-
Notifications
You must be signed in to change notification settings - Fork 180
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[ADAP-944] [Feature] Support secondary roles #803
Comments
Amazing to see that the feature I am looking for just now has been suggested merely 3 days ago... My use case is to be able to use dynamic data masking using the |
I would also like to see this feature added, as we have several teams using DBT and are implementing a Snowflake security model that will require the use of secondary roles. |
We'd love to see this feature as well. It's not ideal having a robust security model that takes advantage of secondary roles and pivoting to a less scalable workaround for adding new users to work in dbt in our transformation layer. |
My organization would also like this feature. |
IMO the way this should work is very similar to how dbt already supports I see I said this a while back: This requires us to fix two things in
|
Is this your first time submitting a feature request?
Describe the feature
This feature request is basically a re-opening of dbt-labs/dbt-core#449, but I thought I'd rephrase it slightly differently. It is also related to dbt-core dbt-labs/dbt-adapters#212.
It would be nice if dbt supported secondary roles for the Snowflake adapter. I'm imagining something like, in profiles.yml:
where
<value>
is something that can directly be pasted into the Snowflake querysuch as
none
,all
,role_name
, or a comma-separated list of role names.Describe alternatives you've considered
As a workaround, I've tried to use a pre-hook:
This almost works, but not quite for (at least) the following reasons:
dbt test
Who will this benefit?
Here is a use case that I think many people will be interested in.
dbt is great for easily switching environments with
--target
, and providing powerful tools like--defer
and state selection. This enables many projects to implement a CI/CD for their org's dbt projects, which include building the dbt project (probably with--defer --select state:modified+
) in an isolated "CI environment", say a dedicated databaseDBT_CI_TESTS
.In order for dbt to operate in
DBT_CI_TESTS
, a natural solution is to grant whichever role dbt is using RW privileges in that database. However this is not ideal because:DBT_CI_TESTS
during the CI tests, so that you have a strong guarantee that your prod environment won't be messed up.Secondary roles elegantly solve both these issues! Just put the usual role as the secondary role, and put as the primary role a dedicated role
DBT_CI_TESTS_RW
that only has RW access in DBT_CI_TESTS.Are you interested in contributing this feature?
Yes
Anything else?
No response
The text was updated successfully, but these errors were encountered: