USE ROLE ACCOUNTADMIN;

CREATE USER sundaysky_service_user
TYPE = SERVICE

USE DATABASE MY_DATABASE;
CREATE OR REPLACE AUTHENTICATION POLICY sundaysky_pat_policy
AUTHENTICATION_METHODS = ('PASSWORD', 'PROGRAMMATIC_ACCESS_TOKEN')
PAT_POLICY = (
NETWORK_POLICY_EVALUATION = ENFORCED_NOT_REQUIRED
);

ALTER USER sundaysky_service_user SET AUTHENTICATION POLICY sundaysky_pat_policy;

CREATE ROLE SUNDAYSKY_READONLY;
GRANT USAGE ON WAREHOUSE COMPUTE_WH TO ROLE SUNDAYSKY_READONLY;
GRANT USAGE ON DATABASE MY_DATABASE TO ROLE SUNDAYSKY_READONLY;
GRANT USAGE ON SCHEMA EMPLOYEE_ONBOARDING TO ROLE SUNDAYSKY_READONLY;
GRANT SELECT ON TABLE NEW_EMPLOYEES TO ROLE SUNDAYSKY_READONLY;

GRANT ROLE SUNDAYSKY_READONLY TO USER sundaysky_service_user;

ALTER USER "SUNDAYSKY_SERVICE_USER" ADD PROGRAMMATIC ACCESS TOKEN sundaysky_service_token
ROLE_RESTRICTION = 'SUNDAYSKY_READONLY'
DAYS_TO_EXPIRY = 365;