Installation
Workbench | Advanced
Step 0. Pre-requisites
You must have permissions to install Native Apps, such as the ACCOUNTADMIN role.
You must have a valid Posit Workbench Advanced tier license.
Step 1. Snowflake Marketplace
- Visit the Snowflake Marketplace and search for “Posit Workbench”.
Click on the Posit Workbench listing from Posit, PBC.
Click Get to install the application from the listing. You may be asked to validate your email address.
Step 2. Install the Native App
- Choose a name for the application.
We recommend keeping the default Application name of Posit_Workbench. The rest of the documentation assumes this naming convention.
- Select a warehouse to use when installing the Native Application.
The warehouse you choose does not affect the installation process.
Initial installation
The initial installation should complete in approximately one minute. If your application seems to be stalled, review the troubleshooting documentation, or submit a support ticket.
This process runs a special script (Snowflake Native App docs) which registers several application roles, stored procedures, and a Streamlit application for administrative actions.
The Native App should now be listed under Installed Apps in the Data Products > Apps section of your Snowsight UI.
For future reference, the bold name refers to the name of the listing that you installed, and the gray text underneath is the name of the application that you created above.
Step 3. Activate the Native App
Open Snowsight user interface
Click Configure to jump directly to the application Snowsight user interface.
Alternatively, you can click on the application under the Data Products > Apps page.
In the Snowsight user interface you will be guided to grant a variety of connections and privileges to the application for initial activation.
Select a warehouse
Select a warehouse to continue the installation process. This warehouse is used to run the queries to bootstrap the application. It can be the same warehouse you previously selected.
Grant privileges
The Snowsight user interface guides you through granting the privileges required by the application.
Click the Grant button to assign the following privileges:
Privilege | Purpose |
---|---|
CREATE COMPUTE POOL | The Posit Workbench Native App creates a compute pool to run the Workbench Container. The compute pool is owned by the application (enforced by Snowflake) and can be easily monitored for cost usage. |
CREATE WAREHOUSE | Posit Workbench uses an XS warehouse sparingly to manage the Workbench service. The warehouse is owned by the application (enforced by Snowflake) and can be easily monitored for cost usage. |
BIND SERVICE ENDPOINT | Required for any Snowpark Container Services Application to expose services via an ingress. |
Add default network integration
When initially activating the Native App you will configure a default network policy. By default, the Workbench Native App allows open egress traffic. For more information, see the Security documentation.
We recommend configuring or restricting the egress policy rules after the installation is completed. Configuring network rules and active network policies during the initial installation is a common cause of failed installs.
Add a Workbench license
A valid Advanced Posit Workbench License is required.
Paste the entire contents of the license file provided by your sales representative, including the lines with dashes (----). See common issues with pasting the license for detailed instructions and how to detect if this step was completed correctly.
Please reach out to sales@posit.co to obtain a license.
Activate the Native App
You should now be able to click Activate which begins granting all the privileges and references to your application.
The activation process should take around 10 minutes to complete. If you are waiting for longer than 15 minutes, it is likely that the application failed to start. See the debugging guide for next steps.
After the app is activated, the waiting page changes to the application main page. Note that you have to be on the tab for it to refresh. You can also perform a manual refresh of the page.
Your application is now live and you should see a blue Launch App button appear. However, before launching the app it is important to first configure OAuth below.
Step 4. Configure or update OAuth
A Snowflake OAuth security integration is required for full Workbench functionality. This allows users to pass their Snowflake credentials directly into their Workbench session without having to manually configure credentials or passwords.
Run the below code as an ACCOUNTADMIN in a Snowsight Worksheet to create and activate the OAuth integration. The code is also handily provided in the app itself within the Snowsight UI Connections tab.
If you named your application something other than posit_workbench you will need to modify the string that is returned by CALL posit_workbench.app.workbench_oauth_update().
- The below code generates an OAuth security integration with proper redirect URI, client ID, and client secret.
CALL posit_workbench.app.workbench_oauth_update();
- The below code sets the security integration within the Workbench Native App. This step must be completed for OAuth to function properly.
DECLARE
  stmt STRING;
BEGIN
  CALL posit_workbench.app.workbench_oauth_update() INTO :stmt;
  EXECUTE IMMEDIATE stmt;
END;
This causes Workbench to restart and use the newly supplied OAuth configuration. The restart should complete within two to three minutes.
This step must be completed again in the event that the ingress URL for your app changes, for example, if you resize the compute pool.
Step 5. Grant access to users
The Posit Workbench Native App has two application roles which are similar to account roles but scoped to the application. Refer to the Snowflake roles documentation for a detailed explanation.
Role | Purpose |
---|---|
WORKBENCH_USER | Can access Workbench and view the status of the service. |
WORKBENCH_ADMIN | Grants access to many stored procedures and the Administer Workbench dashboard. Also grants all permissions that the WORKBENCH_USER has. We recommend granting this application role sparingly. A user with this role is able to stop and disrupt the functionality of Workbench. |
You can manage access through the Snowsight UI or by using SQL. Replace the placeholder role names in the example below with the names of the desired roles in your Snowflake account.
GRANT APPLICATION ROLE posit_workbench.workbench_user to ROLE my_user_role;
GRANT APPLICATION ROLE posit_workbench.workbench_admin to ROLE my_admin_role;
To grant access through the UI, click Manage Access in the top navigation bar.
Select a role and grant the desired application role(s).
As of February 2025, BCR-1692 in bundle 2024_08 has set all users’ DEFAULT_SECONDARY_ROLES to ALL. This change will automatically allow roles to inherit all the privileges of any other roles that they have been granted. In the context of the Workbench Native App, users with higher privileges (for example, ACCOUNTADMIN) will be able to access the Native App even if they have not been granted access explicitly in the UI.
To disable this setting, admins can enforce a session policy blocking secondary roles.
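One way to apply the session policy described above and to check which grantees hold each application role. This is an added example, not Posit's own code: the schema governance_db.policies, the policy name block_secondary_roles and the user jdoe are hypothetical, and posit_workbench assumes the default application name.

```sql
-- Added example; governance_db.policies, block_secondary_roles and jdoe are
-- hypothetical names. Run as a role allowed to create and apply session policies.

-- 1. Review which grantees currently hold each application role.
SHOW GRANTS OF APPLICATION ROLE posit_workbench.workbench_user;
SHOW GRANTS OF APPLICATION ROLE posit_workbench.workbench_admin;

-- 2. Create a session policy with an empty allow-list, so sessions run with
--    the primary role only and cannot activate secondary roles.
CREATE SESSION POLICY IF NOT EXISTS governance_db.policies.block_secondary_roles
  ALLOWED_SECONDARY_ROLES = ()
  COMMENT = 'Access to Posit Workbench must come from the primary role';

-- 3a. Either enforce it for every user in the account ...
ALTER ACCOUNT SET SESSION POLICY governance_db.policies.block_secondary_roles;

-- 3b. ... or only for selected users (a user-level session policy takes
--     precedence over the account-level one). Run 3a or 3b, not both.
ALTER USER jdoe SET SESSION POLICY governance_db.policies.block_secondary_roles;

-- 4. From a new session of an affected user, confirm that no secondary
--    roles are active.
SELECT CURRENT_ROLE(), CURRENT_SECONDARY_ROLES();
```

With secondary roles blocked, a user reaches the Native App only when their active primary role has been granted WORKBENCH_USER or WORKBENCH_ADMIN, so confirm the Step 5 grants cover the roles people actually work in before enforcing the policy account-wide.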
Step 6. Launch Workbench application
Your installation is now complete! Click Launch App to access Workbench.
Step 7. Additional security
If your organization needs to configure additional security rules or egress policies, please follow these instructions at this time.
Step 8. Multi-app install
Up to ten Workbench applications can be installed per account. To install an additional application, click on Add instance in the Workbench listing in the Snowflake Marketplace.
The application name will be created with a unique suffix to prevent application name collisions. This name can be changed during the installation process but must be unique. Once installed, configure the application as per the instructions above.
It is strongly recommended to configure multiple instances of the Posit Workbench app so that users only have access to a single instance of the app. Each app instance is independent, so there are no shared data mounts or directories across applications. Users accessing multiple instances of the Posit Workbench application would have different data, settings, and configurations in each instance.
For additional information and recommendations on how and why to administer multiple installations, please see Administer multiple application instances.