6.2 Creating Shares, Granting Objects, and Reader Accounts
Key Takeaways
- Creating a share follows a fixed order: CREATE SHARE, GRANT USAGE on database/schema then SELECT on objects, then ALTER SHARE ADD ACCOUNTS.
- A consumer accesses shared data by running CREATE DATABASE ... FROM SHARE, which creates a read-only pointer database.
- Reader accounts let non-Snowflake parties consume data; they are provider-managed and the provider pays their compute credits.
- Each reader account belongs to exactly one provider and can only consume from the provider that created it.
Creating and Configuring a Share
As a provider you build a share with a deterministic sequence of privilege grants. The order matters because USAGE on the container (database, then schema) must precede SELECT on the contained objects. A typical flow:
CREATE SHARE sales_share;GRANT USAGE ON DATABASE sales_db TO SHARE sales_share;GRANT USAGE ON SCHEMA sales_db.public TO SHARE sales_share;GRANT SELECT ON TABLE sales_db.public.orders TO SHARE sales_share;ALTER SHARE sales_share ADD ACCOUNTS = consumer_acct;
Only the ACCOUNTADMIN role, or a role granted the CREATE SHARE global privilege, can create and manage shares. A single database can be added to a share, but you cannot add objects from more than one database to the same share — each share is rooted in a single database. You can, however, add multiple consumer accounts to one share.
Secure objects are mandatory
When sharing a view or UDF, you must use a secure view or secure UDF. Regular (non-secure) views cannot be granted to a share. Secure objects hide their SQL definition and query plan from the consumer, preventing them from inferring the structure of base tables they were not granted. This requirement is heavily tested: if a share must include a view, it must be a secure view.
How the Consumer Accesses the Share
On the consumer side, an ACCOUNTADMIN (or a role with IMPORT SHARE / CREATE DATABASE privilege) creates a database from the inbound share:
CREATE DATABASE shared_sales FROM SHARE provider_acct.sales_share;
This new database is a read-only pointer — it consumes no storage and is queried with the consumer's own warehouse. The consumer can grant access to other roles in its account via GRANT IMPORTED PRIVILEGES ON DATABASE shared_sales TO ROLE analyst;. Consumers see live data instantly; any change the provider makes to the source is immediately visible.
| Step | Who runs it | Effect |
|---|---|---|
| CREATE SHARE | Provider | Defines the share object |
| GRANT ... TO SHARE | Provider | Adds objects to the share |
| ALTER SHARE ADD ACCOUNTS | Provider | Authorizes consumer accounts |
| CREATE DATABASE FROM SHARE | Consumer | Creates read-only pointer DB |
| GRANT IMPORTED PRIVILEGES | Consumer | Lets other roles query it |
A share can be granted to multiple consumers at once, and all of them read the same live data with no additional storage anywhere.
Reader Accounts
A reader account (formerly "read-only account") lets a provider share data with a party that does not have its own Snowflake account. The provider creates the reader account with CREATE MANAGED ACCOUNT, and that reader account is wholly provider-managed: it belongs to the provider's account, appears in the provider's organization, and can only consume data from the provider that created it.
The billing model flips here. For a reader account, the provider pays all compute credits the reader's warehouses consume, in addition to storage. This is the opposite of a standard consumer (who pays its own compute), and it is a classic exam contrast.
| Characteristic | Standard consumer | Reader account |
|---|---|---|
| Needs own Snowflake account | Yes | No |
| Pays its own compute | Yes | No — provider pays |
| Can consume from many providers | Yes | No — only its creating provider |
| Managed by | Itself | The provider |
Use a reader account when the recipient is not a Snowflake customer and you are willing to absorb their compute cost in exchange for fully controlling their environment. The provider creates warehouses, users, and roles within the reader account on the recipient's behalf.
Managing Reader Accounts and Revoking Access
Because a reader account is created with CREATE MANAGED ACCOUNT, the provider receives the new account's URL and initial credentials and is responsible for everything inside it. The provider must create at least one virtual warehouse in the reader account (consumers in a reader account still need compute to query), set up users and roles, and then share databases to the reader account exactly as it would to any consumer. To control costs, the provider should attach resource monitors to the reader account's warehouses, since the provider is paying for that compute.
Revoking access is a core operational skill the exam may probe. A provider stops sharing in one of several ways:
- Remove a consumer from a share:
ALTER SHARE sales_share REMOVE ACCOUNTS = consumer_acct; - Revoke an object from the share:
REVOKE SELECT ON TABLE ... FROM SHARE sales_share; - Drop the share entirely:
DROP SHARE sales_share;
Each of these takes effect immediately and removes the consumer's ability to query the affected objects, but none of them deletes any data — the provider's source tables are untouched. This reinforces the no-copy model: access is purely a metadata grant that can be added or removed instantly.
When to choose each consumer type
| Recipient situation | Recommended object |
|---|---|
| Recipient already has a Snowflake account, same region | Standard consumer via direct share |
| Recipient is not a Snowflake customer | Reader account (provider pays compute) |
| Recipient is in another region or cloud | Listing built on replication |
The key contrast to lock in: a standard consumer pays its own compute and can consume from many providers, whereas a reader account is provider-paid, provider-managed, and tied to a single provider. Many exam items hinge entirely on that distinction.
A provider needs to include a view in a share so consumers can query it. Which type of view can be added to a share?
Who pays the compute credits consumed by a reader account's warehouses?
Which command does a consumer run to access an inbound share?
A reader account created by Provider A wants to also consume a share published by Provider B. Is this possible?