I am working on creating a native application using Snowpark container service. I have created an application package and application.
When I try to open the service endpoint (app-url.snowflakecomputing.app), it gives the error below:

Access denied. Insufficient privileges to use app-url.

The setup script is as follows; it creates a compute pool and a service:

CREATE APPLICATION ROLE IF NOT EXISTS iqr_user;
CREATE SCHEMA IF NOT EXISTS core;
GRANT USAGE ON SCHEMA core TO APPLICATION ROLE iqr_user;
CREATE OR ALTER VERSIONED SCHEMA app_public;
GRANT USAGE ON SCHEMA app_public TO APPLICATION ROLE iqr_user;

-- Start App
CREATE OR REPLACE PROCEDURE app_public.start_app()
    RETURNS string
    LANGUAGE sql
    AS $$
BEGIN
    LET pool_name := (SELECT CURRENT_DATABASE()) || '_compute_pool';
    CREATE COMPUTE POOL IF NOT EXISTS IDENTIFIER(:pool_name)
        MIN_NODES = 1
        MAX_NODES = 1
        INSTANCE_FAMILY = CPU_X64_XS
        AUTO_RESUME = true;
    CREATE SERVICE IF NOT EXISTS core.iqr_service
        IN COMPUTE POOL identifier(:pool_name)
        FROM SPECIFICATION_FILE='service.yml';
    GRANT USAGE ON SERVICE core.iqr_service TO APPLICATION ROLE iqr_user;
    RETURN 'Service started. Check status, and when ready, get URL';
END;
$$;
GRANT USAGE ON PROCEDURE app_public.start_app() TO APPLICATION ROLE iqr_user;

What is the missing privilege that needs to be granted in order to fix this?

Found a solution for this. Create a service role in the service.yml file and grant the service role in the setup script to the application role.
There is a default service role available as well.

spec:
  containers:
  - name: iq
    image: /insta_spcs_db/app_schema/repo_stage/iqr_app_image
  endpoints:
  - name: iq
    port: 8501
    public: true
serviceRoles:
- name: iq_service_role
  endpoints:
  - iq

Setup script:

CREATE OR REPLACE PROCEDURE app_public.grant_callback(privileges array)
    RETURNS string
    LANGUAGE sql
    AS $$
BEGIN
    EXECUTE IMMEDIATE 'CREATE SERVICE IF NOT EXISTS core.iqr_service
        IN COMPUTE POOL iq_app_cp
        FROM SPECIFICATION_FILE=''' || '/service.yml' || '''
        QUERY_WAREHOUSE=iq_app_wh';
    GRANT USAGE ON SERVICE core.iqr_service TO APPLICATION ROLE iqr_user;
    GRANT SERVICE ROLE core.iqr_service!iq_service_role TO APPLICATION ROLE iqr_user;
    RETURN 'Resources Created. Service started. Check status, and when ready, get URL';
END;
$$;
GRANT USAGE ON PROCEDURE app_public.grant_callback(array) TO APPLICATION ROLE iqr_user;
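
A small check for the fix described in the answer, added here as an example and not code from the original post: it takes a service spec (as the dict a YAML loader would return; the sample is constructed from the answer's service.yml), lists public endpoints that no service role covers, and builds the matching GRANT SERVICE ROLE statements. The function names are hypothetical.

```python
# Added example, not from the original post. SPEC mirrors the answer's
# service.yml as a parsed dict; it is constructed sample input.
SPEC = {
    "spec": {
        "containers": [{"name": "iq",
                        "image": "/insta_spcs_db/app_schema/repo_stage/iqr_app_image"}],
        "endpoints": [{"name": "iq", "port": 8501, "public": True}],
    },
    "serviceRoles": [{"name": "iq_service_role", "endpoints": ["iq"]}],
}


def audit_service_roles(spec):
    """Map each endpoint to the service roles that expose it and flag gaps."""
    endpoints = {e["name"]: e for e in spec.get("spec", {}).get("endpoints", [])}
    covered = {name: [] for name in endpoints}
    unknown = []  # (role, endpoint) pairs that name an undeclared endpoint
    for role in spec.get("serviceRoles") or []:
        for ep in role.get("endpoints", []):
            if ep in covered:
                covered[ep].append(role["name"])
            else:
                unknown.append((role["name"], ep))
    # Public endpoints that no custom service role covers: the setup script
    # has no spec-defined role to grant for them.
    uncovered = sorted(n for n, e in endpoints.items()
                       if e.get("public") and not covered[n])
    return covered, uncovered, unknown


def grant_statements(spec, service, app_role):
    """Build one GRANT SERVICE ROLE line per role declared in the spec."""
    return [f"GRANT SERVICE ROLE {service}!{r['name']} "
            f"TO APPLICATION ROLE {app_role};"
            for r in spec.get("serviceRoles") or []]


if __name__ == "__main__":
    covered, uncovered, unknown = audit_service_roles(SPEC)
    print("endpoint -> roles:", covered)
    print("public endpoints with no service role:", uncovered)
    print("roles naming undeclared endpoints:", unknown)
    for stmt in grant_statements(SPEC, "core.iqr_service", "iqr_user"):
        print(stmt)
```

Run against a spec with no serviceRoles section, the endpoint `iq` appears in the uncovered list and no grant statements are produced.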