Important: This feature is currently available in BETA.
This guide explains how to share a database and its objects with one or more accounts by creating a share. Currently, Keboola supports granting privileges directly to a share, specifically for tables, external tables, views, secure views, and secure materialized views. For further reference, consult the Snowflake documentation.
The process involves two roles:
As the producer, your role involves creating the share, adding the necessary database objects, and granting access to consumer accounts. Follow these steps to configure the share:
Use CREATE SHARE
to set up a share. Initially, the share is an empty container waiting for objects and accounts to be added.
CREATE SHARE <SHARE_NAME>;
Grant privileges using GRANT <privilege> ... TO SHARE
. You need to provide:
Example:
GRANT USAGE ON DATABASE <DATABASE_NAME> TO SHARE <SHARE_NAME>;
GRANT USAGE ON SCHEMA <DATABASE_NAME>.<SCHEMA_NAME> TO SHARE <SHARE_NAME>;
GRANT SELECT ON ALL TABLES IN DATABASE <DATABASE_NAME> TO SHARE <SHARE_NAME>;
GRANT SELECT ON ALL TABLES IN SCHEMA <DATABASE_NAME>.<SCHEMA_NAME> TO SHARE <SHARE_NAME>;
GRANT SELECT ON TABLE <DATABASE_NAME>.<SCHEMA_NAME>.<TABLE_NAME> TO SHARE <SHARE_NAME>;
To review object grants, use:
SHOW GRANTS TO SHARE <SHARE_NAME>;
Add one or more accounts to the share using ALTER SHARE
. To verify, use SHOW SHARES
.
ALTER SHARE <SHARE_NAME> ADD ACCOUNTS=<ACCOUNT_NAME>;
SHOW SHARES;
The share is now ready for consumption by the specified accounts. For detailed guidance, refer to Create and configure shares.
To use the shared data, follow these steps to create and configure a database from the provided share. Refer to the Snowflake documentation for more information.
To perform these tasks, use the ACCOUNTADMIN
role or a role with the IMPORT SHARE
global privilege. For more details, see Enable non-ACCOUNTADMIN roles to perform data sharing tasks.
Imported databases have the following restrictions:
Use the web interface or SQL to view available shares:
SHOW SHARES;
DESC SHARE <PRODUCER_ACCOUNT>.<SHARE_NAME>;
To consume shared data, create a database from the share:
CREATE DATABASE <CONSUMER_DATABASE_NAME> FROM SHARE <PRODUCER_ACCOUNT>.<SHARE_NAME>;
Keboola currently supports only shares with direct access to database objects. Shares with roles are not supported.
To allow users to access shared objects, grant the IMPORTED PRIVILEGES
privilege on the imported database to one or more roles in your account. A role can grant IMPORTED PRIVILEGES
only if it:
OWNERSHIP
privilege).MANAGE GRANTS
global privilege.Example:
GRANT IMPORTED PRIVILEGES ON DATABASE <CONSUMER_DATABASE_NAME> TO <KEBOOLA_PROJECT_ROLE>;
While sharing data can greatly enhance collaboration, certain object types and policies are not supported. Please keep the following limitations in mind:
You can now register the schema in the newly created database as an external dataset in Keboola, enabling seamless data integration. Use <CONSUMER_DATABASE_NAME>
as the database name and
the schema present in this database. When registering, don’t forget to check the Secure Data Share
checkbox.