turbot/snowflake
steampipe plugin install snowflake

Table: snowflake_account_grant - Query Snowflake Account Grants using SQL

Snowflake Account Grants are resources within Snowflake that allow you to manage and monitor permissions granted at the account level. These permissions can be granted to roles, users, or other entities within the Snowflake environment. The account grant includes details about the grantee, the granted on date, and the specific privilege granted.

Table Usage Guide

The snowflake_account_grant table provides insights into account-level permissions within Snowflake. As a Security Analyst, explore grant-specific details through this table, including the grantee name, granted on date, and privilege details. Utilize it to uncover information about permissions, such as who has been granted what privileges, when the privileges were granted, and the specifics of the privileges.

Examples

Basic info

Explore the details of your Snowflake account's access permissions to understand who has been granted what privileges, by whom, and when. This can help in maintaining security and compliance by ensuring appropriate access levels are maintained.

select
name,
privilege,
grantee_name,
granted_to,
grant_option,
created_on
from
snowflake_account_grant;

List privileges with the ACCOUNTADMIN role

Explore which privileges are associated with the account administrator role. This can be useful for understanding the level of access and permissions granted to this role within your Snowflake account.

select
privilege,
grant_option,
created_on
from
snowflake_account_grant
where
grantee_name = 'ACCOUNTADMIN';
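
The following query is an added example, not part of the plugin's own documentation. It lists account-level privileges that can change access control when they are held by anything other than Snowflake's built-in administrative roles, and marks the grants that the grantee can pass on. The privilege list and the role allow-list are assumptions to adjust for your account; the query uses only columns from this table's schema and is written for Steampipe's Postgres engine.

```sql
-- Added example (not from the plugin docs).
-- Assumption: these three global privileges are the ones treated as sensitive.
-- Assumption: the four built-in system roles are expected to hold them.
with sensitive as (
  select
    grantee_name,
    granted_to,
    privilege,
    grant_option,
    granted_by,
    created_on
  from
    snowflake_account_grant
  where
    privilege in ('MANAGE GRANTS', 'CREATE USER', 'CREATE ROLE')
    and grantee_name not in ('ACCOUNTADMIN', 'SECURITYADMIN', 'USERADMIN', 'SYSADMIN')
)
select
  grantee_name,
  granted_to,
  privilege,
  granted_by,
  created_on,
  -- grant_option = true means the grantee can grant the privilege to other roles
  case
    when grant_option then 'delegable'
    else 'not delegable'
  end as delegation
from
  sensitive
order by
  grant_option desc,  -- delegable grants first
  created_on desc;    -- newest grants first
```

An empty result means the selected privileges are held only by the allow-listed roles.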

Schema for snowflake_account_grant

| Name | Type | Operators | Description |
|------|------|-----------|-------------|
| _ctx | jsonb | | Steampipe context in JSON form, e.g. connection_name. |
| account | text | | The Snowflake account ID. |
| created_on | timestamp with time zone | | Date and time privilege was granted. |
| grant_option | boolean | | If set to TRUE, the recipient role can grant the privilege to other roles. |
| granted_by | text | | Name of the object that granted access on the role. |
| granted_on | text | | Date and time when the access was granted. |
| granted_to | text | | Type of the object. |
| grantee_name | text | | Name of the object role has been granted. |
| name | text | | An entity to which access can be granted. Unless allowed by a grant, access will be denied. |
| privilege | text | | A defined level of access to an object. |
| region | text | | The Snowflake region in which the account is located. |

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- snowflake

You can pass the configuration to the command with the --config argument:

steampipe_export_snowflake --config '<your_config>' snowflake_account_grant