Role

You can provide configuration to Snowflake Object Lifecycle Engine for the following operations with roles:

  • Manage the lifecycle of new and existing roles
  • Manage the lifecycle of cloned roles
  • Manage grants of roles

Usage

- role:
    name: <role-name>
    <configuration-key>: <value>
    roles:
      - rel(role.<role-name>)
      - rel(role.<role-name>)
    users:
      - rel(user.<user-name>)
      - rel(user.<user-name>)

Supported parameters

The engine supports the parameters listed below.

| Configuration Key | Required/Optional | Data Types and Values | Description |
|---|---|---|---|
| comment | Optional | String | Specifies a comment for the role |
| deleted | Optional | Boolean: True enables deletion prevention, False does nothing | Specifies what objects are allowed to be deleted |
| environment | Optional | String | Specifies the environment in which the role is managed. Regex can be provided as well. |
| manage_mode | Optional | String: all (default), none, grants | Configures what properties to manage for the role. See Changing Manage Mode before changing the value. |
| namespacing | Optional | String: both (default), prefix, suffix, none | Specifies whether prefix or suffix or both are to be added to role name - doesn't apply to default database |
| roles or granted_to_roles | Optional | List | List of roles to which current roles are granted. Caution: You cannot simultaneously use both configuration keys roles and granted_to_roles in a role configuration. |
| users or granted_to_users | Optional | List | List of users to which current roles are granted. Caution: You cannot simultaneously use both configuration keys users and granted_to_users in a role configuration. |

Examples

Role creation

- role:
    name: DEV_ROLE
    comment: "Role for Ingestion Developers"

Role with grants to roles and users

- role:
    name: MODELLING_ROLE
    comment: "Role for Ingestion Developers"
    roles:
      - rel(role.INGESTION_ROLE)
      - ACCOUNTADMIN
    users:
      - rel(user.DATAOPS_ADMIN)
      - rel(user.INGESTION_USER)

Role revoking

To revoke a role, define an empty list for roles: under the name of that role.

- role:
    name: MODELLING_ROLE
    comment: "Role for Ingestion Developers"
    roles: []
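
A pre-merge check for the constraints in the parameter table and the revocation rule above, as an added example that is not part of the engine or its documentation. It works on role mappings that have already been parsed from YAML; lint_role, the severity labels, and the BAD_ROLE sample are hypothetical names introduced here.

```python
import re

# Allowed values and exclusive key pairs, taken from the parameter table on this page.
MANAGE_MODES = ("all", "none", "grants")
NAMESPACING = ("both", "prefix", "suffix", "none")
EXCLUSIVE = (("roles", "granted_to_roles"), ("users", "granted_to_users"))
REL = re.compile(r"rel\((role|user)\.[^()]+\)")

def lint_role(cfg):
    """Return (severity, message) findings for one parsed `role:` mapping."""
    out, name = [], cfg.get("name", "<unnamed>")
    if "name" not in cfg:
        out.append(("error", "role has no name"))
    for a, b in EXCLUSIVE:
        if a in cfg and b in cfg:
            out.append(("error", f"{name}: '{a}' and '{b}' cannot both be set"))
    for key, allowed in (("manage_mode", MANAGE_MODES), ("namespacing", NAMESPACING)):
        if key in cfg and cfg[key] not in allowed:
            out.append(("error", f"{name}: {key}={cfg[key]!r} not in {allowed}"))
    if "deleted" in cfg and not isinstance(cfg["deleted"], bool):
        out.append(("error", f"{name}: 'deleted' must be a Boolean"))
    for key in (k for pair in EXCLUSIVE for k in pair):
        targets = cfg.get(key)
        if targets is None:
            continue
        if not isinstance(targets, list):
            out.append(("error", f"{name}: '{key}' must be a list"))
            continue
        if key == "roles" and not targets:
            # Surface revocations so a reviewer confirms they are intended.
            out.append(("review", f"{name}: empty 'roles' list revokes the role"))
        for t in targets:
            if not REL.fullmatch(str(t)):
                out.append(("review", f"{name}: {key} entry {t!r} is a literal name, not rel()"))
    return out

# Constructed sample input: role mappings as they would look after YAML parsing.
SAMPLES = [
    {"name": "MODELLING_ROLE", "roles": ["rel(role.INGESTION_ROLE)", "ACCOUNTADMIN"],
     "users": ["rel(user.DATAOPS_ADMIN)"]},
    {"name": "BAD_ROLE", "roles": [], "granted_to_roles": ["rel(role.DEV_ROLE)"],
     "manage_mode": "grant", "deleted": "True"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        for severity, message in lint_role(sample):
            print(f"[{severity}] {message}")
```

Findings marked review are not errors: they flag grant changes, such as a grant to ACCOUNTADMIN or a revocation, that a reviewer should confirm before the configuration is applied.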