Snowflake Grant API
The Snowflake Grant API is a REST API that you can use to show or manage privileges that have been provided to users and roles in a Snowflake database.
OpenAPI Specification
openapi: 3.0.0
servers:
- description: Snowflake REST Server
url: https://org-account.snowflakecomputing.com
info:
version: 0.0.1
title: Snowflake Grant API
description: The Snowflake Grant API is a REST API that you can use to show or manage privileges that have been provided to users and roles in a Snowflake database.
contact:
name: Snowflake, Inc.
url: https://snowflake.com
email: support@snowflake.com
paths:
/api/v2/grants/{granteeType}/{granteeName}/{securableType}/{securableName}/privileges:
post:
summary: Grant the Specified Privilege(s) on the Named Securable to the Named Grantee.
description: Endpoint to indicate that the privileges listed in the request body should be granted.
operationId: grantPrivilege
deprecated: true
tags:
- grant
parameters:
- $ref: '#/components/parameters/granteeType'
- $ref: '#/components/parameters/granteeName'
- $ref: '#/components/parameters/securableType'
- $ref: '#/components/parameters/securableName'
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/Grant'
examples:
GrantprivilegeRequestExample:
summary: Default grantPrivilege request
x-microcks-default: true
value:
privileges:
- example_value
grant_option: true
created_on: '2026-01-15T10:30:00Z'
grantee_type: example_value
grantee_name: example_value
securable_type: example_value
securable_name: example_value
granted_by_role_type: example_value
granted_by_name: example_value
responses:
'200':
$ref: common.yaml#/components/responses/200SuccessResponse
'202':
$ref: common.yaml#/components/responses/202SuccessAcceptedResponse
'400':
$ref: common.yaml#/components/responses/400BadRequest
'401':
$ref: common.yaml#/components/responses/401Unauthorized
'403':
$ref: common.yaml#/components/responses/403Forbidden
'404':
$ref: common.yaml#/components/responses/404NotFound
'405':
$ref: common.yaml#/components/responses/405MethodNotAllowed
'408':
$ref: common.yaml#/components/responses/408RequestTimeout
'409':
$ref: common.yaml#/components/responses/409Conflict
'410':
$ref: common.yaml#/components/responses/410Gone
'429':
$ref: common.yaml#/components/responses/429LimitExceeded
'500':
$ref: common.yaml#/components/responses/500InternalServerError
'503':
$ref: common.yaml#/components/responses/503ServiceUnavailable
'504':
$ref: common.yaml#/components/responses/504GatewayTimeout
x-microcks-operation:
delay: 0
dispatcher: FALLBACK
/api/v2/grants/{granteeType}/{granteeName}/{bulkGrantType}/{securableTypePlural}/{scopeType}/{scopeName}/privileges:
post:
summary: Grant the Specified Privilege(s) on All/future (as Specified by Bulkgranttype) Securables of This Type in a Given Scope to the Named Grantee.
description: Endpoint to indicate that the privileges listed in the request body should be granted to all securables of this type in the given scope.
operationId: grantGroupPrivilege
deprecated: true
tags:
- grant
parameters:
- $ref: '#/components/parameters/granteeType'
- $ref: '#/components/parameters/granteeName'
- $ref: '#/components/parameters/bulkGrantType'
- $ref: '#/components/parameters/securableTypePlural'
- $ref: '#/components/parameters/scopeType'
- $ref: '#/components/parameters/scopeName'
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/Grant'
examples:
GrantgroupprivilegeRequestExample:
summary: Default grantGroupPrivilege request
x-microcks-default: true
value:
privileges:
- example_value
grant_option: true
created_on: '2026-01-15T10:30:00Z'
grantee_type: example_value
grantee_name: example_value
securable_type: example_value
securable_name: example_value
granted_by_role_type: example_value
granted_by_name: example_value
responses:
'200':
$ref: common.yaml#/components/responses/200SuccessResponse
'202':
$ref: common.yaml#/components/responses/202SuccessAcceptedResponse
'400':
$ref: common.yaml#/components/responses/400BadRequest
'401':
$ref: common.yaml#/components/responses/401Unauthorized
'403':
$ref: common.yaml#/components/responses/403Forbidden
'404':
$ref: common.yaml#/components/responses/404NotFound
'405':
$ref: common.yaml#/components/responses/405MethodNotAllowed
'408':
$ref: common.yaml#/components/responses/408RequestTimeout
'409':
$ref: common.yaml#/components/responses/409Conflict
'410':
$ref: common.yaml#/components/responses/410Gone
'429':
$ref: common.yaml#/components/responses/429LimitExceeded
'500':
$ref: common.yaml#/components/responses/500InternalServerError
'503':
$ref: common.yaml#/components/responses/503ServiceUnavailable
'504':
$ref: common.yaml#/components/responses/504GatewayTimeout
x-microcks-operation:
delay: 0
dispatcher: FALLBACK
/api/v2/grants/{granteeType}/{granteeName}/{securableType}/{securableName}/privileges/{privilege}:
delete:
summary: Revoke the Specified Privilege on the Named Securable From the Named Grantee.
