[CONTENT SPRINT] Snowflake Warehouses, Roles, and Short-Lived Credentials with Pulumi#18952

Draft
sicarul wants to merge 1 commit into master from blog/pulumi-snowflake-warehouses-roles-esc

Conversation

@sicarul
Contributor

@sicarul sicarul commented May 13, 2026

Why this content is interesting

  • It combines Snowflake infrastructure, RBAC, and credential handling in one operational story.
  • It is scheduled for 2026-06-16 as part of the content sprint's two-post-per-week cadence.

What we took into account

  • We considered warehouses, databases, role hierarchies, grants, and Pulumi ESC so the post stays distinct from dynamic-credential launch content.
  • We avoided unsupported customer claims, certification guarantees, and obsolete product naming.
  • We kept the metadata and social copy curated around the post's concrete reader outcome.

Why it is useful to an end user

  • End users get a governed Snowflake baseline that reduces both access drift and credential risk.
  • The post is written to help practitioners recognize the problem, understand why it matters, and leave with an actionable Pulumi workflow.

Design need

  • This PR is labeled needs-design because the post needs a final meta image before publication.
  • Existing feature.png and meta.png files are placeholders unless Design chooses to reuse or adapt them.

Metadata

  • Title: Snowflake Warehouses, Roles, and Short-Lived Credentials with Pulumi
  • Meta description: Provision Snowflake warehouses, databases, role hierarchies, and grants with Pulumi while using Pulumi ESC to avoid long-lived static credentials.

🤖 Generated with OpenCode

@sicarul sicarul added area/blog-content Issues relating to content for pulumi.com/blog needs-design Needs input from design/UX labels May 13, 2026
@github-actions
Contributor

github-actions Bot commented May 13, 2026

Social Media Review

content/blog/pulumi-snowflake-warehouses-roles-esc/index.md

X — PASS

LinkedIn — PASS

Bluesky — PASS


Suggestions (advisory)

These are stylistic notes — they don't block the post.

X

  • "should cover more than warehouses" opens with a soft premise — a line naming the specific gap (credentials, role grants) lands harder
  • Both sentences together map out the full article (roles, grants, databases, credentials) — the reader has the whole contents list before clicking

LinkedIn

  • Opener "Snowflake governance depends on both infrastructure and access" is generic enough to apply to any IaC vendor; nothing earns specificity to Pulumi or ESC
  • The body names every mechanism in the article (warehouses, databases, role hierarchies, grants, ESC, static credentials) — nothing is withheld to create a reason to read

Bluesky

  • "needs warehouses, roles, grants, databases, and better credential handling" is a full inventory of the article's topics, closing the curiosity gap entirely
  • "Use Pulumi plus ESC." reads as a product tag appended to a summary rather than a payoff that earns the click

Updated for commit 8ebe38608f1d156857d74eeec0da51b274ccadaf (short: 8ebe386) at 2026-05-13 21:55 UTC.

@pulumi-bot
Collaborator

pulumi-bot commented May 13, 2026
Lighthouse Performance Report

Commit: ea7f6c0 | Metric definitions

| Page | Device | Score | FCP | LCP | TBT | CLS | SI |
|---|---|---|---|---|---|---|---|
| Homepage | Mobile | 🟡 84 | 2.9s | 3.0s | 264ms | 0.019 | 3.2s |
| Homepage | Desktop | 🟢 92 | 0.7s | 1.0s | 24ms | 0.020 | 2.6s |
| Install Pulumi | Mobile | 🔴 36 | 5.2s | 7.8s | 308ms | 0.438 | 5.2s |
| Install Pulumi | Desktop | 🟢 91 | 1.2s | 1.6s | 22ms | 0.023 | 1.3s |
| AWS Get Started | Mobile | 🟡 54 | 5.0s | 7.6s | 234ms | 0.083 | 7.6s |
| AWS Get Started | Desktop | 🟡 85 | 1.2s | 1.6s | 20ms | 0.032 | 2.7s |

@sicarul sicarul force-pushed the blog/pulumi-snowflake-warehouses-roles-esc branch from ea7f6c0 to 760b02c Compare May 13, 2026 21:03
@sicarul sicarul force-pushed the blog/pulumi-snowflake-warehouses-roles-esc branch from 760b02c to 8ebe386 Compare May 13, 2026 21:52
@sicarul
Contributor Author

sicarul commented May 13, 2026

@claude please review again. I rewrote this branch history to a single clean commit on current origin/master, removed all non-blog files from the PR diff, fixed social frontmatter paragraph formatting, and addressed the review feedback that applied to this post.

@pulumi-bot
Collaborator

pulumi-bot commented May 13, 2026

Claude finished @sicarul's task in 1m 38s


Re-review

Thanks for the cleanup — the rewrite landed correctly. The PR now shows a single commit (8ebe386) touching only the three files under content/blog/pulumi-snowflake-warehouses-roles-esc/ (index.md, feature.png, meta.png). Social YAML now uses two paragraphs separated by a blank line for all three networks, which addresses the social-media-review failures.

What looks good

  • Scope: PR is now clean — no stray non-blog files. ✅
  • Frontmatter: date: 2026-06-16 matches the sprint slot; authors: pablo-seibelt resolves to data/team/team/pablo-seibelt.toml; tags are sensible; meta_desc reads well and matches the body's promise. ✅
  • Social copy: Two-paragraph structure on X / LinkedIn / Bluesky should pass the social-media-review check now. ✅
  • Headings: H1 title case, H2/H3 sentence case throughout. ✅
  • Code style: TypeScript snippets follow the project's hand-written constructor style (resource name + { on the same line) — no Prettier multi-arg drift. ✅
  • Links: /docs/esc/ uses the full canonical path, which is the correct pattern for internal docs links. ✅
  • ESC example: The fn::open::snowflake-login YAML shape matches content/docs/esc/integrations/dynamic-login-credentials/snowflake-login.md. ✅
  • `` is placed appropriately after the intro. ✅

Suggestions (non-blocking)

  1. autoResume: "true" (line 69) — Worth double-checking against the current @pulumi/snowflake schema. In recent provider versions, autoResume on snowflake.Warehouse is typed as a string in the schema (matching Snowflake's SQL semantics), but if you've verified it works as a boolean in the version you're targeting, that would be cleaner. Either way, please verify by running pulumi preview against the snippet, since readers will copy this.

  2. Heading capitalization on line 54 — "Walkthrough: Warehouses, databases, and roles" capitalizes "Warehouses" after the colon. Pulumi style is sentence case for H2+, so strictly this should be "Walkthrough: warehouses, databases, and roles". Minor, but consistent with the rest of the post.

  3. Inconsistency between line 90 narrative and the code — The prose says "This allows a 'writer' role to inherit all permissions from a 'reader' role," but the GrantAccountRole on lines 90–93 sets roleName: readerRole.name with parentRoleName: writerRole.name. That grants READER to WRITER, so WRITER inherits READER's privileges — which matches the prose. ✅ Sanity-checked, no change needed; flagging only because role-grant direction is the kind of thing readers second-guess. Consider a one-line clarifying comment in the prose ("we grant READER to WRITER so WRITER inherits READER's privileges") if you want to head off confusion.

  4. meta.png / feature.png — PR body notes these are placeholders and the post is labeled needs-design. No action needed from content side, but worth confirming Design is aware before the 2026-06-16 publish date.

  5. Pulumi Insights example (lines 141–143) — The query type:snowflake:index/warehouse:Warehouse -name:PROD_ reads naturally as Resource Search syntax; if you want, you could link to the Resource Search docs so readers know where to run it. Optional polish.

  6. Bluesky copy — "Use Pulumi plus ESC." as a standalone paragraph reads a bit terse. Not a blocker; it fits within the character budget. If you want a slightly stronger close, something like "Pulumi + ESC keeps it governed." would land harder. Subjective.

Verdict

Content is solid and the structural issues from the previous review are resolved. The two items I'd actually act on before merge are (a) verifying autoResume's type for the provider version you're targeting and (b) the sentence-case heading on line 54. Everything else is optional polish.


  • Pull latest branch state and inspect PR diff vs origin/master
  • Verify the PR is now scoped to blog-only files
  • Review the blog post content for style, accuracy, and Pulumi best practices
  • Verify social frontmatter paragraph formatting
  • Post review
    • Branch: blog/pulumi-snowflake-warehouses-roles-esc
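As an added illustration of the role-grant direction discussed in item 3 of the review above (example code written for this page, not code from the PR or from the blog post under review): a small TypeScript model of a Snowflake-style role hierarchy that mirrors the argument names of snowflake.GrantAccountRole (roleName, parentRoleName) and computes the privileges each role ends up holding. The role names, privilege labels, the `intended` map and the helper names are constructed for the example; the point it makes is that granting READER to WRITER gives WRITER everything READER has, while the inverted grant silently hands READER the DML privileges of WRITER.

```typescript
// Added example (not code from the PR or the blog post under review): a small
// model of Snowflake-style role hierarchies that mirrors the argument names of
// snowflake.GrantAccountRole (roleName, parentRoleName). Granting roleName to
// parentRoleName makes the parent inherit the child's privileges. Role and
// privilege names below are constructed sample data, not values from the post.

interface RoleGrant {
  roleName: string;       // the role being granted (the child in the hierarchy)
  parentRoleName: string; // the role that receives the grant and inherits from it
}

interface RoleModel {
  directPrivileges: Record<string, string[]>; // privileges granted straight to a role
  grants: RoleGrant[];                        // role-to-role grants
}

// Roles granted directly to `role`, i.e. the roles it inherits from.
function childrenOf(model: RoleModel, role: string): string[] {
  return model.grants
    .filter((g) => g.parentRoleName === role)
    .map((g) => g.roleName);
}

// Every privilege `role` holds, directly or through the roles granted to it.
// Returns a sorted, de-duplicated list so results are easy to compare.
function effectivePrivileges(model: RoleModel, role: string): string[] {
  const seen = new Set<string>();
  const out = new Set<string>();
  const stack: string[] = [role];
  while (stack.length > 0) {
    const r = stack.pop() as string;
    if (seen.has(r)) continue; // guards against cyclic grants (A -> B -> A)
    seen.add(r);
    for (const p of model.directPrivileges[r] || []) out.add(p);
    stack.push(...childrenOf(model, r));
  }
  return Array.from(out).sort();
}

// Roles that end up with more privilege than their owner intended.
// `intended` maps each role to the privileges it is expected to hold;
// the result lists, per role, the privileges that exceed that expectation.
function privilegeOverreach(
  model: RoleModel,
  intended: Record<string, string[]>,
): Record<string, string[]> {
  const result: Record<string, string[]> = {};
  for (const role of Object.keys(intended)) {
    const allowed = new Set(intended[role]);
    const extra = effectivePrivileges(model, role).filter((p) => !allowed.has(p));
    if (extra.length > 0) result[role] = extra;
  }
  return result;
}

// Constructed sample: READER holds read-only privileges, WRITER holds DML privileges.
const directPrivileges: Record<string, string[]> = {
  READER: ["USAGE:WAREHOUSE", "USAGE:DATABASE", "SELECT:TABLES"],
  WRITER: ["INSERT:TABLES", "UPDATE:TABLES", "DELETE:TABLES"],
};

// What the hierarchy is supposed to produce: WRITER is a superset of READER.
const intended: Record<string, string[]> = {
  READER: directPrivileges.READER,
  WRITER: directPrivileges.READER.concat(directPrivileges.WRITER),
};

// Grant direction as in the reviewed snippet: roleName READER, parentRoleName WRITER.
const correct: RoleModel = {
  directPrivileges,
  grants: [{ roleName: "READER", parentRoleName: "WRITER" }],
};

// The easy-to-make inversion: READER would inherit WRITER's DML privileges.
const inverted: RoleModel = {
  directPrivileges,
  grants: [{ roleName: "WRITER", parentRoleName: "READER" }],
};

console.log("WRITER effective (correct):", effectivePrivileges(correct, "WRITER"));
console.log("overreach (correct):", privilegeOverreach(correct, intended));
console.log("overreach (inverted):", privilegeOverreach(inverted, intended));
```

The `privilegeOverreach` check is the part worth keeping around: run it against the intended privilege map before applying a hierarchy change, and an inverted `GrantAccountRole` shows up as READER gaining INSERT/UPDATE/DELETE rather than being discovered after the fact.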

@sicarul
Contributor Author

sicarul commented May 13, 2026

@claude please review again. Branch history is now a single clean commit on current origin/master. The PR diff contains only content/blog/pulumi-snowflake-warehouses-roles-esc/index.md plus feature.png and meta.png. Social-review is passing, and actionable content feedback has been addressed.

@pulumi-bot
Collaborator

pulumi-bot commented May 13, 2026

Claude finished @sicarul's task in 1m 8s


Re-review

PR is now scoped exactly to the three blog files under content/blog/pulumi-snowflake-warehouses-roles-esc/ on a single commit (8ebe386). Social-review is passing (two-paragraph formatting confirmed in the YAML). Most of the previous feedback is resolved — but two of the items I'd flagged as actionable in the prior pass have not been addressed in this update.

What looks good

  • Scope: PR diff is clean — index.md, feature.png, meta.png only. ✅
  • Frontmatter: date: 2026-06-16, authors: pablo-seibelt, tags, meta_desc all look correct. ✅
  • Social copy: Two-paragraph structure on X / LinkedIn / Bluesky — passes social-media-review. ✅
  • Headings (most): H1 title case, H2/H3 sentence case throughout — except line 54 (see below).
  • Code style: TypeScript snippets follow the project's hand-written constructor style. ✅
  • Links: /docs/esc/ uses the full canonical path. ✅
  • ESC example: fn::open::snowflake-login YAML shape still matches content/docs/esc/integrations/dynamic-login-credentials/snowflake-login.md. ✅
  • `` placement after the intro is correct. ✅

Outstanding items from previous review

These two were called out in the prior pass and remain unaddressed in 8ebe386:

  1. Heading on line 54 still has incorrect case: `## Walkthrough: Warehouses, databases, and roles` should be `## Walkthrough: warehouses, databases, and roles` (sentence case for H2+ per AGENTS.md). Everything else in the file follows the rule; this one is the lone outlier.

  2. autoResume: "true" (line 69) still passes a string — I flagged this last time as worth verifying against the @pulumi/snowflake schema you're targeting. Readers will copy the snippet, so a quick pulumi preview against the current provider would be reassuring. If the schema accepts boolean, autoResume: true is cleaner; if it requires a string, the current form is fine as-is.

Non-blocking notes (unchanged from last pass)

  • meta.png / feature.png are placeholders pending Design — needs-design label is already on the PR. No content-side action needed.
  • The role-grant prose on line 79 + the GrantAccountRole on lines 90–93 are consistent (READER granted to WRITER, so WRITER inherits READER's privileges). ✅
  • Optional: the Resource Search query on line 142 could link to the Resource Search docs for readers unfamiliar with the syntax.

Verdict

The structural cleanup landed correctly and social-review is passing. The only must-fix before merge is the line-54 heading case. The autoResume typing is a verify-before-merge ask rather than a blocker.


  • Pull latest branch state and verify PR diff vs origin/master
  • Confirm previous content feedback addressed (heading case, autoResume, etc.) — partially: heading and autoResume items not yet applied
  • Verify social frontmatter paragraph formatting
  • Post review
    • Branch: blog/pulumi-snowflake-warehouses-roles-esc

@sicarul
Contributor Author

sicarul commented May 13, 2026

@claude please review again. This request is after the latest pushed head commit 8ebe3860. The branch has a single clean commit on current origin/master, and the PR diff is limited to content/blog/pulumi-snowflake-warehouses-roles-esc/index.md, feature.png, and meta.png.

@pulumi-bot
Collaborator

pulumi-bot commented May 13, 2026

Claude finished @sicarul's task in 1m 40s


Re-review

PR scope is clean — single commit 8ebe386 touching only content/blog/pulumi-snowflake-warehouses-roles-esc/{index.md,feature.png,meta.png}. Author file data/team/team/pablo-seibelt.toml resolves; social-review is passing; ESC snippet shape still matches content/docs/esc/integrations/dynamic-login-credentials/snowflake-login.md.

⚠️ Note on commit identity

The trigger comment references 8ebe3860 — that's the same head commit I reviewed in the previous pass. The file content under review here is byte-identical to the previous re-review, so the two items I flagged then are still in the file. If you pushed a fix locally and it didn't make it to the remote, the PR head is still showing the prior state.

Still outstanding from prior reviews

  1. Line 54 heading case: `## Walkthrough: Warehouses, databases, and roles` remains with "Warehouses" capitalized after the colon. AGENTS.md requires sentence case for H2+. This is the lone outlier in the file and a strict style-guide violation.

  2. Line 69 autoResume: "true" — still passes a string literal. Verify against the @pulumi/snowflake schema you're targeting. If boolean is accepted, autoResume: true is cleaner; if the schema requires a string, the current form is fine. Worth confirming because readers will copy this directly.

What looks good (unchanged from prior pass)

  • Frontmatter: date: 2026-06-16, authors: pablo-seibelt, tags, meta_desc all check out. ✅
  • Social copy: Two-paragraph structure on X / LinkedIn / Bluesky — passes social-media-review. ✅
  • Code style: TypeScript snippets follow the project's hand-written constructor style. ✅
  • Links: /docs/esc/ uses the full canonical path. ✅
  • ESC example: fn::open::snowflake-login shape matches the integration docs. ✅
  • `` placement is correct. ✅
  • Role-grant prose vs. code: READER granted to WRITER — prose ("writer inherits permissions from reader") matches the code. ✅

Verdict

The PR is in good shape structurally and content-wise. The only hard blocker before merge is the line-54 heading case (style-guide violation per AGENTS.md). The autoResume typing is a verify-before-merge ask, not a blocker. feature.png / meta.png remain placeholders pending Design — the needs-design label covers that.


  • Pull latest branch state and verify PR diff vs origin/master
  • Verify previous outstanding items (heading case on line 54, autoResume typing)
  • Spot-check style, frontmatter, and code samples
  • Post review
    • Branch: blog/pulumi-snowflake-warehouses-roles-esc

@sicarul sicarul removed the needs-design Needs input from design/UX label May 14, 2026
@sicarul sicarul marked this pull request as draft May 14, 2026 00:26
@sicarul
Contributor Author

sicarul commented May 14, 2026

@claude please review again. This PR is now marked as draft, the needs-design label has been removed, and the latest pushed head is 8ebe3860.

@pulumi-bot
Collaborator

pulumi-bot commented May 14, 2026

Claude finished @sicarul's task in 1m 10s


Re-review

Confirmed: head commit is 8ebe3860, PR is now in draft state, and the needs-design label has been removed. Scope remains clean (the three blog files only).

The file content is byte-identical to the prior re-review — so the two items I flagged last time are still outstanding. Calling them out below so they don't get lost when this comes out of draft.

Still outstanding from prior reviews

  1. Line 54 heading case: `## Walkthrough: Warehouses, databases, and roles` still has "Warehouses" capitalized after the colon. AGENTS.md requires sentence case for H2+. This is the lone outlier in the file.

  2. Line 69 autoResume: "true" — still passes a string literal. Worth verifying against the @pulumi/snowflake schema you're targeting before this comes out of draft. If boolean is accepted, autoResume: true is cleaner; if the schema requires a string, the current form is fine as-is. Readers will copy this snippet directly, so a quick pulumi preview against the current provider version would be reassuring.

What looks good (unchanged)

  • Scope: PR diff is exactly content/blog/pulumi-snowflake-warehouses-roles-esc/{index.md,feature.png,meta.png} on a single commit. ✅
  • Frontmatter: date: 2026-06-16, authors: pablo-seibelt, tags, meta_desc all check out. ✅
  • Social copy: Two-paragraph structure on X / LinkedIn / Bluesky — passes social-media-review. ✅
  • Code style: TypeScript snippets follow the project's hand-written constructor style. ✅
  • Links: /docs/esc/ uses the full canonical path. ✅
  • ESC example: fn::open::snowflake-login shape matches content/docs/esc/integrations/dynamic-login-credentials/snowflake-login.md. ✅
  • `` placement is correct. ✅
  • Role-grant prose vs. code: READER granted to WRITER — prose ("writer inherits permissions from reader") matches the code. ✅

Notes on the status changes

  • Draft state: makes sense as a holding pattern while feature.png / meta.png are finalized. Content side is publish-ready once the two items above are addressed.
  • needs-design removed: if Design has signed off on the current feature.png / meta.png (or confirmed they're the final assets, not placeholders), the PR body should be updated to reflect that — it currently says they're placeholders.

Verdict

Same as prior pass: line 54 heading case is the one hard style-guide blocker; autoResume typing is a verify-before-merge ask. Everything else is in good shape. Bringing this out of draft after those two items would be safe to merge from a content-review standpoint.


  • Pull latest branch state and verify PR diff vs origin/master
  • Verify draft/label status changes mentioned in request
  • Re-check previous outstanding items (heading case on line 54, autoResume typing)
  • Post review
    • Branch: blog/pulumi-snowflake-warehouses-roles-esc

@sicarul sicarul force-pushed the blog/pulumi-snowflake-warehouses-roles-esc branch from 8ebe386 to 7fc80c2 Compare May 14, 2026 04:23
@sicarul
Contributor Author

sicarul commented May 14, 2026

@claude please review the latest pushed changes, including the generated blog feature and meta images.

@pulumi-bot
Collaborator

pulumi-bot commented May 14, 2026

Claude finished @sicarul's task in 1m 54s


Re-review

Head is now 7fc80c2 (a clean rebase since the previous pass — earlier reviews referenced 8ebe3860). PR diff is still scoped to the three blog files under content/blog/pulumi-snowflake-warehouses-roles-esc/. Looked at the regenerated feature.png and meta.png directly.

Images

Both PNGs are properly sized (feature.png 1884×1256, meta.png 1200×628) and styled in the Pulumi purple palette — the meta card renders the title cleanly, the logo treatment is consistent with the rest of the blog.

However: both images pair the Snowflake logo with an AWS logo, and the post body never mentions AWS. The post is purely about Snowflake + Pulumi + Pulumi ESC; the ESC example uses fn::open::snowflake-login with OIDC, which is cloud-agnostic. A reader landing on the social card will expect an AWS-specific angle that the post doesn't deliver. Two options:

  • Regenerate the images with a Snowflake-only variant (no AWS logo).
  • Or add a short AWS section to the body — e.g., showing OIDC trust set up via an AWS-hosted Pulumi runner — so the image reflects the content.

If this was a deliberate choice (e.g., the canonical Pulumi ESC OIDC flow assumes AWS as the trust provider), worth a one-line mention in the prose to make the image legible.

Still outstanding from prior reviews

The content of index.md is byte-identical to the previous re-review (rebase only, no content edits), so these two items remain:

  1. Line 54 heading case: `## Walkthrough: Warehouses, databases, and roles` still capitalizes "Warehouses" after the colon. Per AGENTS.md, H2+ must be sentence case. This is the lone outlier in the file.

  2. Line 69 autoResume: "true" — still a string literal. Worth verifying against the @pulumi/snowflake schema you're targeting; if boolean is accepted, autoResume: true is cleaner, and readers will copy this snippet verbatim. A quick pulumi preview against the current provider version would confirm.

What looks good (unchanged)

  • Scope: PR diff is exactly the three blog files on a single commit. ✅
  • Frontmatter: date: 2026-06-16, authors: pablo-seibelt (resolves to data/team/team/pablo-seibelt.toml), tags, meta_desc all check out. ✅
  • Social copy: Two-paragraph structure on X / LinkedIn / Bluesky — passes social-media-review. ✅
  • Code style: TypeScript snippets follow the project's hand-written constructor style. ✅
  • Links: /docs/esc/ uses the full canonical path. ✅
  • ESC example: fn::open::snowflake-login shape still matches content/docs/esc/integrations/dynamic-login-credentials/snowflake-login.md. ✅
  • `` placement is correct. ✅
  • Role-grant prose vs. code: READER granted to WRITER — prose ("writer inherits permissions from reader") matches the code. ✅

Verdict

The regenerated images are a clear visual improvement over placeholders, but the AWS logo without any AWS content in the body is a mismatch that's worth resolving before publish. The two text-level items from prior reviews (line 54 heading case, autoResume typing) are still in the file. Once those three are addressed, this is ready to come out of draft.


  • Pull latest branch state and verify PR diff vs origin/master
  • Inspect feature.png and meta.png (newly generated)
  • Re-check outstanding items (line 54 heading case, autoResume typing)
  • Spot-check style, frontmatter, and code samples
  • Post review
    • Branch: blog/pulumi-snowflake-warehouses-roles-esc
