Installation

Workbench | Advanced

Step 0. Pre-requisites

You must have permissions to install Native Apps, such as the ACCOUNTADMIN role.

You must have a valid Posit Workbench Advanced tier license.

Step 1. Snowflake Marketplace

  1. Visit the Snowflake Marketplace and search for “Posit Workbench”.

Snowflake Marketplace search

Snowflake Marketplace search

  1. Click on the Posit Workbench listing from Posit, PBC.

  2. Click Get to install the application from the listing. You may be asked to validate your email address.

Posit Workbench marketplace listing

Posit Workbench marketplace listing

Step 2. Install the Native App

  1. Choose a name for the application.
Tip

We recommend keeping the default Application name of Posit_Workbench. The rest of the documentation assumes this naming convention.

  1. Select a warehouse to use when installing the Native Application.
    The warehouse you choose does not affect the installation process.

Choosing a name & warehouse for the Native App

Choosing a name & warehouse for the Native App

Initial installation

The initial installation should complete in approximately one minute. If your application seems to be stalled, review the troubleshooting documentation, or submit a support ticket.

This process runs a special script (Snowflake Native App docs) which registers several application roles, stored procedures, and a Streamlit application for administrative actions.

Initial Native App installation

Initial Native App installation

The Native App should now be listed under Installed Apps in the Data Products > Apps section of your Snowsight UI.

For future reference, the bold name refers to the name of the listing that you installed, and the gray text underneath is the name of the application that you created above.

Step 3. Activate the Native App

Open Snowsight user interface

Click Configure to jump directly to the application Snowsight user interface.

Configure the Native App

Configure the Native App

Alternatively, you can click on the application under the Data Products > Apps page.

Installed Apps Section

Installed Apps Section

In the Snowsight user interface you will be guided to grant a variety of connections and privileges to the application for initial activation.

Select a warehouse

Select a warehouse to continue the installation process. This warehouse is used to run the queries to bootstrap the application. It can be the same warehouse you previously selected.

Select a warehouse to install the Native App

Select a warehouse to install the Native App

Grant privileges

The Snowsight user interface guides you through granting the privileges required by the application.

Activate the Native App

Activate the Native App

Click the Grant button to assign the following privileges:

Privilege Purpose
CREATE COMPUTE POOL The Posit Workbench Native App creates a compute pool to run the Workbench Container. The compute pool is owned by the application (enforced by Snowflake) and can be easily monitored for cost usage.
CREATE WAREHOUSE Posit Workbench uses an XS warehouse sparingly to manage the Workbench service. The warehouse is owned by the application (enforced by Snowflake) and can be easily monitored for cost usage.
BIND SERVICE ENDPOINT Required for any Snowpark Container Services Application to expose services via an ingress.

Add default network integration

When initially activating the Native App you will configure a default network policy. By default, the Workbench Native App allows open egress traffic. For more information, see the Security documentation.

We recommend configuring or restricting the egress policy rules after the installation is completed. Configuring network rules and active network policies during the initial installation is a common issue for failed installs.

Add a Workbench license

Add a license to the Native App

Add a license to the Native App

A valid Advanced Posit Workbench License is required.

Paste the entire contents of the license file provided by your sales representative, including the lines with dashes ----. See common issues with pasting the license for detailed instructions and how to detect if this step was completed correctly.

Please reach out to sales@posit.co to obtain a license.

Activate the Native App

You should now be able to click Activate which begins granting all the privileges and references to your application.

The activation process should take around 10 minutes to complete. If you are waiting for longer than 15 minutes, it is likely that the application failed to start. See the debugging guide for next steps.

Waiting for the Native App to activate

Waiting for the Native App to activate

After the app is activated, the waiting page changes to the application main page. Note that you have to be on the tab for it to refresh. You can also perform a manual refresh of the page.

Workbench Native App after completing activation

Workbench Native App after completing activation

Your application is now live and you should see a blue Launch App button appear. However, before launching the app it is important to first configure OAuth below.

Step 4. Configure or update OAuth

A Snowflake OAuth security integration is required for full Workbench functionality. This allows users to pass their Snowflake credentials directly into their Workbench session without having to manually configure credentials or passwords.

Run the below code as an ACCOUNTADMIN in a Snowsight Worksheet to create and activate the OAuth integration. The code is also handily provided in the app itself within the Snowsight UI Connections tab.

Code in Connections tab under Snowflake OAuth Integration

Code in Connections tab under Snowflake OAuth Integration
Important

If you named your application something other than posit_workbench you will need to modify the string that is returned by CALL posit_workbench.app.workbench_oauth_update().

  1. The below code generates an OAuth security integration with proper redirect URI, client ID, and client secret.
CALL posit_workbench.app.workbench_oauth_update()
  1. The below code sets the security integration within the Workbench Native App. This step must be completed for OAuth to function properly.

DECLARE
  stmt STRING;
BEGIN
  CALL posit_workbench.app.workbench_oauth_update() INTO :stmt;
  EXECUTE IMMEDIATE stmt;
END;

This causes Workbench to restart and use the newly supplied OAuth configuration. The restart should complete within two to three minutes.

This step must be completed again in the event that the ingress URL for your app changes. For example, if you resize the compute pool.

Step 5. Grant access to users

The Posit Workbench Native App has two application roles which are similar to account roles but scoped to the application. Refer to the Snowflake roles documentation for a detailed explanation.

Role Purpose
WORKBENCH_USER Can access Workbench and view the status of the service.
WORKBENCH_ADMIN Grants access to many stored procedures and the Administer Workbench dashboard. Also grants all permissions that the WORKBENCH_USER has.
We recommend granting this application role sparingly. A user with this role is able to stop, and disturb, the functionality of Workbench.

You can manage access through the Snowsight UI or by using SQL. Replace the placeholder role names in the example below with the names of the desired roles in your Snowflake account.

GRANT APPLICATION ROLE posit_workbench.workbench_user to ROLE my_user_role;
GRANT APPLICATION ROLE posit_workbench.workbench_admin to ROLE my_admin_role;

To grant access through the UI, click Manage Access in the top navigation bar.

Manage Access to the Native App

Manage Access to the Native App

Select a role and grant the desired application role(s).

Grant Access to specific roles

Grant Access to specific roles
Important

As of February 2025 BCR-1692 in bundle 2024_08 has set all users’ DEFAULT_SECONDARY_ROLE to ALL. This change will automatically allow roles to inherit all the privileges of any other roles that they have been granted. In the context of the Workbench Native App, users with higher privileges (for example, ACCOUNTADMIN) will be able to access the Native App even if they have not been granted access explicitly in the UI.

To disable this setting, admins can enforce a session policy blocking secondary roles.

Step 6. Launch Workbench application

Your installation is now complete! Click Launch App to access Workbench.

Step 7: Additional security

If your organization needs to configure additional security rules or egress policies please follow these instructions at this time.

Step 8: Multi-app install

Up to ten Workbench applications can be installed per account. To install an additional application, click on Add instance in the Workbench listing in the Snowflake Marketplace.

Install additional instance

Install additional instance

The application name will be created with a unique suffix to prevent application name collisions. This name can be changed during the installation process but must be unique. Once installed configure the application as per the instructions above.

Caution

It is strongly recommended to configure multiple instances of the Posit Workbench app so that users only have access to a single instance of the app. Each app instance is independent, so there are no shared data mounts or directories across applications. Users accessing multiple instances of the Posit Workbench application would have different data, settings, and configurations in each instance.

For additional information and recommendations on how and why to administer multiple installations, please see Administer multiple application instances.

Back to top