When importing a resource, for example by running $ terraform import snowflake_user.<username> <USERNAME>, it does not appear to honor the role used in the resource's provider.
Steps to Reproduce
Create a user in Snowflake:
USE ROLE "SECURITYADMIN";
CREATE USER CANNOTIMPORTME PASSWORD = '<password goes here>';
Create a Terraform file with a provider alias using the appropriate role:
# main.tf
provider "snowflake" {
  version = "~> 0.10"
  account = "<account name here>"
  role    = "SYSADMIN"
}

provider "snowflake" {
  alias   = "securityadmin"
  version = "~> 0.10"
  account = "<account name here>"
  role    = "SECURITYADMIN"
}

resource "snowflake_user" "cannot_import_me" {
  provider          = "snowflake.securityadmin"
  name              = "CANNOTIMPORTME"
  default_role      = "${snowflake_role.<roleresource>.name}"
  default_warehouse = "${snowflake_warehouse.<warehouseresource>.name}"
  default_namespace = "${snowflake_database.<databaseresource>.name}"
  comment           = "something something"
}
(do the usual Terraform setup, install the provider plugin, terraform init, etc.)
Import the user:
$ terraform import snowflake_user.cannot_import_me CANNOTIMPORTME
snowflake_user.cannot_import_me: Importing from ID "CANNOTIMPORTME"...
snowflake_user.cannot_import_me: Import complete!
Imported snowflake_user (ID: CANNOTIMPORTME)
snowflake_user.cannot_import_me: Refreshing state... (ID: CANNOTIMPORTME)
Error: snowflake_user.cannot_import_me (import id: CANNOTIMPORTME): 1 error occurred:
* import snowflake_user.cannot_import_me result: CANNOTIMPORTME: snowflake_user.cannot_import_me: 003001 (42501): SQL access control error:
Insufficient privileges to operate on account '<account name goes here>'
Attempts to Resolve
The error "Insufficient privileges to operate on account" occurs because the user is owned by SECURITYADMIN, and terraform import is using the main snowflake provider, not the aliased provider snowflake.securityadmin.
I tried setting the environment variable export SNOWFLAKE_ROLE=SECURITYADMIN but it made no difference.
I tried changing my snowsql config role to SECURITYADMIN and it made no difference.
I tried changing the role of the main provider, and it imported successfully:
provider "snowflake" {
  version = "~> 0.10"
  account = "<account name here>"
  role    = "SECURITYADMIN"
}
Next Steps
Given the way the Snowflake provider encapsulates the role used to connect, it is something unique to the Snowflake provider and not Terraform generally.
What role do you recommend using in the main provider? It feels like ACCOUNTADMIN is too privileged for Terraform use.
@davehowell As far as I can tell, this is a limitation of Terraform itself. This issue seems to indicate this is true and that you should supply the -provider argument to terraform import to work around it.