Share
You can provide configuration to Snowflake Object Lifecycle Engine for the following operations with shares:
- Manage the lifecycle of new and existing shares
- Manage the lifecycle of a cloned share
Usage
We have introduced SOLE for Data Products as a new framework for SOLE to help you easily build an ecosystem of data products. Learn more about SOLE for Data Products which is currently available as a private preview.
- Share in Current Configuration
- Share in SOLE for Data Products
shares:
<share-name>:
<configuration-key>: <value>
accounts:
- <organisation-name>.<account-name>
- share:
name: <share-name>
<configuration-key>: <value>
accounts:
- <organisation-name>.<account-name>
Supported parameters
The engine supports the parameters listed below.
Configuration Key | Required/Optional | Data Types and Values | Description |
---|---|---|---|
accounts | Optional | List of String | A list of accounts to be added to the share |
environment | Optional | String | Specifies the environment in which the Share is managed. Regex can be provided as well |
comment | Optional | String | Specifies a comment for the share |
deleted | Optional | Boolean: True enables deletion prevention, False does nothing | Specifies what objects are allowed to be deleted |
manage_mode | Optional | String: all (default), none | Configures what properties to manage for the share. See Changing Manage Mode before changing the value. |
namespacing | Optional | String: both (default), prefix , suffix , none | Specifies whether prefix or suffix or both are to be added to share name [doesn't apply to default database] |
share_restrictions | Optional | Boolean | Enables or disables adding a standard or enterprise consumer account to a share belonging to a business-critical data provider. You must set this parameter each time you are adding a new non-business critical consumer account to the share belonging to a business-critical provider. |
Examples
Share creation
- Share in Current Configuration
- Share in SOLE for Data Products
shares:
DEV_SHARE:
comment: "share for Ingestion Developers"
- share:
name: DEV_SHARE
comment: "share for Ingestion Developers"
Share with grants to accounts
- Share in Current Configuration
- Share in SOLE for Data Products
shares:
MODELLING_SHARE:
comment: "share for Ingestion Developers"
accounts:
- <organisation-name>.<account-name>
- <organisation-name>.<account-name>
- share:
name: MODELLING_SHARE
comment: "share for Ingestion Developers"
accounts:
- <organisation-name>.<account-name>
- <organisation-name>.<account-name>
It is not possible to grant access to the share for the account the share belongs to. Setting <account-name>
to the current account will throw an error.
Revoking accounts from a share
SOLE generates all object grants and revokes based on what you define in the Snowflake object configuration. It looks at the configuration and updates the object to match the configuration.
If the accounts
key is defined in a share, SOLE looks at the object configuration and grants access to the share only for the accounts listed in the configuration. Any account granted access to the share outside SOLE will stop having access.
In the same way, if the accounts
key isn't defined in a share, SOLE doesn't revoke the accounts from the share if they are added through Snowflake for example. In such a case, SOLE logs that revokes have to be performed but it doesn't do anything. Revokes are only performed if you define a list of accounts. SOLE uses this list to ensure that values in Snowflake match what you have defined in the object configuration.
To revoke all accounts on a share, you can define an empty list in the Snowflake object configuration. This will revoke all accounts set on the share, including those defined outside SOLE, as the following example shows:
- Share in Current Configuration
- Share in SOLE for Data Products
shares:
SHARE_1:
comment: "Share 1"
accounts: []
- share:
name: SHARE_1
comment: "Share 1"
accounts: []
Using an empty list to revoke accounts logs a single string "---REMOVE_ALL_ACCOUNTS---".
This string is used to ensure that all accounts are revoked.
Share with defined share_restrictions
- Share in Current Configuration
- Share in SOLE for Data Products
shares:
MODELLING_SHARE:
comment: "share for Ingestion Developers"
accounts:
- <organisation-name>.<account-name>
- <organisation-name>.<account-name>
share_restrictions: false
- share:
name: MODELLING_SHARE
comment: "share for Ingestion Developers"
accounts:
- <organisation-name>.<account-name>
- <organisation-name>.<account-name>
share_restrictions: false