skip to Main Content

Working on creating a native application using Snowpark container service. I have created an application package and application.

When I am trying to open the service endpoint – app-url.snowflakecomputing.app it gives the below error –

Access denied. Insufficient privileges to use app-url.

The setup script as follow which creates a compute pool and service.

CREATE APPLICATION ROLE IF NOT EXISTS iqr_user;

CREATE SCHEMA IF NOT EXISTS core;
GRANT USAGE ON SCHEMA core TO APPLICATION ROLE iqr_user;

CREATE OR ALTER VERSIONED SCHEMA app_public;
GRANT USAGE ON SCHEMA app_public TO APPLICATION ROLE iqr_user;

-- Start App

CREATE OR REPLACE PROCEDURE app_public.start_app()
    RETURNS string
    LANGUAGE sql
    AS $$
BEGIN

    LET pool_name := (SELECT CURRENT_DATABASE()) || '_compute_pool';

   CREATE COMPUTE POOL IF NOT EXISTS IDENTIFIER(:pool_name)
      MIN_NODES = 1
      MAX_NODES = 1
      INSTANCE_FAMILY = CPU_X64_XS
      AUTO_RESUME = true;

   CREATE SERVICE IF NOT EXISTS core.iqr_service
    IN COMPUTE POOL identifier(:pool_name)
    FROM SPECIFICATION_FILE='service.yml';

    GRANT USAGE ON SERVICE core.iqr_service TO APPLICATION ROLE iqr_user;

RETURN 'Service started. Check status, and when ready, get URL';
END;
$$;

GRANT USAGE ON PROCEDURE app_public.start_app() TO APPLICATION ROLE iqr_user;

What is the missing privilege that needs to be granted in order to fix this?

2

Answers


  1. Chosen as BEST ANSWER

    Found a solution for this. Create a service role in the service.yml file and grant the service role in the setup script to the application role.

    There is a default service role available as well.

    spec:
      containers:
        - name: iq
          image: /insta_spcs_db/app_schema/repo_stage/iqr_app_image
      endpoints:
        - name: iq
          port: 8501
          public: true
    serviceRoles:
        - name: iq_service_role
          endpoints:
          - iq
    

    setup script -

    CREATE OR REPLACE PROCEDURE app_public.grant_callback(privileges array)
        RETURNS string
        LANGUAGE sql
        AS $$
    BEGIN
    
        EXECUTE IMMEDIATE 'CREATE SERVICE IF NOT EXISTS core.iqr_service
        IN COMPUTE POOL iq_app_cp
        FROM SPECIFICATION_FILE=''' || '/service.yml' || '''
        QUERY_WAREHOUSE=iq_app_wh';
    
        GRANT USAGE ON SERVICE core.iqr_service TO APPLICATION ROLE iqr_user;
        GRANT SERVICE ROLE core.iqr_service!iq_service_role TO APPLICATION ROLE iqr_user; 
    
    RETURN 'Resources Created. Service started. Check status, and when ready, get URL';
    END;
    $$;
    
    GRANT USAGE ON PROCEDURE app_public.grant_callback(array) TO APPLICATION ROLE iqr_user;
    

  2. I have the exact same issue. A service I create outside of the app works, but not the one inside the app. Does anybody have a solution for it? Or a way to debug this?

    Login or Signup to reply.
Please signup or login to give your own answer.
Back To Top
Search