description: Endpoint to indicate that the privilege listed in the path should be revoked.
operationId: revokePrivilege
deprecated: true
tags:
- grant
parameters:
- $ref: '#/components/parameters/granteeType'
- $ref: '#/components/parameters/granteeName'
- $ref: '#/components/parameters/securableType'
- $ref: '#/components/parameters/securableName'
- $ref: '#/components/parameters/privilege'
- $ref: '#/components/parameters/deleteMode'
responses:
'200':
$ref: common.yaml#/components/responses/200SuccessResponse
'202':
$ref: common.yaml#/components/responses/202SuccessAcceptedResponse
'400':
$ref: common.yaml#/components/responses/400BadRequest
'401':
$ref: common.yaml#/components/responses/401Unauthorized
'403':
$ref: common.yaml#/components/responses/403Forbidden
'404':
$ref: common.yaml#/components/responses/404NotFound
'405':
$ref: common.yaml#/components/responses/405MethodNotAllowed
'408':
$ref: common.yaml#/components/responses/408RequestTimeout
'409':
$ref: common.yaml#/components/responses/409Conflict
'410':
$ref: common.yaml#/components/responses/410Gone
'429':
$ref: common.yaml#/components/responses/429LimitExceeded
'500':
$ref: common.yaml#/components/responses/500InternalServerError
'503':
$ref: common.yaml#/components/responses/503ServiceUnavailable
'504':
$ref: common.yaml#/components/responses/504GatewayTimeout
x-microcks-operation:
delay: 0
dispatcher: FALLBACK
/api/v2/grants/{granteeType}/{granteeName}/{securableType}/{securableName}/privileges/{privilege}/grant-option:
delete:
summary: Revoke the Grant Option for the Specified Privilege on the Named Securable From the Named Grantee.
description: Endpoint to indicate that the grant option for the privilege listed in the path should be revoked.
operationId: revokePrivilegeGrantOption
deprecated: true
tags:
- grant
parameters:
- $ref: '#/components/parameters/granteeType'
- $ref: '#/components/parameters/granteeName'
- $ref: '#/components/parameters/securableType'
- $ref: '#/components/parameters/securableName'
- $ref: '#/components/parameters/privilege'
- $ref: '#/components/parameters/deleteMode'
responses:
'200':
$ref: common.yaml#/components/responses/200SuccessResponse
'202':
$ref: common.yaml#/components/responses/202SuccessAcceptedResponse
'400':
$ref: common.yaml#/components/responses/400BadRequest
'401':
$ref: common.yaml#/components/responses/401Unauthorized
'403':
$ref: common.yaml#/components/responses/403Forbidden
'404':
$ref: common.yaml#/components/responses/404NotFound
'405':
$ref: common.yaml#/components/responses/405MethodNotAllowed
'408':
$ref: common.yaml#/components/responses/408RequestTimeout
'409':
$ref: common.yaml#/components/responses/409Conflict
'410':
$ref: common.yaml#/components/responses/410Gone
'429':
$ref: common.yaml#/components/responses/429LimitExceeded
'500':
$ref: common.yaml#/components/responses/500InternalServerError
'503':
$ref: common.yaml#/components/responses/503ServiceUnavailable
'504':
$ref: common.yaml#/components/responses/504GatewayTimeout
x-microcks-operation:
delay: 0
dispatcher: FALLBACK
? /api/v2/grants/{granteeType}/{granteeName}/{bulkGrantType}/{securableTypePlural}/{scopeType}/{scopeName}/privileges/{privilege}
: delete:
summary: Revoke the Specified Privilege on the Specified All/future Securable in the Given Scope From the Named Grantee.
description: Endpoint to indicate that the privilege listed on the group securable in the given scope should be revoked.
