Configure and test service endpoint privileges¶
Introduction¶
In Tutorial 1, you use the same role to create and test a service. The role that creates the service is the service’s owner role, so you’re able to communicate with the service using that role.
In this tutorial, you explore using a different role to communicate with the service.
You grant this role the USAGE privilege using a service role that you define in the service specification.
In this tutorial, you modify the Tutorial 1 as follows:
Create a new role that you will use to communicate with the service.
Modify the service specification as follows:
Define two endpoints, instead of just one endpoint. Note that the second endpoint is added only to demonstrate how endpoint permissions work.
Define a service role that is allowed to access only one of the two endpoints.
Grant the service role to the new role you created to allow access to one of the service endpoints.
Use the new role to communicate with the service endpoint.
Prepare¶
Follow Common Setup with the following modifications:
Complete the common setup steps.
Using the ACCOUNTADMIN role, execute the following script to create another role (
service_function_user_role
), replacinguser_name
with the name of your Snowflake user. After creating the echo service, you use this role to communicate with the service.USE ROLE ACCOUNTADMIN; CREATE ROLE service_function_user_role; GRANT ROLE service_function_user_role TO USER <user-name>; GRANT USAGE ON WAREHOUSE tutorial_warehouse TO ROLE service_function_user_role;
Follow Tutorial 1, steps 1 and 2, to build and upload an image to a repository in your account. Do not proceed with step 3 because you will create the service as part of this tutorial.
Create a service¶
To ensure you’re in the right context for the SQL statements in this step, execute the following:
USE ROLE test_role; USE DATABASE tutorial_db; USE SCHEMA data_schema; USE WAREHOUSE tutorial_warehouse;
To create the service, execute the following command using
test_role
(the service’s owner role).CREATE SERVICE echo_service IN COMPUTE POOL tutorial_compute_pool FROM SPECIFICATION $$ spec: containers: - name: echo image: /tutorial_db/data_schema/tutorial_repository/my_echo_service_image:latest env: SERVER_PORT: 8000 CHARACTER_NAME: Bob readinessProbe: port: 8000 path: /healthcheck endpoints: - name: echoendpoint port: 8000 public: true - name: echoendpoint2 port: 8002 public: true serviceRoles: - name: echoendpoint_role endpoints: - echoendpoint $$;
Per the inline specification, the
echo_service
exposes two public endpoints but the service role (echoendpoint_role
) grants USAGE privilege only on one of the endpoints.Verify the service is running.
SHOW SERVICES; SHOW SERVICE CONTAINERS IN SERVICE echo_service; DESCRIBE SERVICE echo_service;
Using
test_role
(the service’s owner role), grant the service role defined in the specification to the new role (service_function_user_role
) you created as part of the common setup. Also grant USAGE privileges on the database and the schema.USE ROLE test_role; USE DATABASE tutorial_db; USE SCHEMA data_schema; GRANT USAGE ON DATABASE tutorial_db TO ROLE service_function_user_role; GRANT USAGE ON SCHEMA data_schema TO ROLE service_function_user_role; GRANT SERVICE ROLE echo_service!echoendpoint_Role TO ROLE service_function_user_role;
This service role grants the
service_function_user_role
USAGE privilege on theechoendpoint
endpoint.To demonstrate that the service role name is case in-sensitive, the example uses the
echoendpoint_Role
role name.
Use the service¶
Create a service function to communicate with the service. You create a service function using the service_function_user_role
(not the service’s owner role) and use the service.
Create a service function.
USE ROLE service_function_user_role; CREATE OR REPLACE FUNCTION my_echo_udf_try1 (InputText VARCHAR) RETURNS varchar SERVICE=echo_service ENDPOINT=echoendpoint AS '/echo';
Try creating another service function that refers to the
echoservice2
endpoint for which the role has no access privilege. Therefore, the command should fail.CREATE OR REPLACE FUNCTION my_echo_udf_try2 (InputText varchar) RETURNS varchar SERVICE=echo_service ENDPOINT=echoendpoint2 AS '/echo';
Use the service function.
SELECT my_echo_udf_try1('Hello');
Clean up¶
To remove the resources you created, follow the steps in Tutorial 1 steps to clean up other resources created in Tutorial 1.
What’s next?¶
Now that you’ve completed this tutorial, you can return to Working with Services to explore other topics.