SnowDDL
  • 👋Introduction
  • 🚩Getting started
  • 📋Main features
  • 🪤SnowDDL vs. Declarative DCM
  • In-depth guides
    • 👓Object identifiers
    • 📐Data types
    • 📦Object types
    • 🎭Role hierarchy
    • 🚧Permission model
    • 🔦Other guides
      • Administration user
      • Integrations
      • Inbound shares
      • Object OWNERSHIP
      • Safe & unsafe DDL
      • Dependency management
      • Short hash explained
      • Env Prefix explained
      • Team workflow
      • Limitations & workarounds
      • Fivetran
      • Airbyte
      • Encrypt user passwords
      • Iceberg Tables
  • Basic usage (CLI + YAML)
    • 💻CLI interface
    • 📦YAML configs
      • ACCOUNT PARAMETER
      • ACCOUNT POLICY
      • AGGREGATION POLICY
      • ALERT
      • AUTHENTICATION POLICY
      • BUSINESS ROLE
      • DATABASE
      • DYNAMIC TABLE
      • EVENT TABLE
      • EXTERNAL ACCESS INTEGRATION
      • EXTERNAL FUNCTION
      • EXTERNAL TABLE
      • FILE FORMAT
      • FUNCTION
      • HYBRID TABLE
      • ICEBERG TABLE
      • MASKING POLICY
      • MATERIALIZED VIEW
      • NETWORK POLICY
      • NETWORK RULE
      • PERMISSION MODEL
      • PIPE
      • PLACEHOLDER
      • PROCEDURE
      • PROJECTION POLICY
      • RESOURCE MONITOR
      • ROW ACCESS POLICY
      • SCHEMA
      • SECRET
      • SEQUENCE
      • SHARE (outbound)
      • STAGE
      • STAGE FILE
      • STREAM
      • TABLE
      • TASK
      • TECHNICAL ROLE
      • USER
      • VIEW
      • WAREHOUSE
    • 🏷️YAML placeholders
    • 📬YAML tag !include
    • 🔐YAML tag !decrypt
  • Single DB
    • 🦀Overview
  • Advanced usage (Python)
    • ⚙️Programmatic config
    • 🐍Architecture overview
      • 🔵Blueprints
      • 🟣Config
      • 🟠Parsers
      • 🟢Resolvers
      • 🔴Engine
    • 🏗️Query builder & formatter
  • Breaking changes log
    • 0.45.0 - March 2025
    • 0.41.0 - January 2025
    • 0.37.0 - December 2024
    • 0.36.0 - November 2024
    • 0.33.0 - October 2024
    • 0.27.0 - May 2024
  • Links
    • GitHub repository
    • PyPI package
    • YouTube tutorials
    • Changelog
    • LinkedIn profile
Powered by GitBook
On this page
  • 1) Role with SYSADMIN + SECURITYADMIN
  • 2) Role with ACCOUNTADMIN
  • Administration WAREHOUSE
  • Shares
  1. In-depth guides
  2. Other guides

Administration user

PreviousOther guidesNextIntegrations

Last updated 2 months ago

Administration permissions in Snowflake is a .

SnowDDL suggests two main options to set up the admin user, each having its own pros and cons.

1) Role with SYSADMIN + SECURITYADMIN

Create a dedicated USER and ROLE for SnowDDL. Grant roles SYSADMIN and SECURITYADMIN to it.

USE ROLE ACCOUNTADMIN;

CREATE ROLE SNOWDDL_ADMIN;

GRANT ROLE SYSADMIN TO ROLE SNOWDDL_ADMIN;
GRANT ROLE SECURITYADMIN TO ROLE SNOWDDL_ADMIN;

CREATE USER SNOWDDL
TYPE = SERVICE
RSA_PUBLIC_KEY = '<rsa_public_key>'
DEFAULT_ROLE = SNOWDDL_ADMIN;

GRANT ROLE SNOWDDL_ADMIN TO USER SNOWDDL;
GRANT ROLE SNOWDDL_ADMIN TO ROLE ACCOUNTADMIN;

Pros:

  • SnowDDL will only manage objects created by SNOWDDL_ADMIN role. You will be able to have other databases, warehouses, users, roles created manually or by other tools (e.g. Fivetran).

