Engineering & Admin
View

How to Grant Access

Onboarding someone to the RWD Snowflake accounts. Access is infrastructure-as-code: you don’t click around in Snowsight to create a user or hand out a role — you open a merge request and a Terraform apply provisions everything.

Onboarding a new user

1. Add the user to the Terraform config in accounts/rwd/{env}/teams/rwd/users.json for each environment:

users.json
{  "general_users": [    {      "display_name": "New User Name",      "email": "NEWUSER@NATERA.COM"    }  ]}

Rules: display_name is “First Last”; email is uppercase ending in @NATERA.COM.

2. Create an MR, get approval from another admin, and merge. CI/CD runs Terraform apply, creates the Snowflake user, and provisions the Okta SSO tile. 3. Assign roles in the RBAC YAML; 4. Run the RBAC engine:

bash
DOMAIN=rwd STAGE=production python -m access_control.rbac_utils.main --dry-run  # preview SQLDOMAIN=rwd STAGE=production python -m access_control.rbac_utils.main            # execute

Granting additional roles

For an existing user, skip the Terraform steps. Edit only the RBAC YAML (add the email under the role) and run the engine.

Creating service users

Add to users.json under the service_users section. If a vend_role is provided, Terraform creates a dedicated role and assigns it; otherwise the user receives PUBLIC only.

json
{  "service_users": [    {      "name": "MY_SERVICE_USER",      "vend_role": "MY_CUSTOM_ROLE",      "comment": "Description of what this service user does"    }  ]}

Key-pair authentication

For programmatic access, generate an RSA key pair:

bash
openssl genrsa 2048 | openssl pkcs8 -topk8 -inform PEM \  -out ~/.ssh/snowflake_rsa_key.p8 -nocryptopenssl rsa -in ~/.ssh/snowflake_rsa_key.p8 -pubout \  -out ~/.ssh/snowflake_rsa_key.pub

An admin then attaches the public key to the Snowflake user.