Search code examples
databasepermissionsclonesnowflake-cloud-data-platform

Cannot CLONE a database because of permissions in snowflake

Created a user called DEV_USER belong to role DEV_ROLE.

GRANT USAGE ON WAREHOUSE MYWH TO ROLE DEV_ROLE;
CREATE USER DEV_USER PASSWORD = 'secrets' COMMENT = 'Dev User' LOGIN_NAME = 'DEV_USER' DISPLAY_NAME = 'Development Only User' DEFAULT_ROLE = 'DEV_ROLE'  DEFAULT_WAREHOUSE = 'MYWH' MUST_CHANGE_PASSWORD = FALSE;
ALTER USER DEV_USER SET DEFAULT_NAMESPACE = 'PUBLIC';
GRANT ROLE DEV_ROLE TO USER DEV_USER;
GRANT ROLE DEV_ROLE TO USER MYUSERACCT;
GRANT ALL ON DATABASE DEV_DB TO ROLE DEV_ROLE WITH GRANT OPTION;
GRANT ALL ON DATABASE "DEV_DB" TO ROLE "DEV_ROLE" WITH GRANT OPTION;
GRANT ALL ON SCHEMA "DEV_DB"."PUBLIC" TO ROLE "DEV_ROLE"  WITH GRANT OPTION;

I log in with MYUSERACCT. I default to the DEV_ROLE. I go to DATABASES and try to clone the DEV_DB to DEV_DB_CLONE but get the following error:

Unable to create database DEV_DB_CLONE. SQL access control error: Insufficient privileges to operate on account 'XX12345'

Obviously it will work if I set my user to SYSADMIN or ACCOUNTADMIN. But I need it to CLONE when I'm set to DEV_ROLE.

What am I missing?

Solution

  • security access control privileges says for clone you need the global privileges of CREATE DATABASE via a role

    CREATE USER DEV_USER1 PASSWORD = 'secrets' COMMENT = 'Dev User' LOGIN_NAME = 'DEV_USER' DISPLAY_NAME = 'Development Only User';
CREATE ROLE CLONE_ROLE;
GRANT CREATE DATABASE ON ACCOUNT TO ROLE CLONE_ROLE;
GRANT ROLE CLONE_ROLE TO USER DEV_USER1;

DROP USER DEV_USER1;
DROP ROLE CLONE_ROLE;