Spyglass Documentation

Security on Autopilot for Data Teams.

🌅 What is Spyglass?

Spyglass is a security platform for data teams. Spyglass’s software-as-a-service offers:


Access-as-Code: configure your access rules as code so that they are reviewable, auditable and consistent across environments. This includes GitOps workflows and our integration with GitHub.


Recommendations: let Spyglass be the security expert. Get proactive insights into the health of your data security, and guidance on how to fix common issues focused on the principle of least privilege. 


Self-Service: explore your database, its users, and access rules to discover patterns, debug issues, and get a better understanding of “who has access to what.” Additionally, provide your data owners and users with discovery and access workflows.


What does this mean for you and your team?


Data Operators: understand and build access controls, automate governance and provide self-service mechanisms for data owners and users.


Data Owners: understand and control access in your domain and automate compliance.


Data Users: find relevant data and easily get access.


The purpose of Spyglass is to automate security for data teams and enable self-service mechanisms for data owners and consumers.

Easy to Build Access

Import your existing Snowflake access rules to Spyglass and start centrally managing your access as code, complete with versioning and change history.

Automated Governance 

Proactive insights, removing the guesswork from security best practices, implementing the principle of least privilege, and streamlining your internal audits.

Enable Self-Service

Quickly visualize your access and role hierarchies, empower your data users to request the right access, and enable business units to manage their own security policy.

🌎 Current

Current provides an overview of your existing users, roles and objects in Snowflake.

The Current page provides the ability to search across your users and roles and click into individual users and roles to go to their summary page.


Additionally, at the bottom of the page you can manually sync Spyglass to your current Snowflake configuration (without a manual sync, Spyglass syncs to connected Snowflake accounts once every 24 hours).

YAML view

Switching the toggle in the top left of the Current page will show your existing configuration in YAML format.

🔍 Explorer

Explorer allows you to search and get insights about your objects, users and roles and makes discovery simple and self-service for users.


This feature allows you to query by object id, user name or role name paired with a specific search term.


The search term bar will allow you to search on partial phrases of objects, users and roles and provide a list of potential query options.

Once you’ve chosen the object, user or role that you’d like to inspect, you will be directed to the access explorer page:

The access explorer page will provide an overview of the object, role or user along with additional filters and a Role Hierarchy for further inspection on how objects, users or roles inherit their permissions.

Add Permissions

The Add Permissions button in the access explorer page allows you to easily adjust privileges in Snowflake.

After you add a permission or click the "Submit Pull Request" button, the change is submitted as a pull request in GitHub for an approver to review and merge:

Role Hierarchy

The Role Hierarchy diagram helps simplify the hierarchical relationships among roles within an organization's access control structure. It illustrates how roles inherit permissions from higher-level roles and how user access to resources is ultimately derived.

🔮 Recommendations

Recommendations is a library of proactive best practices in Spyglass that automates governance for data teams, focused on principle-of-least-privilege definitions.

[SR1027] Table appears inactive (hasn't been accessed recently)


Spyglass Recommendation 1027 measures table activity and provides a list of tables that have not been used in the last 90 days to automate cost and governance reporting. 
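One way to approximate this kind of check directly in Snowflake, shown as an added example and not Spyglass's own SR1027 logic. It assumes a role that can read the SNOWFLAKE.ACCOUNT_USAGE share and an edition that provides ACCESS_HISTORY; skipping tables created inside the 90-day window is also an assumption of this example.

```sql
-- Added example: lists base tables with no recorded access in the last 90 days.
-- Not Spyglass's SR1027 implementation.
WITH recent_access AS (
    -- One row per table that was read (directly or through a view)
    -- at least once inside the 90-day window.
    SELECT
        obj.value:"objectId"::NUMBER AS table_id,
        MAX(ah.query_start_time)     AS last_accessed
    FROM snowflake.account_usage.access_history AS ah,
         LATERAL FLATTEN(input => ah.base_objects_accessed) obj
    WHERE obj.value:"objectDomain"::STRING = 'Table'
      AND ah.query_start_time >= DATEADD(day, -90, CURRENT_TIMESTAMP())
    GROUP BY 1
)
SELECT
    t.table_catalog,
    t.table_schema,
    t.table_name,
    t.table_owner,
    t.created,
    t.bytes                      -- storage size, useful for cost reporting
FROM snowflake.account_usage.tables AS t
LEFT JOIN recent_access AS ra
       ON ra.table_id = t.table_id
WHERE t.deleted IS NULL                                     -- still exists
  AND t.table_type = 'BASE TABLE'                           -- ignore views
  AND t.created < DATEADD(day, -90, CURRENT_TIMESTAMP())    -- assumption: skip new tables
  AND ra.table_id IS NULL                                   -- no access in the window
ORDER BY t.bytes DESC;
```

ACCOUNT_USAGE views lag behind live activity, so treat the result as a review list for the table owner before revoking grants or dropping anything.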

🛣️ Roadmap – We are working on additional Recommendations based on demand. A sample of additional Recommendations coming soon:

Please reach out to devs@spyglass.software with requests.

🔄 Changes

Changes provides a comprehensive list of all changes made to your Snowflake configuration. Detailed within each change is a summary of the type of change along with how many individual changes were made.

📔 Note – access to Changes is only available to designated account administrators.  

Clicking on the text of any one individual change will bring you to a detail page for that change:

Drilling down further, clicking on the change number (hash-tagged number in blue) will navigate to the pull request in GitHub.

🖥️ Spyglass CLI

Spyglass's CLI allows you to manage your access controls as code in your command line interface.

See documentation on Spyglass CLI setup on our GitHub.

⚙️ Settings

Settings provides Spyglass administrators the ability to configure account level settings.

📔 Note – Settings is only available to designated account administrators.   

🔐 SSO Setup

For details on configuring SSO, see:


📐 Architecture

An overview of Spyglass solution architecture.

📜 Requirements for Setup


The primary integrations for Spyglass are Snowflake and GitHub. Before we begin, there are a few accounts and permissions you’ll need to make sure you have access to.


1 – GitHub Organization with administrative privileges.


Whether it’s you or a member of your team, you will need the ability to install our GitHub App to your organization (we do not currently support installing to user accounts).


As part of this process, you will grant read/write privileges to a GitHub repository so that Spyglass can: (1) write a YAML file that contains Snowflake configuration, and (2) read the YAML file on every change and apply those changes back to Snowflake. 


📔 Note – For the best onboarding experience, first ensure your organization has at least one repository with at least one commit that is owned by the GitHub organization (when creating the repository, select the “Add a README” option).


2 – Snowflake Account with ACCOUNTADMIN privilege.


Whether it’s you or a member of your team, you will need the ability to create a user for Spyglass with its required permissions.


The installation process involves creating a SPYGLASS_USER and granting it a SPYGLASS_ROLE that inherits from SECURITYADMIN. There is some background about these Snowflake objects in our Security Best Practices guide.


📔 Note – If your Snowflake instance has an account network security policy, add our static egress IP to your allowed list of IPs: 34.31.88.206

📘 Install Guide

These are the steps for getting Spyglass installed. 

1 – Login

Go to app.spyglass.software/login


Click on “Sign In with GitHub” or “Sign In with Okta”:

Sign in with your GitHub or Okta account:


📔 Note – Spyglass requires a GitHub Organization (how to create a GitHub Organization) and for you to have at least one repository with one commit in your account that is owned by the GitHub organization. The simplest way to complete this is to a) create a new repository in the GitHub Organization account and b) while creating it, select “Add README file” for an automatic contribution to the repository.

Provide Spyglass the permissions to your account:

2 – Connect GitHub Account

Once you've signed in, on the left navigation bar, go to the Settings page:

Click on the Spyglass GitHub App text for a link to GitHub to install the Spyglass HQ GitHub App. 


Click on “Configure” in GitHub:

Install the Spyglass HQ App in your GitHub Organization account:

After clicking on the Organization Account, you’ll navigate to the GitHub Apps page, which lets you give the Spyglass HQ App access to “All repositories” or “Only select repositories,” both of which work to configure Spyglass. (Example: a common pattern is configuring Spyglass in a development environment before moving to production.)

Navigating back to Spyglass and to the Settings page, you can then configure an Active Repository for Spyglass to work with:

At this point, your GitHub Account is fully set up with Spyglass.


Once you have your Snowflake Account connected (the next step), you’ll be able to enable the below GitHub and Snowflake configurations in the Settings screen:

3 – Connect Snowflake Account


The installation process involves creating a SPYGLASS_USER and granting it a SPYGLASS_ROLE that inherits from SECURITYADMIN. There is some background about these Snowflake objects in our Security Best Practices guide.


📔 Note – If your Snowflake instance has an account network security policy, add our static egress IP to your allowed list of IPs: 34.31.88.206


📔 Note – Connecting Spyglass to Snowflake requires access to the SECURITYADMIN role
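The allow-list change from the note above, as an added example and not part of Spyglass's setup commands. The names corp_policy and spyglass_only and the 203.0.113.0/24 range are placeholders; the last step is optional and can only run after SPYGLASS_USER has been created.

```sql
-- Added example, not Spyglass's setup script. corp_policy, spyglass_only and
-- 203.0.113.0/24 are placeholders; substitute your own names and ranges.

-- 1. Find the policy enforced at the account level and inspect its lists.
SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN ACCOUNT;
DESCRIBE NETWORK POLICY corp_policy;

-- 2. SET replaces the whole list, so restate every existing entry
--    and append the Spyglass egress IP from the note above.
ALTER NETWORK POLICY corp_policy SET
    ALLOWED_IP_LIST = ('203.0.113.0/24', '34.31.88.206');

-- 3. Optional hardening once SPYGLASS_USER exists: a user-level policy takes
--    precedence over the account-level one, so this service user can
--    authenticate only from the Spyglass egress IP.
CREATE NETWORK POLICY spyglass_only
    ALLOWED_IP_LIST = ('34.31.88.206')
    COMMENT = 'Restricts SPYGLASS_USER to the vendor egress IP';

ALTER USER SPYGLASS_USER SET NETWORK_POLICY = spyglass_only;
```

Because SPYGLASS_ROLE inherits from SECURITYADMIN, pinning the service user to a single source IP limits where its credentials can be used if they are ever exposed.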


To connect Spyglass to Snowflake, go into Settings and, under the Snowflake section, click on “Connect”:

Input your Snowflake account identifier and copy and run the commands in a Snowflake Worksheet while assuming SECURITYADMIN to create the SPYGLASS_USER:

📔 Note – You can find your Snowflake account identifier by going to Admin → Accounts in your Snowflake account and clicking on the Account to copy the identifier. The identifier will be the 14 characters after the https://

Click on “Verify” in the Spyglass UI (seen above) to confirm the connection. If successful, you will see the below:

You’ve now successfully connected your Snowflake account to Spyglass.

Common Setup Issues when integrating with Snowflake

Error = JWT token is invalid

When it may happen = when configuring your Snowflake account

What to check with your setup configurations = ensure that you highlight and run the SPYGLASS_USER creation commands in your Snowflake worksheet so that they all run together as opposed to independently

4 – Import


A feature of Spyglass is the ability to import your existing Snowflake access configurations without having to recreate them in other solutions.


Go to the Current page in Spyglass and click on Import Now:

You’ll see the below message showing success of the import and prompting you to go to GitHub to approve the pull request:

Go into your GitHub Organization account and approve and merge the pending pull request from Spyglass:

Once completed, you will see your configurations ready in Spyglass.

ℹ️ Support

If you're a Spyglass customer or participating in Spyglass Free Trial, reach out to support@spyglass.software.


For any non-support related questions or feature requests, reach out to devs@spyglass.software.