Create a dedicated Teleskope user with a default warehouse set.
For each snowflake warehouse and database, grant the Teleskope user read only access.

Teleskope also needs read access to the accounts_usage schemas to determine when a data asset was last used.

use role ACCOUNTADMIN;

set role =teleskope_role;
set user =teleskope;
set password ='{password}';

create role if not exists identifier($role);

set warehouse ='{warehouse}';

--for each database
set database ='{database}';

grant usage on warehouse identifier($warehouse) to role identifier($role);
grant usage on database identifier($database) to role identifier($role);    
grant usage on all schemas in database identifier($database) to role identifier($role);
grant usage on future schemas in database identifier($database) to role identifier($role);
grant select on future tables in database identifier($database) to role identifier($role);
grant select on all tables in database identifier($database) to role identifier($role);                           
grant select on future views in database identifier($database) to role identifier($role);         
grant select on all views in database identifier($database) to role identifier($role); 
          
create user identifier($user) 
  password = $password
  default_warehouse = $warehouse
  default_role = $role
  comment ='Teleskope read only user';

grant role identifier($role) to user identifier($user);

Create read-write user

If enrolling in the dsr funcionality, create a dedicated read/write Teleskope user.

For each snowflake warehouse and database, grant the Teleskope user access.

use role ACCOUNTADMIN;

set role ='teleskope_role';
set user ='teleskope';
set password ='{password}';

create role if not exists identifier($role);

set warehouse ='{warehouse}';

-- for database

set database ='{database}';

grant usage on warehouse identifier($warehouse) to role identifier($role);
grant usage on database identifier($database) to role identifier($role);    
grant usage on all schemas in database identifier($database) to role identifier($role);
grant usage on future schemas in database identifier($database) to role identifier($role);
grant select, delete on future tables in database identifier($database) to role identifier($role);
grant select, delete on all tables in database identifier($database) to role identifier($role);                           
grant select, delete on future views in database identifier($database) to role identifier($role);         
grant select, delete  on all views in database identifier($database) to role identifier($role); 
          
create user identifier($user) 
  password = $password
  default_warehouse = $warehouse
  default_role = $role
  comment ='Teleskope read only user';

grant role identifier($role) to user identifier($user);

Updated about 1 month ago