Requirements

Infrastructure

  • CI/CD Pipeline (for automated deployment)
    • Azure DevOps, GitHub Actions, or similar
    • See example pipelines in docs/example-pipelines/
    • Build service needs read access to git repository for change tracking
  • Git Repository
    • Stores database metadata and functional role configuration
    • Uses git tags for change tracking between deployments
  • Python Environment
    • Python 3.11 or higher
    • Package dependencies managed via pyproject.toml

Snowflake Technical User

A Snowflake technical/service user with appropriate privileges is required for deployment:

Required Privileges

  1. Role Management
    • CREATE ROLE ON ACCOUNT - To create new roles
  2. Grant Management (choose one approach)
    • Option A: MANAGE GRANTS ON ACCOUNT - Allows granting any privilege
    • Option B: Ownership on all managed databases and schemas
  3. Metadata Access (choose one approach)
    • Option A: SYSADMIN role - Full access to all objects
    • Option B: Minimal access - USAGE ON DATABASE, USAGE ON SCHEMA, SELECT on at least one table per schema
  4. Warehouse Access
    • USAGE privilege on a warehouse (XS size is sufficient)

Connection Configuration

The deployer uses the cloe_util_snowflake_connector package for Snowflake connections. This connector supports both password-based and key pair authentication.

Required Environment Variables:

  • CLOE_SNOWFLAKE_USER - Technical user name
  • CLOE_SNOWFLAKE_ACCOUNT - Account identifier (e.g., mycompany.west-europe.azure)
  • CLOE_SNOWFLAKE_WAREHOUSE - Warehouse for executing DDL statements

Authentication (choose one method):

  • CLOE_SNOWFLAKE_PASSWORD - Password authentication (simpler, but being deprecated by Snowflake)
  • CLOE_SNOWFLAKE_PRIVATE_KEY or CLOE_SNOWFLAKE_PRIVATE_KEY_FILE - Key pair authentication (recommended for production)

Optional:

  • CLOE_SNOWFLAKE_ROLE - Role to use; defaults to user's default role
  • CLOE_SNOWFLAKE_DATABASE - Default database context
  • CLOE_SNOWFLAKE_SCHEMA - Default schema context

Note: For detailed connector documentation including key pair authentication setup, see the cloe_util_snowflake_connector package documentation.
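A pre-flight check a pipeline step could run before deployment, validating the variables listed above. This is an added example, not code from the deployer or from cloe_util_snowflake_connector; the function name check_connection_env is hypothetical, and rejecting more than one authentication variable and checking key file permissions are choices of this example, not documented connector behaviour.

```python
import os
import stat

REQUIRED = ("CLOE_SNOWFLAKE_USER", "CLOE_SNOWFLAKE_ACCOUNT", "CLOE_SNOWFLAKE_WAREHOUSE")
PASSWORD = "CLOE_SNOWFLAKE_PASSWORD"
KEY_INLINE = "CLOE_SNOWFLAKE_PRIVATE_KEY"
KEY_FILE = "CLOE_SNOWFLAKE_PRIVATE_KEY_FILE"


def check_connection_env(env):
    """Hypothetical helper: return (errors, warnings) for a mapping of env vars."""
    errors, warnings = [], []
    for name in REQUIRED:
        if not env.get(name, "").strip():
            errors.append(f"{name} is not set")

    methods = [n for n in (PASSWORD, KEY_INLINE, KEY_FILE) if env.get(n)]
    if not methods:
        errors.append("no authentication variable is set")
    elif len(methods) > 1:
        # Assumption of this example: ambiguous credentials fail the check.
        errors.append("more than one authentication variable is set: " + ", ".join(methods))
    elif methods[0] == PASSWORD:
        warnings.append("password authentication in use; key pair is recommended for production")
    elif methods[0] == KEY_FILE:
        path = env[KEY_FILE]
        if not os.path.isfile(path):
            errors.append(f"{KEY_FILE} does not point to a file")
        elif stat.S_IMODE(os.stat(path).st_mode) & 0o077:
            # POSIX permission bits: any group/other access exposes the private key.
            errors.append(f"{KEY_FILE} is accessible by group or others; restrict it to the owner")

    if not env.get("CLOE_SNOWFLAKE_ROLE"):
        warnings.append("CLOE_SNOWFLAKE_ROLE not set; the user's default role will be used")
    return errors, warnings


if __name__ == "__main__":
    import sys
    errs, warns = check_connection_env(os.environ)
    for w in warns:
        print("warning:", w, file=sys.stderr)
    for e in errs:
        print("error:", e, file=sys.stderr)
    sys.exit(1 if errs else 0)
```

Run as a script, it exits non-zero when any error is found, so the pipeline stops before a connection attempt is made.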

Permissions example

-- Technical user and role
USE ROLE SECURITYADMIN;
-- Password is left empty here: supply one, or configure key pair authentication (recommended for production)
CREATE USER U_T_CLOE_PERMISSIONS WITH PASSWORD = '';
CREATE ROLE R_T_CLOE_PERMISSIONS;
GRANT ROLE R_T_CLOE_PERMISSIONS TO ROLE ACCOUNTADMIN;
GRANT ROLE R_T_CLOE_PERMISSIONS TO USER U_T_CLOE_PERMISSIONS;
-- Grant Management, Option A
GRANT MANAGE GRANTS ON ACCOUNT TO ROLE R_T_CLOE_PERMISSIONS;
-- Role Management
GRANT CREATE ROLE ON ACCOUNT TO ROLE R_T_CLOE_PERMISSIONS;
-- Metadata Access, Option A
GRANT ROLE SYSADMIN TO ROLE R_T_CLOE_PERMISSIONS;
-- Warehouse Access
USE ROLE SYSADMIN;
CREATE WAREHOUSE WH_CLOE_PERMISSIONS WITH WAREHOUSE_SIZE=XSMALL INITIALLY_SUSPENDED=TRUE;
GRANT USAGE ON WAREHOUSE WH_CLOE_PERMISSIONS TO ROLE R_T_CLOE_PERMISSIONS;