The creation of a dedicated Shadowfax role in the Snowflake account aims to limit the compute warehouse that can be used by the agent, limit the scope of data that can be read by the agent, and allow the agent to create objects inside its own sandbox database.
First, create the SHADOWFAX role and transfer its ownership to the sysadmin role:
CREATE ROLE IF NOT EXISTS SHADOWFAX COMMENT = "Shadowfax AI data engineer";
GRANT OWNERSHIP ON ROLE SHADOWFAX TO SYSADMIN COPY CURRENT GRANTS;Create a dedicated database for the Shadowfax agent's development environment:
CREATE DATABASE IF NOT EXISTS SHADOWFAX;
GRANT OWNERSHIP ON DATABASE SHADOWFAX TO SHADOWFAX COPY CURRENT GRANTS;
GRANT OWNERSHIP ON SCHEMA SHADOWFAX.PUBLIC TO SHADOWFAX COPY CURRENT GRANTS;Assign a minimal extra small warehouse with optimized auto suspend settings:
CREATE WAREHOUSE IF NOT EXISTS SHADOWFAX_WH WAREHOUSE_SIZE = 'XSMALL'
AUTO_SUSPEND = 30 AUTO_RESUME = TRUE;
GRANT USAGE ON WAREHOUSE SHADOWFAX_WH TO SHADOWFAX;For each source database containing relevant data, grant read-only permissions:
# Allow Shadowfax to see the source database
GRANT USAGE ON DATABASE "<database>" TO SHADOWFAX;
# Allow Shadowfax to see source data schemas
GRANT USAGE ON SCHEMA "<database>"."<source_schema>" TO SHADOWFAX;
# Allow Shadowfax to see source schema tables and views
GRANT SELECT ON ALL TABLES IN SCHEMA "<database>"."<source_schema>" TO SHADOWFAX;
GRANT SELECT ON FUTURE TABLES IN SCHEMA "<database>"."<source_schema>" TO SHADOWFAX;
GRANT SELECT ON ALL VIEWS IN SCHEMA "<database>"."<source_schema>" TO SHADOWFAX;
GRANT SELECT ON FUTURE VIEWS IN SCHEMA "<database>"."<source_schema>" TO SHADOWFAX;Finally, grant the Shadowfax role to either the service account user or an OAuth user:
GRANT ROLE SHADOWFAX TO USER <SHADOWFAX_SERVICE_USER>;