How to Grant Access
Onboarding someone to the RWD Snowflake accounts. Access is infrastructure-as-code: you don’t click around in Snowsight to create a user or hand out a role — you open a merge request and a Terraform apply provisions everything.
Onboarding a new user
1. Add the user to the Terraform config in accounts/rwd/{env}/teams/rwd/users.json for each environment:
{ "general_users": [ { "display_name": "New User Name", "email": "NEWUSER@NATERA.COM" } ]}Rules: display_name is “First Last”; email is uppercase ending in @NATERA.COM.
2. Create an MR, get approval from another admin, and merge. CI/CD runs Terraform apply, creates the Snowflake user, and provisions the Okta SSO tile. 3. Assign roles in the RBAC YAML; 4. Run the RBAC engine:
DOMAIN=rwd STAGE=production python -m access_control.rbac_utils.main --dry-run # preview SQLDOMAIN=rwd STAGE=production python -m access_control.rbac_utils.main # executeGranting additional roles
For an existing user, skip the Terraform steps. Edit only the RBAC YAML (add the email under the role) and run the engine.
Creating service users
Add to users.json under the service_users section. If a vend_role is provided, Terraform creates a dedicated role and assigns it; otherwise the user receives PUBLIC only.
{ "service_users": [ { "name": "MY_SERVICE_USER", "vend_role": "MY_CUSTOM_ROLE", "comment": "Description of what this service user does" } ]}Key-pair authentication
For programmatic access, generate an RSA key pair:
openssl genrsa 2048 | openssl pkcs8 -topk8 -inform PEM \ -out ~/.ssh/snowflake_rsa_key.p8 -nocryptopenssl rsa -in ~/.ssh/snowflake_rsa_key.p8 -pubout \ -out ~/.ssh/snowflake_rsa_key.pubAn admin then attaches the public key to the Snowflake user.