Snowflake access control works by giving roles sets of privileges on certain objects (databases, schemas, tables, and so on). For example, CREATE is a privilege that can be set on objects such as tables or schemas and given to a custom or existing role. That role, when used by , can then create tables. The ALL privilege gives a role every relevant available privilege on an object.

To connect your Snowflake account to , the Snowflake role must have certain privileges enabled. Some examples are listed below. Matillion recommends using a custom Snowflake role created specifically for , rather than a role such as PUBLIC. Read GRANT <privileges> … TO ROLE to learn how to grant privileges to a role.

Required roles

Below is a table of role privileges required for optimal use of . Omitting privileges may come at the cost of features within .
| Privilege | Object | Description |
|---|---|---|
| ALL | Table | Grants all privileges, except OWNERSHIP, on a table. |
| ALL | External Table | Grants all privileges, except OWNERSHIP, on an external table. |
| ALL | View | Grants all privileges, except OWNERSHIP, on a view. |
| ALL | Schema | Grants all privileges, except OWNERSHIP, on a schema. |
| ALL | Stage | Creation and general use of Snowflake stages. |

The following sections offer some examples of how to grant these privileges.

Warehouse

Grant Usage on warehouse:
GRANT USAGE ON WAREHOUSE <warehouse-name> TO ROLE <role-name>;
Grant Operate on warehouse:
GRANT OPERATE ON WAREHOUSE <warehouse-name> TO ROLE <role-name>;

Database

Grant Usage on database:
GRANT USAGE ON DATABASE <database-name> TO ROLE <role-name>;

Schema

Grant All on schema:
GRANT ALL ON SCHEMA <schema-name> TO ROLE <role-name>;

Table

Grant Delete on tables in schema:
GRANT DELETE ON ALL TABLES IN SCHEMA <schema-name> TO ROLE <role-name>;

Authentication methods

currently supports the username/password and key-pair authentication methods for Snowflake. If using key-pair authentication, read Using Snowflake key-pair authentication to learn how to configure the necessary secrets for this method. Multi-Factor Authentication connections aren’t supported. We advise that customers set up a Snowflake Service Account User for use with projects.
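
The privilege table and the service-account advice above, combined into one setup script with a check at the end. This is an added example, not Matillion's own code: ETL_ROLE, ETL_WH, ANALYTICS.STAGING, SVC_ETL and the key placeholder are hypothetical names, and it assumes key-pair authentication and a session that can use SECURITYADMIN.

```sql
-- Added example: every object, role and user name below is a hypothetical placeholder.
USE ROLE SECURITYADMIN;

-- Dedicated role instead of PUBLIC. Attaching it to SYSADMIN follows Snowflake's
-- recommended role hierarchy, so administrators can still see what it creates.
CREATE ROLE IF NOT EXISTS ETL_ROLE;
GRANT ROLE ETL_ROLE TO ROLE SYSADMIN;

-- Compute and container access, scoped to one warehouse, database and schema.
GRANT USAGE, OPERATE ON WAREHOUSE ETL_WH TO ROLE ETL_ROLE;
GRANT USAGE ON DATABASE ANALYTICS TO ROLE ETL_ROLE;
GRANT ALL ON SCHEMA ANALYTICS.STAGING TO ROLE ETL_ROLE;

-- ALL (which excludes OWNERSHIP) on the object types from the privilege table.
GRANT ALL ON ALL TABLES IN SCHEMA ANALYTICS.STAGING TO ROLE ETL_ROLE;
GRANT ALL ON ALL EXTERNAL TABLES IN SCHEMA ANALYTICS.STAGING TO ROLE ETL_ROLE;
GRANT ALL ON ALL VIEWS IN SCHEMA ANALYTICS.STAGING TO ROLE ETL_ROLE;
GRANT ALL ON ALL STAGES IN SCHEMA ANALYTICS.STAGING TO ROLE ETL_ROLE;

-- Service user for key-pair authentication. TYPE = SERVICE disables password
-- login; drop that line if username/password authentication is used instead.
CREATE USER IF NOT EXISTS SVC_ETL
  TYPE = SERVICE
  DEFAULT_ROLE = ETL_ROLE
  DEFAULT_WAREHOUSE = ETL_WH
  RSA_PUBLIC_KEY = '<public-key-base64>';  -- placeholder, not a real key
GRANT ROLE ETL_ROLE TO USER SVC_ETL;

-- Check: list what the role holds, then flag anything broader than intended.
-- Expect no rows right after setup; objects the role later creates in the
-- schema will be owned by it and will show up here as OWNERSHIP.
SHOW GRANTS TO ROLE ETL_ROLE;
SELECT "privilege", "granted_on", "name"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "privilege" = 'OWNERSHIP' OR "granted_on" = 'ACCOUNT';
```

The bulk grants cover only objects that exist when the script runs; rerun them, or add matching `ON FUTURE ... IN SCHEMA` grants, when new objects are created by other roles.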