operationId: revokeGroupPrivilege
deprecated: true
tags:
- grant
parameters:
- $ref: '#/components/parameters/granteeType'
- $ref: '#/components/parameters/granteeName'
- $ref: '#/components/parameters/bulkGrantType'
- $ref: '#/components/parameters/securableTypePlural'
- $ref: '#/components/parameters/scopeType'
- $ref: '#/components/parameters/scopeName'
- $ref: '#/components/parameters/privilege'
- $ref: '#/components/parameters/deleteMode'
responses:
'200':
$ref: common.yaml#/components/responses/200SuccessResponse
'202':
$ref: common.yaml#/components/responses/202SuccessAcceptedResponse
'400':
$ref: common.yaml#/components/responses/400BadRequest
'401':
$ref: common.yaml#/components/responses/401Unauthorized
'403':
$ref: common.yaml#/components/responses/403Forbidden
'404':
$ref: common.yaml#/components/responses/404NotFound
'405':
$ref: common.yaml#/components/responses/405MethodNotAllowed
'408':
$ref: common.yaml#/components/responses/408RequestTimeout
'409':
$ref: common.yaml#/components/responses/409Conflict
'410':
$ref: common.yaml#/components/responses/410Gone
'429':
$ref: common.yaml#/components/responses/429LimitExceeded
'500':
$ref: common.yaml#/components/responses/500InternalServerError
'503':
$ref: common.yaml#/components/responses/503ServiceUnavailable
'504':
$ref: common.yaml#/components/responses/504GatewayTimeout
x-microcks-operation:
delay: 0
dispatcher: FALLBACK
? /api/v2/grants/{granteeType}/{granteeName}/{bulkGrantType}/{securableTypePlural}/{scopeType}/{scopeName}/privileges/{privilege}/grant-option
: delete:
summary: Revoke the Grant Option for the Specified Privilege on the Specified All/future Securable in the Given Scope From the Named Grantee.
description: Endpoint to indicate that the grant option for the privilege listed on the group securable in the given scope should be revoked.
operationId: revokeGroupPrivilegeGrantOption
deprecated: true
tags:
- grant
parameters:
- $ref: '#/components/parameters/granteeType'
- $ref: '#/components/parameters/granteeName'
- $ref: '#/components/parameters/bulkGrantType'
- $ref: '#/components/parameters/securableTypePlural'
- $ref: '#/components/parameters/scopeType'
- $ref: '#/components/parameters/scopeName'
- $ref: '#/components/parameters/privilege'
- $ref: '#/components/parameters/deleteMode'
responses:
'200':
$ref: common.yaml#/components/responses/200SuccessResponse
'202':
$ref: common.yaml#/components/responses/202SuccessAcceptedResponse
'400':
$ref: common.yaml#/components/responses/400BadRequest
'401':
$ref: common.yaml#/components/responses/401Unauthorized
'403':
$ref: common.yaml#/components/responses/403Forbidden
'404':
$ref: common.yaml#/components/responses/404NotFound
'405':
$ref: common.yaml#/components/responses/405MethodNotAllowed
'408':
$ref: common.yaml#/components/responses/408RequestTimeout
'409':
$ref: common.yaml#/components/responses/409Conflict
'410':
$ref: common.yaml#/components/responses/410Gone
'429':
$ref: common.yaml#/components/responses/429LimitExceeded
'500':
$ref: common.yaml#/components/responses/500InternalServerError
'503':
$ref: common.yaml#/components/responses/503ServiceUnavailable
'504':
$ref: common.yaml#/components/responses/504GatewayTimeout
x-microcks-operation:
delay: 0
dispatcher: FALLBACK
/api/v2/grants/{granteeType}/{granteeName}:
get:
summary: List of Privileges Associated With This Grantee Type and Name
description: List the roles and privileges granted to the specified grantee using the output of SHOW GRANTS TO
operationId: listGrantsTo
deprecated: true
tags:
- grant
parameters:
- $ref: '#/components/parameters/granteeType'
- $ref: '#/components/parameters/granteeName'
- $ref: common.yaml#/components/parameters/showLimit
responses:
'200':
description: successful
headers:
X-Snowflake-Request-ID:
$ref: common.yaml#/components/headers/X-Snowflake-Request-ID
Link:
$ref: common.yaml#/components/headers/Link
content:
application/json:
schema:
type: array
items:
$ref: '#/components/schemas/Grant'
examples:
Listgrantsto200Example:
summary: Default listGrantsTo 200 response
x-microcks-default: true
value:
- privileges:
- example_value
grant_option: true
created_on: '2026-01-15T10:30:00Z'
grantee_type: example_value
grantee_name: example_value
securable_type: example_value
securable_name: example_value
granted_by_role_type: example_value
granted_by_name: example_value
'202':
$ref: common.yaml#/components/responses/202SuccessAcceptedResponse
'400':
$ref: common.yaml#/components/responses/400BadRequest
'401':
$ref: common.yaml#/components/responses/401Unauthorized
'403':
$ref: common.yaml#/components/responses/403Forbidden
'404':
$ref: common.yaml#/components/responses/404NotFound
'405':
$ref: common.yaml#/components/responses/405MethodNotAllowed
'408':
$ref: common.yaml#/components/responses/408RequestTimeout
'409':
$ref: common.yaml#/components/responses/409Conflict
'410':
$ref: common.yaml#/components/responses/410Gone
'429':
$ref: common.yaml#/components/responses/429LimitExceeded
'500':
$ref: common.yaml#/components/responses/500InternalServerError
'503':
$ref: common.yaml#/components/responses/503ServiceUnavailable
'504':
$ref: common.yaml#/components/responses/504GatewayTimeout
x-microcks-operation:
delay: 0
dispatcher: FALLBACK
components:
parameters:
granteeType:
name: granteeType
description: String that specifies the type of resource that is the privilege grantee.
