Service Accounts
Using Service Accounts#
Jobs in Datameer always run with an associated Environment which defines how the Job can interact with Snowflake including:
- the Snowflake User identity (including credentials)
- the Snowflake Role
- the Snowflake Warehouse
In situations where it is desired to use shared identities to execute workloads, Administrators can set up a Service Account in Datameer. This allows end users to create and execute jobs in an environment without having to share credentials with the end user.
Job Service Account vs Single User Snowflake Connection
Note that the Service Account entities within the Jobs module are not related to the main connection used in Single User mode. However, the same Snowflake user identity can be used as the Single User connection and as a Service Acccount. In general, the intention is for Job Service Accounts to be reusable identities that allow users to operationalize Jobs in a protected environment where it is not desired to share credentials with the end users. This is a separate concern from Single User mode.
Sharing Model#
Service Accounts can only be created by a Datameer Admin user and then become available for use in creating Environments.
Access to Environments is controlled based on the end user's current Snowflake Role. Only Datameer users that have been authenticated to Snowflake and are using the role defined in an environment can execute jobs or manipulate that environment.
Throughout the Jobs module, all access is filtered via this mechanism, so end user access to Job Environments is wholly controlled by Snowflake Role Based Access Control (RBAC) and can be managed entirely within Snowflake.
Creating Service Accounts#
To create a new Service Account:
-
Click on "+ Create new service account...". The dialog 'Create New Service Account' opens.
-
Enter the Snowflake username and the Snowflake password to use for the Service Account.
-
Enter a Name and Description that explains the purpose of the Service Account.
-
Confirm your configuration with "Apply".
Editing Service Accounts#
To edit an existing Service Account:
-
Select the Service Account and Click on "+ Edit account..." button in the Inspector.
-
Update the configuration.
-
Confirm your configuration with "Apply".
Deleting a Service Account#
To delete a existing Service Account:
-
Select the Service Account and Click on "+ Delete account..." button in the Inspector.
-
Confirm your deletion with long press on the Delete Service Account button.
Using a Service Account in an Environment#
-
Select the "Service Account" radio button and select the desired account from the list.