Managing Reader Accounts

Reader accounts (formerly known as “read-only accounts”) enable providers to share data with consumers who are not already Snowflake customers, without requiring the consumers to become Snowflake customers.

Note

All of the tasks described in this topic must be performed using the ACCOUNTADMIN role (or a role granted the CREATE ACCOUNT global privilege).

In this Topic:

Overview

A reader account enables data consumers to access and query data shared by the provider of the account, with no setup or usage costs for the consumer, and no requirements for the consumer to sign a licensing agreement with Snowflake.

The reader account is created, owned, and managed by the provider account, which assumes all responsibility for credit charges incurred by users in the reader account.

What is Restricted/Allowed in a Reader Account?

A reader account is intended primarily for querying data shared by the provider of the account. Adding new data to the account and/or updating shared data in the account is not supported. As such, the following DML and DDL commands are not allowed:

All other operations are allowed.

Who Provides Support for a Reader Account?

Because a reader account does not have a licensing agreement with Snowflake, standard support services are not available to the general users in the account. Instead, as the provider of the account, you field questions and requests from users in the account and respond as appropriate.

If you are unable to directly answer their questions or resolve their requests/issues, you can open a Snowflake Customer Support ticket through the normal channels (as outlined in your support agreement). Once a response has been provided by Snowflake Customer Support, you then communicate the information back to the appropriate users in the reader account.

Reader Account DDL

To enable creating and managing reader accounts, Snowflake provides a first-class object, MANAGED ACCOUNT, that supports the following DDL commands:

Enabling Other Roles to Create and Manage Reader Accounts

By default, only users with the ACCOUNTADMIN role can create reader accounts and therefore, as the owner of the account, manage the accounts. To support delegating these tasks to other users, the CREATE ACCOUNT global privilege can be granted to other roles (system-defined or custom). Then, users with the role can create reader accounts and perform all tasks associated with managing the accounts created using the role.

For example, to grant the privilege to the SYSADMIN role:

USE ROLE ACCOUNTADMIN;

GRANT CREATE ACCOUNT ON ACCOUNT TO ROLE SYSADMIN;

Creating a Reader Account

To create a reader account, use the ACCOUNTADMIN role (or a role granted the CREATE ACCOUNT global privilege) and the CREATE MANAGED ACCOUNT command.

In the command, specify the identifier for the account and the user who will serve as the administrator for the account. For example:

USE ROLE ACCOUNTADMIN;

CREATE MANAGED ACCOUNT reader_acct1
    ADMIN_NAME = user1 , ADMIN_PASSWORD = 'Sdfed43da!44' ,
    TYPE = READER;

+-------------------------------------------------------------------------------+
| status                                                                        |
|-------------------------------------------------------------------------------|
| {"accountName":"RE47190","loginUrl":"https://re47190.snowflakecomputing.com"} |
+-------------------------------------------------------------------------------+

Note:

  • The identifier specified for the reader account (reader_acct1 in this example) is not the name used to access the account. The account name, also known as the locator, is generated by Snowflake during account creation (RE47190 in this example).
  • The reader account utilizes the same Snowflake Edition as the provider account and is created in the same Snowflake Region.
  • By default, the total number of reader accounts a provider can create is 20. If you reach the limit and require creating additional accounts, please contact Snowflake Support.

Important

After creating a reader account, the following additional tasks must be performed before the account is ready to use:

  1. Add the account to one or more shares so that the objects in the shares (databases, schemas, tables, secure views, etc.) can be shared with the account.
  2. Configure the account.

Dropping a Reader Account

To drop a reader account, use the DROP MANAGED ACCOUNT command. For example:

USE ROLE ACCOUNTADMIN;

DROP MANAGED ACCOUNT reader_acct1;

Attention

Dropping a reader account drops all the objects created in the account and immediately restricts all access to the account. It also removes the account from your total number of reader accounts.

This operation can not be undone. Before you drop a reader account, please take this into consideration.

Viewing Reader Accounts

To view all the reader accounts that have been created for your account, use the SHOW MANAGED ACCOUNTS command. For example:

USE ROLE ACCOUNTADMIN;

SHOW MANAGED ACCOUNTS;

This command can be used to monitor the total number of reader accounts for your account. If the total number reaches the limit (20), you may need to drop some accounts or contact Snowflake Support to request the limit be increased.

In addition, you can use the views in the READER_ACCOUNT_USAGE schema (in the SNOWFLAKE shared database) to view information about the reader accounts created for your account. For more details, see Account Usage.