Table: snowflake_account_grant - Query Snowflake Account Grants using SQL
Snowflake Account Grants are resources within Snowflake that allow you to manage and monitor permissions granted at the account level. These permissions can be granted to roles, users, or other entities within the Snowflake environment. The account grant includes details about the grantee, the granted on date, and the specific privilege granted.
Table Usage Guide
The snowflake_account_grant table provides insights into account-level permissions within Snowflake. As a Security Analyst, explore grant-specific details through this table, including the grantee name, granted on date, and privilege details. Utilize it to uncover information about permissions, such as who has been granted what privileges, when the privileges were granted, and the specifics of the privileges.
Examples
Basic info
Explore the details of your Snowflake account's access permissions to understand who has been granted what privileges, by whom, and when. This can help in maintaining security and compliance by ensuring appropriate access levels are maintained.
select name, privilege, grantee_name, granted_to, grant_option, created_on from snowflake_account_grant;
List privileges with the ACCOUNTADMIN role
Explore which privileges are associated with the account administrator role. This can be useful for understanding the level of access and permissions granted to this role within your Snowflake account.
select privilege, grant_option, created_on from snowflake_account_grant where grantee_name = 'ACCOUNTADMIN';
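An added example, not part of the plugin's own documentation: a review query over this table's columns that surfaces account-level grants held outside Snowflake's system-defined roles when the grant is re-grantable (grant_option) or covers a sensitive privilege. The privilege list and the excluded role names are assumptions to tune for your account, and the syntax is PostgreSQL as used by Steampipe.

```sql
-- Added example: account-level grants worth a manual review.
-- Assumption: the "sensitive" privilege list is illustrative, not exhaustive.
with sensitive as (
  select unnest(array[
    'MANAGE GRANTS', 'CREATE USER', 'CREATE ROLE',
    'CREATE INTEGRATION', 'CREATE NETWORK POLICY',
    'CREATE SHARE', 'IMPORT SHARE'
  ]) as privilege
)
select
  g.grantee_name,
  g.granted_to,
  g.privilege,
  g.grant_option,
  g.granted_by,
  g.created_on,
  case
    when g.grant_option and s.privilege is not null
      then 'sensitive privilege, re-grantable'
    when g.grant_option
      then 're-grantable'
    else 'sensitive privilege'
  end as finding
from
  snowflake_account_grant as g
  left join sensitive as s on s.privilege = g.privilege
where
  -- Assumption: these system-defined roles are expected to hold broad
  -- account privileges; everything else is reviewed.
  g.grantee_name not in
    ('ACCOUNTADMIN', 'SECURITYADMIN', 'USERADMIN', 'SYSADMIN', 'ORGADMIN')
  and (g.grant_option or s.privilege is not null)
order by
  -- Grants that are both sensitive and re-grantable come first,
  -- then the most recently created.
  (g.grant_option and s.privilege is not null) desc,
  g.created_on desc;
```

An empty result means no custom role holds a listed privilege or a re-grantable account-level privilege; any row returned should map to a documented reason for that role's access.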
Schema for snowflake_account_grant
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form. |
account | text | =, !=, ~~, ~~*, !~~, !~~* | The Snowflake account ID. |
created_on | timestamp with time zone | | Date and time privilege was granted. |
grant_option | boolean | | If set to TRUE, the recipient role can grant the privilege to other roles. |
granted_by | text | | Name of the object that granted access on the role. |
granted_on | text | | Date and time when the access was granted. |
granted_to | text | | Type of the object. |
grantee_name | text | | Name of the object role has been granted. |
name | text | | An entity to which access can be granted. Unless allowed by a grant, access will be denied. |
privilege | text | | A defined level of access to an object. |
region | text | | The Snowflake region in which the account is located. |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | | Steampipe context in JSON form. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- snowflake
You can pass the configuration to the command with the --config argument:
steampipe_export_snowflake --config '<your_config>' snowflake_account_grant