I often get asked about how to deploy a self-service sandbox environment within a Snowflake account. After answering this question many times around how it would work in theory, I finally decided to build a simple framework script that would build this out quickly within a customer's environment so anyone can easily deploy it. These self-service use cases usually have few requirements:
- A walled off secured area for users to upload, create, experiment with & manage their own data assets (tables, views, custom data formats , stages for uploading/storing raw data, Tasks, Snowpipes & etc.) where they can full control over their own space and the objects within it.
- To make sure anything that gets created in these sandbox schemas are only accessible to the creators themselves and to prevent users from directly sharing or granting access to these assets to other users. Enforcing a rule where any asset within the Sandbox that needs to be shared to others has to go through a central check point be done by a higher level admin to prevent wild wild west analytics(via Managed-Access Schemas)
- Sandbox users having read-only access to other governed and certified production datasets within the organization where they can join them to their experimental datasets for further analysis.
- A way to control the amount of content being stored within the sandbox environment by automatically deleting any unused content within X number of days. This is to prevent the sandbox from becoming a data swamp with a lot of stale & unused data taking up unnecessary storage space.
- Have cost controls & governance around the Sandbox environment where specific monthly or yearly cost limits are enforced to prevent any runaway costs. Essentially providing a Bring-Your-Own-Data & Self-Service analytics environment within a specific budget.
Below is the script that you can run which can quickly setup this environment. Feel free to make changes to entity names(roles & warehouses) as well as the monthly spending limits(in credits).
You can access the script & the details around what gets created & how it works via my GitHub page as the script may be updated in the future .
Senior Solutions Engineering Manager | AI Automation & Data Platforms | Driving Digital Transformation in Financial Services (EMEA / Global)
3yDuncan Beeby Christophe Mendonça James Hunt Andy Sanderson
GenAI Builder | Data Strategist | Cloud Architect | Tech Writer
3yAubrey Pool Fari Azad
GenAI Builder | Data Strategist | Cloud Architect | Tech Writer
3yCurrent approach automatically creates a custom role per sandbox user to limit their access to only their own schema & data. In this case, userA can't see userB's sandbox content. Another approach could be a shared sandbox environment where the single SANDBOX_ROLE can provide access to all user managed schemas within the SANDBOX_DB. This would eliminate individual custom roles per user and would allow all sandbox users to be able to see & use each others content.