Requesting Access

If you haven't already installed the Snowflake integration, start there.

Snowflake

Requesting from Slack

We'll start by requesting access in Snowflake via the p0 Slack Bot. If you haven't yet installed the Slack integration in your workspace, please do that first.

Slack

Once you've installed the Slack integration in your p0 app, you'll be able to make requests and approve/deny them directly inside of Slack.

Type /p0 request in Slack or use the "+" button and locate the p0 bot ("Request access with p0Bot"). This will pop up a modal. Choose Snowflake from the Resource type to continue.

Requesting an existing role in Snowflake

If you select "Role" from the "Access Type" dropdown, you should see this screen:

If you are unable to get to this screen, make sure you are added to Snowflake as a user (using the same email address as your Slack account).

From here, you just need to fill in this form in order to request access:

  1. Role name: the name of the role you want.

  2. User name: specify the user to grant this role to (if there is more than one user under your email address).

  3. Reason: Tell the approvers why you need access. This info stays in p0 only.

Requesting specific query access in Snowflake

If you select "SQL Query" from the "Access Type" dropdown, you'll see this screen. This is how you can request access to run specific queries on one or more tables.

  1. Query: enter the commands you want to run. You can include multiple commands if needed.

  2. You must either use fully-qualified table names or fill in the two optional fields: default database and default schema. These defaults will be used wherever you use a non-qualified name, but you can also mix in fully-qualified names for other commands.

  3. You will need to fill in the warehouse as well, unless you've configured a default warehouse in the p0 web app integrations page.

  4. Reason: Tell the approvers why you need access. This info stays in p0 only.

  5. User name: specify the user to grant this role to (if there is more than one user under your email address).

  6. You can only read or write data to existing tables. You can't create new tables or new databases. You also cannot execute a "truncate" command (delete all the rows in a table).
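A rough pre-submission check for the Query field rules above, as an added example that is not part of p0 or its documentation. The function `precheck`, its parameters and the sample table names are hypothetical, and treating only three-part `database.schema.table` names as fully qualified is an assumption.

```python
import re

# Statement kinds the list above says a query request cannot include.
FORBIDDEN = {
    "truncate": re.compile(r"^\s*truncate\b", re.I),
    "create table": re.compile(
        r"^\s*create\s+(or\s+replace\s+)?((temporary|temp|transient)\s+)?table\b", re.I),
    "create database": re.compile(
        r"^\s*create\s+(or\s+replace\s+)?(transient\s+)?database\b", re.I),
}

# Names that follow FROM / JOIN / INTO / UPDATE. This is a heuristic, not a SQL
# parser: quoted identifiers are skipped and EXTRACT(... FROM col) is misread.
TABLE_REF = re.compile(
    r"\b(?:from|join|into|update)\s+([A-Za-z_][\w$]*(?:\.[A-Za-z_][\w$]*)*)", re.I)


def precheck(query, default_database=None, default_schema=None):
    """Return a list of problems to fix before pasting `query` into the form."""
    problems = []
    # Naive split: a semicolon inside a string literal would split wrongly.
    statements = [s.strip() for s in query.split(";") if s.strip()]
    for stmt in statements:
        for kind, pattern in FORBIDDEN.items():
            if pattern.search(stmt):
                problems.append(f"not allowed: {kind}")
        for name in TABLE_REF.findall(stmt):
            if name.count(".") == 2:
                continue  # assumed fully qualified: database.schema.table
            if not (default_database and default_schema):
                problems.append(
                    f"unqualified table '{name}' needs default database and schema")
    return problems


if __name__ == "__main__":
    # Constructed sample request: one qualified name, one unqualified name.
    sample = "SELECT * FROM analytics.public.orders; DELETE FROM staging WHERE id = 1"
    print(precheck(sample))
    print(precheck(sample, "ANALYTICS", "PUBLIC"))
    print(precheck("TRUNCATE TABLE analytics.public.orders"))
```
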

What happens next

Once you make the request, you should get a Slack message from the p0 bot showing your request. There will also be a message to the approvers in the Slack channel designated by your org admin, requesting access.

  1. If your request is approved, you'll get a message saying so. By the time you receive it, your access should already be provisioned, since approval and provisioning happen at the same time.

  2. If you are on-call (on a PagerDuty schedule), and your org admin has enabled PagerDuty routing, your access may be automatically approved for 1 hour.

  3. After your request is approved, there will be a "relinquish" button that lets you give up your permissions early if you finish what you wanted to do before the expiration date.

  4. If you wait for the access to expire, you will get a message that it has expired once it does.

  5. If your request is denied, you'll get a message letting you know.

Snowflake-specific next-steps

  1. If you requested access to a SQL query, you will get a statement to execute in Snowflake that will give you access to a new role. You need to execute this prior to your query.
