Convoluted way of permissions for streamlit app when deploying making it (near) unusable
Closed this issue · 5 comments
Description
I would like the streamlit app permissions to be able to be set a lot easier, directly after deploying the streamlit app. This can be done for example by a snowSQL query assigning permissions, or by having FUTURE GRANTS supported for streamlit apps. That way I can give the users who will be deploying the streamlit app also the access to view the streamlit app (from another role that is more widely accessible), and assign those permissions in an automated way without having to use an admin role in automations.
I tried to set FUTURE GRANTS on the streamlit schema so all streamlit apps in there could be viewed by a designated role, but that isn't supported. An additional difficulty is that redeploying a streamlit app (streamlit deploy --replace) resets the permissions on that app, even though the name of the streamlit app is the exact same.
This is how I deploy a streamilt app as part of a make target:
snow streamlit deploy \
--temporary-connection \
--replace \
--account $(SNOWFLAKE_ACCOUNT).$(SNOWFLAKE_REGION) \
--schema $(SNOWFLAKE_SCHEMA_STREAMLIT) \
--role $($(DBT_TARGET_UPPER)_SNOWFLAKE_ROLE_STREAMLIT) \
$(ECHO) "GRANT USAGE on STREAMLIT $($(DBT_TARGET_UPPER)_SNOWFLAKE_DATABASE).$(SNOWFLAKE_SCHEMA_STREAMLIT).$* to ROLE \
$(SNOWFLAKE_ROLE);" | snowflake-execute
With snowflake-execute being a script that sends queries to snowflake. This doesn't work because the role I use for the deployment is not the owner of the schema, the admin account is, and I don't want to use that in automations for obvious reasons.
Context
I want to use streamlit internally in a federated snowflake spaces setup, in order to give the different teams in the different spaces the capability to create streamlit apps, deploy them to snowflake, and send a query to snowflake to assign the permissions to view that streamlit app to different roles. As of now, that can only be done by the schema owner as we have managed access on the schema where we want the streamlit app to live, and that is a role we don't want to use in the automated deploy process for streamlit.
I really want this streamlit capability to work well, because I see the usefulness of it, and so do the analysts in our company. I just wish the permissions handling would be a lot better.
Hi @RobindeGrootNL, we have snow streamlit share command https://docs.snowflake.com/en/developer-guide/snowflake-cli-v2/streamlit-apps/manage-apps/share-app . Does this solve your problem or do you need something else?
@sfc-gh-astus Thank you for your quick response! I'll have a look at that! I'll update here in the near future how that went!
Unfortunately I am getting the following error, so I am afraid that the snow streamlit share feature does not support my environment.
SQL execution error: Not authorized in a managed access schema. Use the schema owner role or a role with the MANAGE GRANTS privilege.
As I don't want to use the admin account in CI/CD pipelines, I am afraid that this doesn't fix my problem. I'm starting to think that support for FUTURE GRANTS for streamlit apps might be the only way to get streamlit to work the way I want it to :(. I see that the share command just runs the following query: f"grant usage on streamlit {streamlit_name} to role {to_role}"
You could create schema dedicated for streamlit apps and give privileges to grant usage on streamlits. It will not require an admin account.
Unfortunately, there is no other way.
@sfc-gh-astus We have a schema where the streamlit app(s) will live, as well as their stage(s). We define all schemas with manage grants, so only the schema owner has the privileges to grant the usage on the created streamlit apps. The owner of all our schemas is a space admin role (and user) that we do not want to have the credentials in the CI pipeline for. I think that means that we probably have to find another way around this, or look into a different dashboard solution. Thank you very much for the responses and the help! 🙌