  • ACCOUNTADMIN will have full access to objects created by SNOWDDL_ADMIN.

  • SnowDDL will be able to create and alter most objects types.

Cons:

  • SnowDDL will not be able to apply changes for some object types, like ACCOUNT_PARAMETER, RESOURCE_MONITOR. But SnowDDL will be able to "suggest" changes, which can be reviewed and applied manually by user with ACCOUNTADMIN role.

2) Role with ACCOUNTADMIN

Create a dedicated USER and ROLE for SnowDDL. Grant role ACCOUNTADMIN to it.

USE ROLE ACCOUNTADMIN;

CREATE ROLE SNOWDDL_ADMIN;
GRANT ROLE ACCOUNTADMIN TO ROLE SNOWDDL_ADMIN;

CREATE USER SNOWDDL
TYPE = SERVICE
RSA_PUBLIC_KEY = '<rsa_public_key>'
DEFAULT_ROLE = SNOWDDL_ADMIN;

GRANT ROLE SNOWDDL_ADMIN TO USER SNOWDDL;

Pros:

  • SnowDDL will be able to apply changes to all object types.

  • It will be possible to manage Snowflake accounts in fully automated way, without any kind of "review" and manual application of DDL queries by humans.

Cons:

  • You may apply some unwanted changes to ACCOUNT_PARAMETER, NETWORK_POLICY or RESOURCE_MONITOR, which may cause security issues, damage your data or make you spend too much credits.

  • ACCOUNTADMIN role will no longer be an "ultimate admin" role. It is not possible to grant ACCOUNTADMIN to SNOWDDL_ADMIN and grant SNOWDDL_ADMIN to ACCOUNTADMIN at the same time due to circular dependency. ACCOUNTADMN will not be able to access objects created by SNOWDDL_ADMIN.

Do not grant ACCOUNTADMIN role directly to SNOWDDL user. It may cause SnowDDL to wipe all users and data on your account, if not configured properly. Always create a dedicated role for SnowDDL.

Administration WAREHOUSE

SnowDDL does not require an active warehouse for most operations. But a very few use cases still require an active warehouse, such as:

  • CREATE OR REPLACE TABLE AS SELECT ... when ALTER TABLE is not available.

  • Management of MASKING POLICIES and ROW ACCESS POLICIES, due to calls to table function POLICY_REFERENCES.

In order to cover these use cases, you should create a WAREHOUSE and assign it to SnowDDL user and role. Please adjust warehouse size accordingly.

USE ROLE ACCOUNTADMIN;

CREATE WAREHOUSE SNOWDDL_WH
WAREHOUSE_SIZE = 'XSMALL'
AUTO_SUSPEND = 60
AUTO_RESUME = TRUE
INITIALLY_SUSPENDED = TRUE;

GRANT USAGE, OPERATE ON WAREHOUSE SNOWDDL_WH TO ROLE SNOWDDL_ADMIN;

ALTER USER SNOWDDL SET DEFAULT_WAREHOUSE = SNOWDDL_WH;

Do not create administration warehouse using SnowDDL config. Unlike warehouses created by ACCOUNTADMIN, warehouses from config can be created or dropped automatically at any time.

Shares

GRANT CREATE SHARE ON ACCOUNT TO ROLE SNOWDDL_ADMIN;

It may be also required to grant OVERRIDE SHARE RESTRICTIONS if you want to share data from Business Critical edition account to lower edition account(s):

GRANT OVERRIDE SHARE RESTRICTIONS ON ACCOUNT TO ROLE SNOWDDL_ADMIN;

Additional privileges are required to process :

🔦
complicated topic
outbound shares