Open in app

Sign in

Write

Sign in

Snowflake: Security — Custom Roles monitor Costs with Snowsight UI

Image generated by https://lumenor.ai/

As a part of the Snowflake Security series that you can follow here, in this post will describe what is the procedure you have to follow in order to provide your custom roles access to the Cost Management — Snowsight UI console.

This is an important use case due to you don’t want to allow to any CUSTOM role the ACCOUNT admin role. This scenario it will imply important security risks in your Snowflake Data Cloud platform. Any user with this role will be able to manage everything in your account, including destroy something, assign unlimited resources to warehouse generating unlimited costs, etc…

So we will focus on how it is important to manage accurately our Security in our platform, in order to provide a good RBAC hierarchy scenario, to allow the better comfort and use cases for your company. For better understanding on the Security Access Layer Framework, you can check the below article.

Our next steps

This article will be based on generate a role for your company, and apply the different privileges in order to provide them with the appropriate access in order to monitor the Snowsight UI — Costs Managment. In addition, it will be able to use some ACCOUNT_USAGE and ORGANIZATION_USAGE views.

In order to achieve our goal, we will follow the below steps:

  • Create a custom role
  • Assign the different privileges/ roles
  • Checking access to Snowsight UI — Cost Management

Create custom role

We will use SECURITYADMIN role, and it will be assigned directly to SYSADMIN on this article, but in real scenario you should define a hierarchy on this. For one example, check this article.

Let’s start coding!

USE ROLE SECURITYADMIN;

CREATE ROLE CUSTOM_BILLING_ROLE;

GRANT ROLE CUSTOM_BILLING_ROLE TO ROLE SYSADMIN;

GRANT USAGE ON WAREHOUSE COMPUTE_WH TO ROLE CUSTOM_BILLING_ROLE;

Assign the different privileges/ roles

In this point, we have to know that in order to access to the costs management, it will be need the access to the different views on SNOWFLAKE database.

On one side, it will be needed to access to some internal ACCOUNT_USAGE views. For this will we will need the below DATABASE ROLES:

  • SNOWFLAKE.USAGE_VIEWER: The USAGE_VIEWER role provides visibility into historical usage information
  • SNOWFLAKE.GOVERNANCE_VIEWER: The GOVERNANCE_VIEWER role provides visibility into policy related information

On the other side, it will be needed to access to some internal ORGANIZATION_USAGE views. For this will we will need the below DATABASE ROLES:

  • SNOWFLAKE.ORGANIZATION_USAGE_VIEWER: The ORGANIZATION USAGE_VIEWER role provides visibility into ORGANIZATION historical usage information related to the accounts
  • SNOWFLAKE.ORGANIZATION_BILLING_VIEWER: The ORGANIZATION_BILLING_VIEWER role provides visibility into billing related information to the accounts
  • SNOWFLAKE.ORGANIZATION_ACCOUNTS_VIEWER: The ORGANIZATION_ACCOUNTS_VIEWER role provides visibility into accounts attributes related information

Let’s start coding!

USE ROLE ACCOUNTADMIN;

GRANT DATABASE ROLE SNOWFLAKE.USAGE_VIEWER TO ROLE CUSTOM_BILLING_ROLE;--
GRANT DATABASE ROLE SNOWFLAKE.GOVERNANCE_VIEWER TO ROLE CUSTOM_BILLING_ROLE;--

GRANT DATABASE ROLE SNOWFLAKE.ORGANIZATION_BILLING_VIEWER TO ROLE CUSTOM_BILLING_ROLE;--
GRANT DATABASE ROLE SNOWFLAKE.ORGANIZATION_USAGE_VIEWER TO ROLE CUSTOM_BILLING_ROLE;--
GRANT DATABASE ROLE SNOWFLAKE.ORGANIZATION_ACCOUNTS_VIEWER TO ROLE CUSTOM_BILLING_ROLE;--

Now, we are going to check that all privileges have been correctly setup:

SHOW GRANTS TO ROLE CUSTOM_BILLING_ROLE;

Checking access to Snowsight UI — Cost Management

If you try access directly, a message it will show up on the pane that you can access the data! But don’t worry, calm down :)

The changes are not directly applied on the Snowsight, so you have to log out, and log in again. This is important step, and maybe a hands up scenario :S

But, as you can see below, that we have logged out and login again. And finally, we use our CUSTOM_BILLING_ROLE and we can see our precious Snowsight UI — Cost Management tab

Account Overview
Consumption Overview

Conclusions

Having a good Security strategy for our company and allow specific users ONLY monitor the budget on our accounts, is so important as the data itself, in order to minimize the risks. A good strategy in your company must be studied accurately, and allow your company to be flexible, Snowflake provides multiple methods to achieve boths objectives.

If you want to know more about security, please follow my Snowflake Security series.

About me

Subject Matter Expert on different Data Technologies, with 20+ years of experience in Data Adventures. I am a Snowflake Squad Team Founder and Snowflake Barcelona User Group — Chapter.

As a Data Vault Certified Practitioner, I have been leading Data Vault Architecures using Metadata Driven methodologies.

If you want to know more in detail about the aspects seen here, or other ones, you can follow me on medium || Linked-in here.

I hope you have joined and this can help you!

Snowflake
Security
Monitoring
Dashboard
Observability

--

--

Cesar Segura
Snowflake Builders Blog: Data Engineers, App Developers, AI/ML, & Data Science

Written by Cesar Segura

123 Followers
Writer for

SME @ SDG Group || Snowflake Architect || Snowflake Squad Spotlight Member || CDVP Data Vault

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams