Snowflake Native App

Required Post-Installation Setup: Granting Necessary Permissions

After successfully installing the starlake_app, you must execute a set of GRANT commands. These steps are essential to allow the application to perform its required functions within your Snowflake environment.

Why These Grants Are Necessary

The starlake_app is designed to operate securely within Snowflake. By default, applications installed from the Snowflake Marketplace have limited permissions.

These GRANT ... TO APPLICATION starlake_app commands do not give the application new, permanent, or excessive rights to your account. Instead, they activate a feature in Snowflake called caller's rights.

The Caller's Rights Principle

The application runs using the privileges of the user who calls it (the "caller"). These GRANT statements are simply delegating specific rights that you already possess (as the calling user) to the application itself.

  • You maintain control: The application can only perform actions that the calling user is already authorized to do.

  • No elevated privileges: The application doesn't gain any rights beyond what the caller has; it just acts on your behalf.

  • Essential functionality: The application needs these delegated rights to create, manage, and interact with the data and resources it is designed to manage (like creating databases, running tasks, or reading data).

Security Reassurance

These grants are secure and do not give the application any new rights to your data that you do not already possess as the user.

The entire mechanism is built on Snowflake's Native App framework to ensure that:

  1. Access is Inherited: The app's access is limited by the calling (connected) user's existing permissions. If you can't access a table, the app running on your behalf can't access it either.

  2. No Permanent Privilege Escalation: The app cannot permanently grant itself, or any other user, higher privileges than the calling (connected) user possesses.

By executing these commands, you are simply enabling the starlake_app to operate within the constraints of each user's existing permissions.

Breakdown of the Commands

The required commands can be categorized by the type of permission they delegate:

1. Account-Level Operational Rights

These grants allow the application to manage fundamental Snowflake objects and execute necessary processes.

| Command | Purpose |
| --- | --- |
| GRANT CALLER CREATE DATABASE ON ACCOUNT TO APPLICATION starlake_app; | Allows the app to create new databases within your account, a core requirement for setting up its environment. |
| GRANT CALLER EXECUTE TASK ON ACCOUNT TO APPLICATION starlake_app; | Permits the app to run scheduled tasks for data processing or maintenance jobs. |
| GRANT CALLER EXECUTE MANAGED TASK ON ACCOUNT TO APPLICATION starlake_app; | Same as the above, specifically for Managed Tasks, which are critical for automatic, scheduled data pipelines. |
| GRANT CALLER READ SESSION ON ACCOUNT TO APPLICATION starlake_app; | Allows the app to read session-specific information, which is often needed for logging or dynamic runtime adjustments. |

2. General Data Interaction Rights (Inherited Privileges)

These grants are the most critical for data processing. They allow the application to interact with your data by inheriting the privileges of the calling user on various data objects.

The INHERITED CALLER PRIVILEGES keywords are the key: they ensure the application can view, query, or modify objects only if the calling user can.

Option A: Broad Inherited Privileges (All Objects in Account)

| Command | Purpose |
| --- | --- |
| GRANT ALL INHERITED CALLER PRIVILEGES ON ALL DATABASES IN ACCOUNT ... | Delegates the caller's rights to interact with all databases. |
| GRANT ALL INHERITED CALLER PRIVILEGES ON ALL SCHEMAS IN ACCOUNT ... | Delegates the caller's rights to interact with all schemas. |
| GRANT ALL INHERITED CALLER PRIVILEGES ON ALL TABLES IN ACCOUNT ... | Delegates the caller's rights to interact with all tables. |
| GRANT ALL INHERITED CALLER PRIVILEGES ON ALL VIEWS IN ACCOUNT ... | Delegates the caller's rights to interact with all views. |
| GRANT ALL INHERITED CALLER PRIVILEGES ON ALL FUNCTIONS ... | Delegates the caller's rights to execute all user-defined functions. |
| GRANT ALL INHERITED CALLER PRIVILEGES ON ALL PROCEDURES ... | Delegates the caller's rights to execute all stored procedures. |

Option B: Restricted Database Access

To limit the application's data access capabilities to only the DEV_DATABASE, you must execute the following modified commands. This is the preferred approach for applications that only require access to a specific "trust boundary."

The following grants replace IN ACCOUNT with IN DATABASE DEV_DATABASE and also explicitly grant the necessary USAGE on the database itself.

| Command | Privilege Delegated | Effect |
| --- | --- | --- |
| GRANT CALLER USAGE ON DATABASE DEV_DATABASE TO APPLICATION starlake_app; | Grants the app permission to access the specified database. | Establishes the boundary: The app cannot access other databases. |
| GRANT ALL INHERITED CALLER PRIVILEGES ON ALL SCHEMAS IN DATABASE DEV_DATABASE TO APPLICATION starlake_app; | Delegates all privileges on all current and future schemas within DEV_DATABASE. | Allows the app to see and use schemas only within this database. |
| GRANT ALL INHERITED CALLER PRIVILEGES ON ALL TABLES IN DATABASE DEV_DATABASE TO APPLICATION starlake_app; | Delegates all privileges on all current and future tables within DEV_DATABASE. | Allows SELECT, INSERT, etc., only on tables in this database. |
| GRANT ALL INHERITED CALLER PRIVILEGES ON ALL VIEWS IN DATABASE DEV_DATABASE TO APPLICATION starlake_app; | Delegates all privileges on all current and future views within DEV_DATABASE. | Allows access to views only in this database. |
| GRANT INHERITED CALLER OWNERSHIP ON ALL TABLES IN DATABASE DEV_DATABASE TO APPLICATION starlake_app; | Delegates ownership rights on all current and future tables within DEV_DATABASE. | Allows the app to manage (DROP, ALTER) tables only in this database. |
| GRANT INHERITED CALLER OWNERSHIP ON ALL SCHEMAS IN DATABASE DEV_DATABASE TO APPLICATION starlake_app; | Delegates ownership rights on all current and future schemas within DEV_DATABASE. | Allows the app to manage (DROP, ALTER) schemas only in this database. |

3. Warehouse Usage and Ownership

| Command | Purpose |
| --- | --- |
| GRANT CALLER USAGE ON WAREHOUSE COMPUTE_WH TO APPLICATION starlake_app; | Grants the app permission to use the specified warehouse (COMPUTE_WH) to run its data processing queries. Billing for this usage is tied to your account. |
| GRANT INHERITED CALLER OWNERSHIP ON ALL TABLES IN ACCOUNT ... | Allows the application to act as the owner for tables it manages or creates. This is often required for the application to be able to DROP (delete), alter, or fully manage its own objects. |
| GRANT INHERITED CALLER OWNERSHIP ON ALL SCHEMAS IN ACCOUNT ... | Allows the application to act as the owner for schemas it manages or creates, for similar reasons as tables (e.g., dropping or altering). |
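
Moving an installation from the account-wide grants (Option A) to the DEV_DATABASE boundary (Option B), then listing what the application actually holds. This is an added example, not part of the starlake_app documentation. The REVOKE and SHOW CALLER GRANTS statements do not appear on this page: they are assumed to mirror the GRANT forms above, and the revoke list assumes the grants were made with the IN ACCOUNT scope shown in the tables.

```sql
-- Added example, not taken from the starlake_app documentation.
-- starlake_app, DEV_DATABASE and COMPUTE_WH are the names used on this page.
-- Assumption: REVOKE ... FROM APPLICATION mirrors the GRANT forms shown above.

-- 1. Withdraw the account-wide delegations (Option A and the IN ACCOUNT ownership grants).
REVOKE ALL INHERITED CALLER PRIVILEGES ON ALL DATABASES IN ACCOUNT FROM APPLICATION starlake_app;
REVOKE ALL INHERITED CALLER PRIVILEGES ON ALL SCHEMAS IN ACCOUNT FROM APPLICATION starlake_app;
REVOKE ALL INHERITED CALLER PRIVILEGES ON ALL TABLES IN ACCOUNT FROM APPLICATION starlake_app;
REVOKE ALL INHERITED CALLER PRIVILEGES ON ALL VIEWS IN ACCOUNT FROM APPLICATION starlake_app;
REVOKE INHERITED CALLER OWNERSHIP ON ALL TABLES IN ACCOUNT FROM APPLICATION starlake_app;
REVOKE INHERITED CALLER OWNERSHIP ON ALL SCHEMAS IN ACCOUNT FROM APPLICATION starlake_app;
-- The FUNCTIONS and PROCEDURES grants are elided on this page: revoke them
-- with the same scope that was used when granting them.

-- 2. Keep the account-level operational rights and the warehouse grant.
GRANT CALLER CREATE DATABASE ON ACCOUNT TO APPLICATION starlake_app;
GRANT CALLER EXECUTE TASK ON ACCOUNT TO APPLICATION starlake_app;
GRANT CALLER EXECUTE MANAGED TASK ON ACCOUNT TO APPLICATION starlake_app;
GRANT CALLER READ SESSION ON ACCOUNT TO APPLICATION starlake_app;
GRANT CALLER USAGE ON WAREHOUSE COMPUTE_WH TO APPLICATION starlake_app;

-- 3. Re-delegate data access inside the DEV_DATABASE boundary only (Option B).
GRANT CALLER USAGE ON DATABASE DEV_DATABASE TO APPLICATION starlake_app;
GRANT ALL INHERITED CALLER PRIVILEGES ON ALL SCHEMAS IN DATABASE DEV_DATABASE TO APPLICATION starlake_app;
GRANT ALL INHERITED CALLER PRIVILEGES ON ALL TABLES IN DATABASE DEV_DATABASE TO APPLICATION starlake_app;
GRANT ALL INHERITED CALLER PRIVILEGES ON ALL VIEWS IN DATABASE DEV_DATABASE TO APPLICATION starlake_app;
GRANT INHERITED CALLER OWNERSHIP ON ALL TABLES IN DATABASE DEV_DATABASE TO APPLICATION starlake_app;
GRANT INHERITED CALLER OWNERSHIP ON ALL SCHEMAS IN DATABASE DEV_DATABASE TO APPLICATION starlake_app;

-- 4. Audit: list every caller grant the application now holds.
--    Expected data scope: DEV_DATABASE only. Any remaining row scoped to the
--    whole account for schemas, tables or views means step 1 was incomplete.
SHOW CALLER GRANTS TO APPLICATION starlake_app;
```

Re-run the audit statement after each application upgrade or permission change and compare the output with the previous run, so that a widened scope is noticed.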