Security Best Practices

[spyglass-software]

Security Best Practices

We spend a lot of time thinking about security so our users don't have to (see security.md).

However, there are some best practices that Spyglass users should implement.

Use CODEOWNERS

While it may seem like just another file, the contents of your Spyglass YAML will have the ability to grant privileged access to your Snowflake database, so access to these files should be carefully managed.

Github CODEOWNERS allow you define which users (or groups of users)

1. Create a spyglass directory for your spyglass configuration.
2. Set up a github team for your data admins who should be allowed to approve/reject changes to access control.
3. Use a codeowner rule like /spyglass/ @spyglasshq/data-admins (replacing the org/team name with your own)

This will ensure that only authorized users can merge Spyglass changes.

Use Protected Branches

Protected branches ensure your code will go through proper pull request checks, as well as ensure they are passing in CI/CD before being merged. This prevents accidentally making changes that could break your Snowflake access.

Use a Separate Snowflake User Account

Set up a separate spyglass_user with the securityadmin privilege and a randomly-generated password.

CREATE USER IF NOT EXISTS SPYGLASS_USER;
GRANT ROLE SECURITYADMIN TO USER SPYGLASS_USER;
ALTER USER SPYGLASS_USER SET PASSWORD = '<insert-random-password>';

(hint: to generate a unique random password, run head -c 24 /dev/random | base64)

Why securityadmin?

Spyglass needs the securityadmin role in order to manage grants. From Snowflake's docs:

SECURITYADMIN (aka Security Administrator)

Role that can manage any object grant globally, as well as create, monitor,
and manage users and roles. More specifically, this role:

Is granted the MANAGE GRANTS security privilege to be able to modify any
grant, including revoking it.

Inherits the privileges of the USERADMIN role via the system role
hierarchy (i.e. USERADMIN role is granted to SECURITYADMIN).

Use Github Secrets

If you're using the github action workflows, be sure to store your Snowflake credentials in github secrets, and be sure to understand who has access to those secrets.

Ask Questions

If you have any other questions or security feedback, email us at [email protected].