Installation
Step 0. Pre-requisites
You must have permissions to install Native Apps, such as the ACCOUNTADMIN role.
You must have a valid Posit Workbench Advanced tier license.
Step 1. Snowflake Marketplace
- Visit the Snowflake Marketplace and search for “Posit Workbench”.
- Click on the Posit Workbench listing from Posit, PBC.
- Click Get to install the application from the listing. You may be asked to validate your email address.
Step 2. Install the Native App
- Choose a name for the application.
We recommend keeping the default Application name of Posit_Workbench. The rest of the documentation assumes this naming convention.
- Select a warehouse to use when installing the Native Application.
The warehouse you choose does not affect the installation process.
Initial installation
The initial installation should complete in approximately one minute. If your application seems to be stalled, review the troubleshooting documentation, or submit a support ticket.
This process runs a special script (see the Snowflake Native App docs), which registers several application roles, stored procedures, and a Streamlit application for administrative actions.
The Native App should now be listed under Installed Apps in the Data Products > Apps section of your Snowsight UI.
For future reference, the bold name refers to the name of the listing that you installed, and the gray text underneath is the name of the application that you created above.
Step 3. Activate the Native App
Open Snowsight user interface
Click Configure to jump directly to the application Snowsight user interface.
Alternatively, you can click on the application under the Data Products > Apps page.
In the Snowsight user interface you will be guided to grant a variety of connections and privileges to the application for initial activation.
Select a warehouse
Select a warehouse to continue the installation process. This warehouse is used to run the queries to bootstrap the application. It can be the same warehouse you previously selected.
Grant privileges
The Snowsight user interface guides you through granting the privileges required by the application.
Click the Grant button to assign the following privileges:
Privilege | Purpose |
---|---|
CREATE COMPUTE POOL | The Posit Workbench Native App creates a compute pool to run the Workbench Container. The compute pool is owned by the application (enforced by Snowflake) and can be easily monitored for cost usage. |
CREATE WAREHOUSE | Posit Workbench uses an XS warehouse sparingly to manage the Workbench service. The warehouse is owned by the application (enforced by Snowflake) and can be easily monitored for cost usage. |
BIND SERVICE ENDPOINT | Required for any Snowpark Container Services Application to expose services via an ingress. |
Add default network integration
When initially activating the Native App you will configure a default network policy. By default, the Workbench Native App allows open egress traffic. For more information, see the Security documentation.
We recommend configuring or restricting the egress policy rules after the installation is completed. Configuring network rules and active network policies during the initial installation is a common cause of failed installs.
Add a Workbench license
A valid Advanced Posit Workbench License is required.
Paste the entire contents of the license file provided by your sales representative, including the lines with dashes (----). See common issues with pasting the license for detailed instructions and how to detect if this step was completed correctly.
Please reach out to sales@posit.co to obtain a license.
Activate the Native App
You should now be able to click Activate which begins granting all the privileges and references to your application.
The activation process should take around 10 minutes to complete. If you are waiting for longer than 15 minutes, it is likely that the application failed to start. See the debugging guide for next steps.
After the app is activated, the waiting page changes to the application main page. Note that you have to be on the tab for it to refresh. You can also perform a manual refresh of the page.
Your application is now live and you should see a blue Launch App button appear. However, before launching the app, it is important to first configure OAuth as described below.
Step 4. Configure or update OAuth
A Snowflake OAuth security integration is required for full Workbench functionality. This allows users to pass their Snowflake credentials directly into their Workbench session without having to manually configure credentials or passwords.
Run the code below as an ACCOUNTADMIN in a Snowsight Worksheet to create and activate the OAuth integration. The code is also provided in the app itself, in the Connections tab of the Snowsight UI.
If you named your application something other than posit_workbench, you will need to modify the string that is returned by CALL posit_workbench.app.workbench_oauth_update().
- The below code generates an OAuth security integration with proper redirect URI, client ID, and client secret.
CALL posit_workbench.app.workbench_oauth_update()
- The below code sets the security integration within the Workbench Native App. This step must be completed for OAuth to function properly.
DECLARE
  stmt STRING;
BEGIN
  CALL posit_workbench.app.workbench_oauth_update() INTO :stmt;
  EXECUTE IMMEDIATE stmt;
END;
This causes Workbench to restart and use the newly supplied OAuth configuration. The restart should complete within two to three minutes.
This step must be completed again whenever the ingress URL for your app changes, for example if you resize the compute pool.
Step 5. Grant access to users
The Posit Workbench Native App has two application roles which are similar to account roles but scoped to the application. Refer to the Snowflake roles documentation for a detailed explanation.
Role | Purpose |
---|---|
WORKBENCH_USER | Can access Workbench and view the status of the service. |
WORKBENCH_ADMIN | Grants access to many stored procedures and the Administer Workbench dashboard. Also grants all permissions that the WORKBENCH_USER has. We recommend granting this application role sparingly. A user with this role is able to stop, and disturb, the functionality of Workbench. |
You can manage access through the Snowsight UI or by using SQL. Replace the placeholder role names in the example below with the names of the desired roles in your Snowflake account.
GRANT APPLICATION ROLE posit_workbench.workbench_user to ROLE my_user_role;
GRANT APPLICATION ROLE posit_workbench.workbench_admin to ROLE my_admin_role;
To grant access through the UI, click Manage Access in the top navigation bar.
Select a role and grant the desired application role(s).
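One way to review who ends up holding WORKBENCH_ADMIN after the grants above, given the recommendation to grant it sparingly. This is an added example, not part of the original documentation; it assumes the default application name posit_workbench and reuses the placeholder role name my_admin_role from the grant statements.

```sql
-- Added example: least-privilege review of the Workbench application roles.
-- Assumes the default application name posit_workbench; my_admin_role is the
-- placeholder account role used in the GRANT statements above.

-- 1. List the application roles that the Native App defines.
SHOW APPLICATION ROLES IN APPLICATION posit_workbench;

-- 2. List the account roles that hold each application role directly.
SHOW GRANTS OF APPLICATION ROLE posit_workbench.workbench_admin;
SHOW GRANTS OF APPLICATION ROLE posit_workbench.workbench_user;

-- 3. For each account role returned for workbench_admin, list the users and
--    roles that inherit it. Anyone listed here can stop or disrupt Workbench.
SHOW GRANTS OF ROLE my_admin_role;

-- 4. Remove the admin application role from an account role that should not
--    have it, and leave that role with user-level access only.
REVOKE APPLICATION ROLE posit_workbench.workbench_admin FROM ROLE my_admin_role;
GRANT APPLICATION ROLE posit_workbench.workbench_user TO ROLE my_admin_role;
```

Repeating steps 2 and 3 after any change to the role hierarchy shows whether a broadly granted account role has picked up WORKBENCH_ADMIN through inheritance.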
Step 6. Launch Workbench application
Your installation is now complete! Click Launch App to access Workbench.
Step 7. Additional security
If your organization needs to configure additional security rules or egress policies, please follow these instructions at this time.