required: true
in: path
schema:
example: role
type: string
enum:
- user
- role
- application-role
- database-role
- share
granteeName:
name: granteeName
description: String that specifies the name of the privilege grantee.
required: true
in: path
schema:
example: SYSADMIN
type: string
securableType:
name: securableType
description: String that specifies the type of resource that is being secured by a privilege.
required: true
in: path
schema:
example: DATABASE
type: string
securableName:
name: securableName
description: String that specifies the name of resource that is being secured by a privilege.
required: true
in: path
schema:
example: MY_DB
type: string
bulkGrantType:
name: bulkGrantType
description: String that species whether this group privilege should be on ALL or FUTURE resources of the specified plural type
required: true
in: path
schema:
example: all
type: string
enum:
- all
- future
securableTypePlural:
name: securableTypePlural
description: String that specifies the plural of the type of resource that is being secured by an ALL/FUTURE privilege. Must be either "schemas" or any plural object type that can nest under a
schema such as "tables"
required: true
in: path
schema:
example: tables
type: string
scopeType:
name: scopeType
description: String that specifies the type of resource that is the scope of an ALL/FUTURE privilege. Can only be DATABASE or SCHEMA
required: true
in: path
schema:
example: schema
type: string
enum:
- database
- schema
scopeName:
name: scopeName
description: String that specifies the name of resource that is the scope of an ALL/FUTURE privilege
required: true
in: path
schema:
example: MY_DB.MY_SC
type: string
privilege:
name: privilege
description: String that specifies a privilege to be revoked
required: true
in: path
schema:
example: SELECT
type: string
deleteMode:
name: deleteMode
description: If "cascade", recursively revoke the grant from sub-grantees to which this privilege was re-granted. Acceptable values are "restrict" or "cascade".
required: false
in: query
schema:
type: string
example: restrict
schemas:
Grant:
description: Properties of a grant that can be granted to a role or user.
type: object
properties:
privileges:
type: array
description: Privilege type
items:
type: string
example:
- CREATE DATABASE
- EXECUTE TASK
grant_option:
type: boolean
description: Can grantee pass this privilege down?
example: true
created_on:
type: string
format: date-time
example: '2026-01-15T10:30:00Z'
grantee_type:
type: string
description: Entity type being granted to
example: ROLE
grantee_name:
type: string
description: Specific name of object being granted to
example: ACCOUNTADMIN
securable_type:
type: string
description: Type of object granted on
example: ACCOUNT
securable_name:
type: string
description: Name of specific object granted on (not name of privilege!)
example: example_value
granted_by_role_type:
type: string
description: Type of role that granted this privilege to this grantee
example: ROLE
granted_by_name:
type: string
description: The role that granted this privilege to this grantee
example: SUBADMIN
securitySchemes:
KeyPair:
$ref: common.yaml#/components/securitySchemes/KeyPair
ExternalOAuth:
$ref: common.yaml#/components/securitySchemes/ExternalOAuth
SnowflakeOAuth:
$ref: common.yaml#/components/securitySchemes/SnowflakeOAuth
security:
- KeyPair: []
- ExternalOAuth: []
- SnowflakeOAuth: []