You create a storage integration, tell us what service account your GCP Snowflake uses, create a database role with permissions, create a user for us, and we're off to the races.

Storage integration and associated service account

We need to know the GCP service account that your Snowflake instance uses to write to Google Cloud Storage for export. First, set us up an integration:

CREATE STORAGE INTEGRATION fdy_gcs_integration
TYPE = EXTERNAL_STAGE
STORAGE_PROVIDER = GCS
ENABLED = TRUE
STORAGE_ALLOWED_LOCATIONS = ('*')

Then, determine its service account like this:

DESC STORAGE INTEGRATION fdy_gcs_integration;

Look for STORAGE_GCP_SERVICE_ACCOUNT. What we need is something that looks like this:

service-account-id@project1-123456.iam.gserviceaccount.com

Database role

We need a database role with various permissions:

CREATE ROLE faraday_read_only;

GRANT USAGE
ON INTEGRATION fdy_gcs_integration
TO ROLE faraday_read_only;

GRANT USAGE
ON WAREHOUSE my_warehouse
TO ROLE faraday_read_only;

GRANT USAGE
ON DATABASE my_database
TO ROLE faraday_read_only;

GRANT USAGE
ON SCHEMA my_database.my_schema
TO ROLE faraday_read_only;

GRANT SELECT
ON ALL TABLES IN SCHEMA my_database.my_schema
TO ROLE faraday_read_only;

Database user

We need a database user with keypair authentication using our public key:

CREATE USER faraday_read_only_user;

GRANT ROLE faraday_read_only TO USER faraday_read_only_user;

ALTER USER faraday_read_only_user SET RSA_PUBLIC_KEY='MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAveZjTXJEJzFSUqrw/U1u
OBEzdNXWf19AzcTl5r1UOyTOjC5iHhi3BFPE0oYwCdpo1aYmkJqunzzaMCHexS4T
TxStCfxpFwV2gjB2SvT+eIE6e3HM8uizuWv9ENYW8r5pGUkwsOcg9jQKm017IfUG
iSQeZkllX1ZZRxPb/pjim4uyWU49WNeF/hr0kIpd6I/r2Pph7UmOxbuTGpb9wkko
bsoevjGVjzlhQOFZc6roYMBVLXkGiJTVMHX9eKa/QRf1KQMmM5VwWaRGO7VUx6+r
pZHQvNXDfMaY3gErx5UsCq3xxhqTV07T4IuCP1C7vPIhn5/xJBxR/yv6x9hS/Czn
07IPhCL3WRFa2OMCeHwnw90J10aNqAJmWrMccbC6VIInK6Vv/rbpOYfhsI4Wu9PJ
Ia6cm4g1kv2Mz7m7VhHpZAVIPKLxg0E7bsNQjx+XxfSV3dyq2kblKs+Ki5J2JUFw
hhMKTGiEDO2rxbnqKAiOEUlFpi9RbS+lWep+rREvj0XTE3f4rV+i3JdgeyACJ+Ua
uqCaVbmFPWtKca7D1bSwBnvf6TURSK2FLhHFC80NRMNXi3fkakL8y7XrmVBttzg3
wdVq+g/+DtYsmtb/Z+pcm1joGsLt3lyKUc6/w/1fbZi+svDhW2E7JvijuBmNgSSO
Q3Zs5aVfZyX2Hn/b35UmZtUCAwEAAQ==';

Did this answer your question?