@cli4ai/snowflake
v1.0.9
Published
Snowflake read-only queries
Maintainers
cliforaiReadme
@cli4ai/snowflake
Official @cli4ai package • https://cli4ai.com • Install cli4ai:
npm i -g cli4ai
Snowflake explorer with read-only SQL (blocks writes by default).
Setup
npm i -g cli4ai
cli4ai add -g snowflakeCreate ~/.snowflake/connections.toml (required). Example:
[dev]
account = "xy12345.us-east-1"
user = "YOUR_USER"
password = "YOUR_PASSWORD"
warehouse = "COMPUTE_WH"
role = "SYSADMIN"
database = "MY_DB"
schema = "PUBLIC"Then verify:
cli4ai run snowflake connectionsCommands
cli4ai run snowflake connections
cli4ai run snowflake warehouses <conn>
cli4ai run snowflake databases <conn>
cli4ai run snowflake schemas <conn> [database]
cli4ai run snowflake tables <conn> [database] [schema]
cli4ai run snowflake views <conn> [database] [schema]
cli4ai run snowflake columns <conn> <table>
cli4ai run snowflake ddl <conn> <table>
cli4ai run snowflake sample <conn> <table> [limit]
cli4ai run snowflake count <conn> <table>
cli4ai run snowflake query <conn> <sql>
cli4ai run snowflake context <conn>
cli4ai run snowflake stages <conn>
cli4ai run snowflake formats <conn>
cli4ai run snowflake functions <conn>
cli4ai run snowflake procedures <conn>
cli4ai run snowflake tasks <conn>
cli4ai run snowflake streams <conn>
cli4ai run snowflake search <conn> <pattern>Security
Credentials
Store your ~/.snowflake/connections.toml file with restricted permissions:
chmod 600 ~/.snowflake/connections.tomlConsider using Snowflake key-pair authentication instead of passwords for production use. See Snowflake Key-Pair Authentication.
Read-Only Enforcement
This tool blocks destructive SQL commands (INSERT, UPDATE, DELETE, DROP, etc.) at the application layer. However, this is defense-in-depth only.
Best practice: Use a role with minimal privileges for maximum protection. Snowflake allows creating roles with restricted privileges:
CREATE ROLE readonly_role;
GRANT USAGE ON WAREHOUSE MY_WH TO ROLE readonly_role;
GRANT USAGE ON DATABASE MY_DB TO ROLE readonly_role;
GRANT USAGE ON ALL SCHEMAS IN DATABASE MY_DB TO ROLE readonly_role;
GRANT SELECT ON ALL TABLES IN DATABASE MY_DB TO ROLE readonly_role;
GRANT SELECT ON FUTURE TABLES IN DATABASE MY_DB TO ROLE readonly_role;The application-layer filtering may have edge cases (e.g., stored procedures, unusual syntax). Database-level permissions are the authoritative security boundary.