Snowflake RBAC CLI Documentation

Comprehensive guide for using the Snowflake Role-Based Access Control (RBAC) CLI to manage roles, privileges, and users.

CLI Actions

The CLI supports the following actions:

  1. Create a Role: Define new roles for access control.
  2. Grant Privileges: Assign permissions to roles for managing Snowflake resources.
  3. Create a User: Add new users and associate them with roles.
  4. Execute SQL Queries: Run custom SQL queries directly through the CLI.

Create a Role

Command:

python rbac_setup.py --action create_role --role <role_name>

Example:

To create a role data_engineer:

python rbac_setup.py --action create_role --role data_engineer

Grant Privileges to a Role

Command:

python rbac_setup.py --action grant_privileges --role <role_name> --privileges "<privilege_1>" "<privilege_2>" ...

Example:

To grant privileges to the data_engineer role:

python rbac_setup.py --action grant_privileges --role data_engineer --privileges "GRANT USAGE ON DATABASE TEST TO ROLE data_engineer;" "GRANT SELECT ON ALL TABLES IN SCHEMA PUBLIC TO ROLE data_engineer;"

Notes:

  • Ensure the role exists before assigning privileges.
  • Use the Create a Role command if the role hasn’t been created yet.
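
Each --privileges value is a complete GRANT statement that repeats the role name, so a typo or pasted extra statement can grant to a different role than --role names. The pre-flight check below is an added example, not part of rbac_setup.py; its function names are hypothetical and it assumes role names are unquoted identifiers.

```python
import re

# Unquoted Snowflake identifier: letter or underscore, then letters, digits, _ or $.
IDENT = r"[A-Za-z_][A-Za-z0-9_$]*"
# GRANT <privileges> ON <object> TO ROLE <role>, with nothing after the role name.
GRANT_RE = re.compile(
    rf"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<obj>.+?)\s+TO\s+ROLE\s+(?P<role>{IDENT})$",
    re.IGNORECASE | re.DOTALL,
)


def validate_grant(statement: str, role: str) -> dict:
    """Return the parsed parts of one GRANT statement, or raise ValueError."""
    body = statement.strip().rstrip(";").rstrip()
    if ";" in body:
        raise ValueError("more than one statement in a single --privileges value")
    if "--" in body or "/*" in body:
        raise ValueError("SQL comments are not allowed")
    m = GRANT_RE.match(body)
    if m is None:
        raise ValueError("not a plain GRANT ... ON ... TO ROLE <role> statement")
    # Unquoted identifiers are case-insensitive in Snowflake, so compare folded.
    if m["role"].upper() != role.upper():
        raise ValueError(f"grants to {m['role']}, but --role is {role}")
    return {"privileges": m["privs"].upper(), "object": m["obj"], "role": m["role"]}


def check_privileges(role: str, statements: list[str]) -> list[tuple[str, str]]:
    """Check every --privileges value; return (statement, reason) per rejection."""
    rejected = []
    for stmt in statements:
        try:
            validate_grant(stmt, role)
        except ValueError as exc:
            rejected.append((stmt, str(exc)))
    return rejected


if __name__ == "__main__":
    # Constructed sample: the page's two grants plus two mistakes worth catching.
    sample = [
        "GRANT USAGE ON DATABASE TEST TO ROLE data_engineer;",
        "GRANT SELECT ON ALL TABLES IN SCHEMA PUBLIC TO ROLE data_engineer;",
        "GRANT USAGE ON DATABASE TEST TO ROLE devops_engineer;",
        "GRANT USAGE ON DATABASE TEST TO ROLE data_engineer; GRANT USAGE ON WAREHOUSE COMPUTE_WH TO ROLE data_engineer;",
    ]
    for stmt, reason in check_privileges("data_engineer", sample):
        print(f"REJECTED: {stmt!r}: {reason}")
```

Statements using WITH GRANT OPTION or a quoted role name are rejected by design, so they get a manual review instead of passing silently.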

Create a User and Assign a Role

Command:

python rbac_setup.py --action create_user --user <username> --assign_role <role_name>

Example:

To create a user amruth and assign the data_engineer role:

python rbac_setup.py --action create_user --user amruth --assign_role data_engineer

Notes:

  • Ensure the target role exists before assigning it to a user.
  • Use the Create a Role command if the role hasn’t been created yet.

Execute SQL Queries

Command:

python rbac_setup.py --action execute_query --query "<sql_query>"

Example:

To create the database TEST:

python rbac_setup.py --action execute_query --query "CREATE DATABASE IF NOT EXISTS TEST;"

Verifying Results in Snowflake UI

After executing CLI commands, verify the results in the Snowflake Web UI as follows:

Roles

  1. Go to Account > Roles.
  2. Confirm the created roles (e.g., data_engineer, devops_engineer) are listed.
  3. Click on a role to view details, including privileges granted.

Privileges

  1. Navigate to Account > Roles.
  2. Select a role (e.g., data_engineer) and view its Granted Privileges tab.
  3. Alternatively, run the following query in the Worksheet tab:
    SHOW GRANTS TO ROLE data_engineer;

Users

  1. Go to Account > Users.
  2. Verify that the created users (e.g., amruth, krish) are listed.
  3. Click on a user to view details, including assigned roles and privileges.

Example Workflow

Here’s a step-by-step workflow to create roles, assign privileges, and add users:

  1. Create Roles:

    python rbac_setup.py --action create_role --role devops_engineer
    python rbac_setup.py --action create_role --role database_administrator
    python rbac_setup.py --action create_role --role data_engineer
  2. Grant Privileges:

    python rbac_setup.py --action grant_privileges --role devops_engineer --privileges "GRANT USAGE ON WAREHOUSE COMPUTE_WH TO ROLE devops_engineer;" "GRANT CREATE SCHEMA ON DATABASE TEST TO ROLE devops_engineer;"
    python rbac_setup.py --action grant_privileges --role data_engineer --privileges "GRANT USAGE ON DATABASE TEST TO ROLE data_engineer;" "GRANT SELECT ON ALL TABLES IN SCHEMA PUBLIC TO ROLE data_engineer;"
  3. Create Users:

    python rbac_setup.py --action create_user --user amruth --assign_role data_engineer
    python rbac_setup.py --action create_user --user hrishav --assign_role devops_engineer
  4. Verify Results:

    • Check roles in Account > Roles and users in Account > Users in the Snowflake UI.
    • Use the Worksheet tab to run queries like:
      SHOW GRANTS TO ROLE devops_engineer;
      SHOW GRANTS TO USER amruth;