Installation

Workbench | Advanced

Step 1. Snowflake Marketplace

  1. Visit the Snowflake Marketplace and search for “Posit Workbench”.

Snowflake Marketplace search

  1. Click on the Posit Workbench listing from Posit, PBC.

  2. Click Get to install the application.
    You must have permissions to install Native Apps, such as the ACCOUNTADMIN role.

Posit Workbench marketplace listing


Step 2. Install the Native App

  1. Select a warehouse to use when installing the Native Application.
    The warehouse you choose does not affect the installation process.

Application name

  1. Choose a name for the application.
Tip

We recommend keeping the default Application name of Posit_Workbench. The rest of the documentation assumes this naming convention.

The name you choose for your application does not have an impact on the operation of the app. You can use a different name if your organization has a naming policy (e.g., APP_POSIT_WORKBENCH).

Initial installation

The initial installation should complete in approximately one minute. If your application seems to be stalled, review the troubleshooting documentation, or submit a support ticket.

This process runs a setup.sql script (Snowflake Native App docs) which registers several application roles, stored procedures, and a Streamlit application for administrative actions.

Choosing a name for the Native App


Initial Native App installation


Step 3. Configure the Native App

  1. Click Configure to jump directly to the application and configure the minimal needed privileges and references.

The Snowsight UI guides you through the entire process.

Alternatively, you can find the application under the Data Products > Apps page. You must have sufficient permissions to view the application. Ensure your role is ACCOUNTADMIN.

  1. Select a warehouse to continue the installation process. This warehouse is used to run the queries to bootstrap the application. The actual warehouse does not matter; it can be the same warehouse you previously selected.

Configure the Native App


Select a warehouse to install the Native App


Grant privileges

The Snowsight UI guides you through granting the privileges required by the application.

  1. Click the Grant button to assign the following privileges:
| Privilege | Purpose |
| --- | --- |
| CREATE COMPUTE POOL | The Posit Workbench Native App creates a compute pool to run the Workbench Container. The compute pool is owned by the application (enforced by Snowflake) and can be easily monitored for cost usage. |
| BIND SERVICE ENDPOINT | Required for any Snowpark Container Services Application to expose services via an ingress. |

Add references

  1. Provide the needed references to Posit Workbench:
  • A default egress policy is configured, allowing 0.0.0.0:80 and 0.0.0.0:443, that is, outbound traffic to any host on ports 80 and 443.

    For many organizations we recommend configuring an egress policy with more restrictive rules after the installation is completed. Configuring network rules and active network policies during the first installation is a common cause of failed installs.

  • A valid Advanced Posit Workbench License is required. Paste the entire contents of the license file provided by your sales representative, including the lines with dashes ----. See common issues with pasting the license for detailed instructions and how to detect if this step was completed correctly.

    Please reach out to sales@posit.co to obtain a license.

  1. You should now be able to click Activate.
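
An illustration of the tighter egress policy recommended above, for use once installation has completed. This is an added example, not Posit's own configuration: the database, schema, rule and integration names and the host list are assumptions, and swapping the app's default egress reference for the new integration is done through the app's configuration and is not shown.

```sql
-- Added example: object names and hosts below are hypothetical placeholders.
-- For comparison, the default policy behaves like a rule with
--   VALUE_LIST = ('0.0.0.0:80', '0.0.0.0:443')
-- which permits outbound traffic to any host on ports 80 and 443.

USE ROLE ACCOUNTADMIN;

-- Network rules are schema-level objects; security_db.network is assumed to exist.
CREATE OR REPLACE NETWORK RULE security_db.network.posit_workbench_egress
    MODE = EGRESS
    TYPE = HOST_PORT
    VALUE_LIST = (
        'packages.example.com:443',  -- constructed: internal package repository
        'git.example.com:443'        -- constructed: source control host
    )
    COMMENT = 'Allow-listed egress for Posit Workbench';

-- The integration is the object that carries the rule.
CREATE OR REPLACE EXTERNAL ACCESS INTEGRATION posit_workbench_egress_eai
    ALLOWED_NETWORK_RULES = (security_db.network.posit_workbench_egress)
    ENABLED = TRUE
    COMMENT = 'Restrictive egress for Posit Workbench';

-- Review exactly which host:port pairs the rule allows before using it.
DESCRIBE NETWORK RULE security_db.network.posit_workbench_egress;
```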

Activate the native app

Activate begins granting all the privileges and references.

Grant privileges to the Native App


Add a license to the Native App

  1. The activation process should take around 10 minutes to complete. If you are waiting for longer than 15 minutes, it is likely that the application failed to start. See the debugging guide for next steps.

After the app is activated, the waiting page changes to the application main page. Note that you have to be on the tab for it to refresh. You can also perform a manual refresh of the page.

Activate the Native App


Waiting for the Native App to activate


Workbench Native App after completing activation


Step 4. Adding Workbench users

Warning

The next Posit Workbench release in September 2024 (2024.09) will remove this step.

Snowflake prevents the Workbench Native App from accessing users within the account and requires that Snowflake users be manually added to Workbench.

  1. Execute the following SQL to insert all users within your Snowflake account. This step does not control access to Workbench but is a required step for provisioning user access.
SHOW USERS;
INSERT OVERWRITE INTO posit_workbench.data.workbench_users (username, display_name)
SELECT "name", "login_name" FROM TABLE(RESULT_SCAN(last_query_id())) WHERE "name" NOT LIKE 'SNOWFLAKE' AND LENGTH("name") < 32;

If you have many users, running SHOW USERS may not be possible, and you may wish to add the users of specific roles manually. Execute the following statement for each role, replacing <role-name>.

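-- List the users who have been granted the role, then load them into workbench_users.
-- INSERT OVERWRITE replaces all rows already in workbench_users, including rows added for a previously processed role.
SHOW GRANTS OF ROLE <role-name>;
INSERT OVERWRITE INTO posit_workbench.data.workbench_users (username, display_name)
SELECT "grantee_name", "grantee_name" FROM TABLE(RESULT_SCAN(last_query_id())) WHERE "granted_to" = 'USER';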

If you execute this statement after Workbench is already running, it takes approximately 5 minutes for the users to be synced. You can view the currently added users by querying the workbench_users table.

SELECT username, display_name FROM posit_workbench.app.workbench_users;

Step 5. Configure OAuth

A Snowflake OAuth security integration is required for full Workbench functionality. This allows users to pass their Snowflake credentials directly into their Workbench session without having to manually configure credentials or passwords.

Create security integration

  1. Click Administer Workbench in the top navigation bar.

Only the Streamlit app is visible if you have selected ACCOUNTADMIN as your current role. This application is useful for debugging the Workbench Native App and also provides useful Day 2+ functionality.

  1. Scroll to the bottom of the page and find the Snowflake OAuth Integration section.

  2. Copy the code from this section and run as an ACCOUNTADMIN.

In the example here, you need to replace the host in the OAUTH_REDIRECT_URI with the appropriate host for your application. Replacing the URI is not necessary when copying from the Administer Workbench app; the correct URI is automatically filled in.

-- Create OAuth Application for users to authenticate within Workbench
CREATE OR REPLACE SECURITY INTEGRATION posit_workbench_oauth
    TYPE = OAUTH
    ENABLED = TRUE
    OAUTH_CLIENT = CUSTOM
    OAUTH_CLIENT_TYPE = 'PUBLIC'
    OAUTH_ENFORCE_PKCE = TRUE
    OAUTH_ISSUE_REFRESH_TOKENS = TRUE
    OAUTH_REDIRECT_URI = 'https://......snowflakecomputing.app/oauth_redirect_callback'
    COMMENT = 'Posit Workbench OAuth';

-- Retrieve the OAuth Client ID and Secret
SELECT system$show_oauth_client_secrets('POSIT_WORKBENCH_OAUTH');
  1. Copy the OAUTH_CLIENT_ID and OAUTH_CLIENT_SECRET from the output of the second SQL statement. We recommend copying the output of SYSTEM$SHOW_OAUTH_CLIENT_SECRETS to a text editor or something similar to ensure that you copy and paste the client ID and secret correctly.
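
A check that can be run after creating the integration to confirm that the settings requested above took effect. This is an added example, not part of the Posit documentation; it assumes the integration name posit_workbench_oauth from the statement above and the property names reported by DESCRIBE SECURITY INTEGRATION.

```sql
-- Added example: verify the OAuth integration created above.
USE ROLE ACCOUNTADMIN;

DESCRIBE SECURITY INTEGRATION posit_workbench_oauth;

-- Compare the reported settings with what the CREATE statement requested.
-- Any row whose finding is not 'ok' should be reviewed.
SELECT
    "property",
    "property_value",
    CASE
        WHEN "property" = 'ENABLED'
             AND LOWER("property_value") <> 'true'
            THEN 'integration is disabled'
        WHEN "property" = 'OAUTH_CLIENT_TYPE'
             AND UPPER("property_value") <> 'PUBLIC'
            THEN 'client type differs from the documented PUBLIC client'
        WHEN "property" = 'OAUTH_ENFORCE_PKCE'
             AND LOWER("property_value") <> 'true'
            THEN 'PKCE is not enforced for this public client'
        WHEN "property" = 'OAUTH_REDIRECT_URI'
             AND NOT ("property_value" ILIKE
                      'https://%snowflakecomputing.app/oauth_redirect_callback')
            THEN 'redirect URI does not match the Workbench callback pattern'
        WHEN "property" = 'BLOCKED_ROLES_LIST'
             AND "property_value" NOT ILIKE '%ACCOUNTADMIN%'
            THEN 'ACCOUNTADMIN is not blocked from OAuth sessions'
        ELSE 'ok'
    END AS finding
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "property" IN ('ENABLED', 'OAUTH_CLIENT_TYPE', 'OAUTH_ENFORCE_PKCE',
                     'OAUTH_ISSUE_REFRESH_TOKENS', 'OAUTH_REDIRECT_URI',
                     'OAUTH_REFRESH_TOKEN_VALIDITY', 'BLOCKED_ROLES_LIST')
ORDER BY "property";
```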

Configure Workbench OAuth

  1. Return to the Workbench Native App in the Snowsight UI.
  • Enter the OAUTH_CLIENT_ID in the Username field
  • Enter the OAUTH_CLIENT_SECRET in the Password field
  1. Click Configure.

This causes Workbench to restart and use the newly supplied OAuth configuration. The restart should complete within two to three minutes.

Administer Workbench


SQL to create OAuth integration


Configure OAuth in the Native App


Launch Workbench Application

  1. Your installation is now complete! Click Launch App to access Workbench.

You are now ready to provision user access to the Workbench Native App.
