Tags: docker, snowflake-cloud-data-platform, streamlit

Access denied on service endpoint for a streamlit app using SPCS


I am working on creating a native application using Snowpark Container Services. I have created an application package and an application.

When I try to open the service endpoint (app-url.snowflakecomputing.app) it gives the error below:

Access denied. Insufficient privileges to use app-url.

The setup script is as follows; it creates a compute pool and a service.

-- Application role that consumers use to reach the app's objects
CREATE APPLICATION ROLE IF NOT EXISTS iqr_user;

-- Schema that holds the service
CREATE SCHEMA IF NOT EXISTS core;
GRANT USAGE ON SCHEMA core TO APPLICATION ROLE iqr_user;

-- Versioned schema for procedures that change between app versions
CREATE OR ALTER VERSIONED SCHEMA app_public;
GRANT USAGE ON SCHEMA app_public TO APPLICATION ROLE iqr_user;

-- Start App

CREATE OR REPLACE PROCEDURE app_public.start_app()
    RETURNS string
    LANGUAGE sql
    AS $$
BEGIN
    -- Pool name derived from the application (database) name
    LET pool_name := (SELECT CURRENT_DATABASE()) || '_compute_pool';

    CREATE COMPUTE POOL IF NOT EXISTS IDENTIFIER(:pool_name)
        MIN_NODES = 1
        MAX_NODES = 1
        INSTANCE_FAMILY = CPU_X64_XS
        AUTO_RESUME = true;

    -- Service built from the spec file shipped with the application
    CREATE SERVICE IF NOT EXISTS core.iqr_service
        IN COMPUTE POOL IDENTIFIER(:pool_name)
        FROM SPECIFICATION_FILE='service.yml';

    -- USAGE on the service object only; endpoint access is governed by service roles
    GRANT USAGE ON SERVICE core.iqr_service TO APPLICATION ROLE iqr_user;

    RETURN 'Service started. Check status, and when ready, get URL';
END;
$$;

GRANT USAGE ON PROCEDURE app_public.start_app() TO APPLICATION ROLE iqr_user;

What is the missing privilege that needs to be granted in order to fix this?


Solution

  • Found a solution for this. Create a service role in the service.yml file and grant the service role in the setup script to the application role.

    There is a default service role available as well.

    spec:
      containers:
        - name: iq
          image: /insta_spcs_db/app_schema/repo_stage/iqr_app_image
      endpoints:
        - name: iq
          port: 8501
          public: true
    serviceRoles:
      - name: iq_service_role
        endpoints:
          - iq
    

    Setup script:

    CREATE OR REPLACE PROCEDURE app_public.grant_callback(privileges array)
        RETURNS string
        LANGUAGE sql
        AS $$
    BEGIN
        -- Runs once the consumer has granted the requested privileges; creates the service
        EXECUTE IMMEDIATE 'CREATE SERVICE IF NOT EXISTS core.iqr_service
            IN COMPUTE POOL iq_app_cp
            FROM SPECIFICATION_FILE=''' || '/service.yml' || '''
            QUERY_WAREHOUSE=iq_app_wh';

        GRANT USAGE ON SERVICE core.iqr_service TO APPLICATION ROLE iqr_user;
        -- Service role declared in service.yml; this is what opens the endpoint
        GRANT SERVICE ROLE core.iqr_service!iq_service_role TO APPLICATION ROLE iqr_user;

        RETURN 'Resources Created. Service started. Check status, and when ready, get URL';
    END;
    $$;

    GRANT USAGE ON PROCEDURE app_public.grant_callback(array) TO APPLICATION ROLE iqr_user;
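As an added example (not part of the original question or answer), the following Python pre-flight check catches both halves of the fix above before an application package is deployed: a public endpoint in service.yml that no service role covers, and a service role that the setup script never grants to an application role. It goes slightly beyond the answer by also flagging a service role that names an endpoint the spec never declares. The spec dicts and SQL strings are constructed from the question and answer; the function names `check_spec`, `ungranted_service_roles`, `preflight` and the grant regex are assumptions of this example.

```python
"""Pre-flight check for an SPCS native app (added example, not the project's code).

Two things must both hold for a consumer to reach a public endpoint:
  1. service.yml declares a service role that covers the endpoint, and
  2. the setup script grants that service role to an application role.
"""
import re

# Constructed: the answer's service.yml as the dict a YAML parser would produce.
FIXED_SPEC = {
    "spec": {
        "containers": [
            {"name": "iq", "image": "/insta_spcs_db/app_schema/repo_stage/iqr_app_image"},
        ],
        "endpoints": [{"name": "iq", "port": 8501, "public": True}],
    },
    "serviceRoles": [{"name": "iq_service_role", "endpoints": ["iq"]}],
}

# Constructed: the question's situation, i.e. the same spec without serviceRoles.
ORIGINAL_SPEC = {"spec": FIXED_SPEC["spec"]}

# Constructed: the grant statements from the answer's grant_callback procedure.
FIXED_SQL = """
GRANT USAGE ON SERVICE core.iqr_service TO APPLICATION ROLE iqr_user;
GRANT SERVICE ROLE core.iqr_service!iq_service_role TO APPLICATION ROLE iqr_user;
"""

# Constructed: the question's start_app only grants USAGE on the service object.
ORIGINAL_SQL = "GRANT USAGE ON SERVICE core.iqr_service TO APPLICATION ROLE iqr_user;"

# Matches: GRANT SERVICE ROLE <service>!<role> TO APPLICATION ROLE <app_role>
GRANT_SERVICE_ROLE = re.compile(
    r"GRANT\s+SERVICE\s+ROLE\s+(?P<service>[\w.]+)!(?P<role>\w+)"
    r"\s+TO\s+APPLICATION\s+ROLE\s+(?P<app_role>\w+)",
    re.IGNORECASE,
)


def check_spec(spec):
    """Return problems in the service spec: public endpoints with no service
    role, and service roles that name endpoints the spec never declares."""
    problems = []
    endpoints = {e["name"]: e for e in spec.get("spec", {}).get("endpoints", [])}
    covered = set()
    for role in spec.get("serviceRoles", []):
        for ep_name in role.get("endpoints", []):
            if ep_name not in endpoints:
                problems.append(
                    f"service role {role['name']!r} references unknown endpoint {ep_name!r}"
                )
            covered.add(ep_name)
    for name, ep in endpoints.items():
        if ep.get("public") and name not in covered:
            problems.append(
                f"public endpoint {name!r} is not covered by any service role; "
                "consumers will get 'Access denied' at the endpoint URL"
            )
    return problems


def ungranted_service_roles(spec, setup_sql, service_name):
    """Return service roles declared in the spec that the setup script never
    grants to an application role (names compared case-insensitively)."""
    granted = {
        (m["service"].lower(), m["role"].lower())
        for m in GRANT_SERVICE_ROLE.finditer(setup_sql)
    }
    return [
        role["name"]
        for role in spec.get("serviceRoles", [])
        if (service_name.lower(), role["name"].lower()) not in granted
    ]


def preflight(spec, setup_sql, service_name):
    """Combine both checks; an empty list means the endpoint should be reachable."""
    problems = check_spec(spec)
    for role in ungranted_service_roles(spec, setup_sql, service_name):
        problems.append(
            f"service role {role!r} is declared but never granted to an application role"
        )
    return problems


if __name__ == "__main__":
    for label, spec, sql in (("original", ORIGINAL_SPEC, ORIGINAL_SQL),
                             ("fixed", FIXED_SPEC, FIXED_SQL)):
        print(label, "->", preflight(spec, sql, "core.iqr_service") or "OK")
```

Run against the question's original spec and script the check reports the uncovered public endpoint; against the answer's spec and grant_callback it reports nothing. Swapping a real YAML loader for the embedded dicts is the only change needed to point it at an actual service.yml.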