# How to Grant Access

Onboarding someone to the RWD Snowflake accounts. Access is infrastructure-as-code: you don’t click around in Snowsight to create a user or hand out a role — you open a merge request and a Terraform apply provisions everything.

> **Two files, one repo**
>
> Edits land in two places in the `ndp-account-request` repo: the user is declared in a Terraform `users.json` file, and role grants are declared in an RBAC YAML file that a separate engine reconciles against live Snowflake.

## Onboarding a new user

1. Add the user to the Terraform config in `accounts/rwd/{env}/teams/rwd/users.json` for each environment:

```json
{
  "general_users": [
    {
      "display_name": "New User Name",
      "email": "NEWUSER@NATERA.COM"
    }
  ]
}
```

Rules: `display_name` is “First Last”; `email` is uppercase ending in `@NATERA.COM`.

2. Create an MR, get approval from another admin, and merge. CI/CD runs Terraform apply, creates the Snowflake user, and provisions the Okta SSO tile. 3. Assign roles in the RBAC YAML; 4. Run the RBAC engine:

```bash
DOMAIN=rwd STAGE=production python -m access_control.rbac_utils.main --dry-run  # preview SQL
DOMAIN=rwd STAGE=production python -m access_control.rbac_utils.main            # execute
```

## Granting additional roles

For an existing user, skip the Terraform steps. Edit only the RBAC YAML (add the email under the role) and run the engine.

## Creating service users

Add to `users.json` under the `service_users` section. If a `vend_role` is provided, Terraform creates a dedicated role and assigns it; otherwise the user receives `PUBLIC` only.

```json
{
  "service_users": [
    {
      "name": "MY_SERVICE_USER",
      "vend_role": "MY_CUSTOM_ROLE",
      "comment": "Description of what this service user does"
    }
  ]
}
```

## Key-pair authentication

For programmatic access, generate an RSA key pair:

```bash
openssl genrsa 2048 | openssl pkcs8 -topk8 -inform PEM \
  -out ~/.ssh/snowflake_rsa_key.p8 -nocrypt
openssl rsa -in ~/.ssh/snowflake_rsa_key.p8 -pubout \
  -out ~/.ssh/snowflake_rsa_key.pub
```

An admin then attaches the public key to the Snowflake user.

> **Drift detection**
>
> Compare YAML-defined state against live Snowflake with `--drift-only`; validate YAML structure without connecting using `python -m access_control.rbac_utils.yaml_validation`.
