# CLI interface The easiest way to use SnowDDL is to create and apply YAML configs with CLI interface. SnowDDL registers `snowddl` CLI entry-point using [setuptools](https://setuptools.pypa.io/en/latest/userguide/entry_point.html). It should be available in your terminal immediately after installation. ## Quick help ``` usage: snowddl [-h] [-c CONFIG_PATH] [-a ACCOUNT] [-u USER] [-p PASSWORD] [-k PRIVATE_KEY] [-r ROLE] [-w WAREHOUSE] [--authenticator AUTHENTICATOR] [--passphrase PASSPHRASE] [--env-prefix ENV_PREFIX] [--env-prefix-separator {__,_,$}] [--env-admin-role ENV_ADMIN_ROLE] [--max-workers MAX_WORKERS] [--query-tag QUERY_TAG] [--log-level LOG_LEVEL] [--show-sql] [--show-timers] [--show-unused-files] [--placeholder-path] [--placeholder-values] [--exclude-object-types] [--include-object-types] [--apply-unsafe] [--apply-replace-table] [--apply-all-policy] [--apply-account-level-policy] [--apply-aggregation-policy] [--apply-authentication-policy] [--apply-masking-policy] [--apply-projection-policy] [--apply-row-access-policy] [--apply-account-params] [--apply-network-policy] [--apply-resource-monitor] [--apply-outbound-share] [--refresh-user-passwords] [--refresh-future-grants] [--refresh-stage-encryption] [--refresh-secrets] [--clone-table] [--destroy-without-prefix] {plan,apply,destroy,validate} ... Object management automation tool for Snowflake positional arguments: {plan,apply,destroy,validate} plan Resolve objects, apply nothing, display suggested changes apply Resolve objects, apply safe changes, display suggested unsafe changes destroy Drop objects with specified --env-prefix, use it to reset dev and test environments validate Validate config only, do not connect to Snowflake options: -h, --help show this help message and exit -c CONFIG_PATH Path to config directory OR name of bundled test config (default: current directory) -a ACCOUNT Snowflake account identifier (default: SNOWFLAKE_ACCOUNT env variable) -u USER Snowflake user name (default: SNOWFLAKE_USER env variable) -p PASSWORD Snowflake user password (default: SNOWFLAKE_PASSWORD env variable) -k PRIVATE_KEY Path to private key file (default: SNOWFLAKE_PRIVATE_KEY_PATH env variable) -r ROLE Snowflake active role (default: SNOWFLAKE_ROLE env variable) -w WAREHOUSE Snowflake active warehouse (default: SNOWFLAKE_WAREHOUSE env variable) --authenticator AUTHENTICATOR Authenticator: snowflake, externalbrowser, oauth, oauth_snowpark, workload_identity (default: SNOWFLAKE_AUTHENTICATOR env variable or 'snowflake') --oauth-token OAUTH_TOKEN Oauth access token (default: SNOWFLAKE_OAUTH_TOKEN env variable) --workload-identity-token Workload identity token (default: SNOWFLAKE_WORKLOAD_IDENTITY_TOKEN env variable) --workload-identity-provider Workload identity provider (default: SNOWFLAKE_WORKLOAD_IDENTITY_PROVIDER env variable) --passphrase PASSPHRASE Passphrase for private key file (default: SNOWFLAKE_PRIVATE_KEY_PASSPHRASE env variable) --env-prefix ENV_PREFIX Env prefix added to global object names, used to separate environments (e.g. DEV, PROD) --env-prefix-separator {__,_,$} Custom separator for Env prefix (supported values are: '__', '_', '$') --env-admin-role ENV_ADMIN_ROLE Super administration role which should inherit env prefixed SnowDDL role --max-workers MAX_WORKERS Maximum number of workers to resolve objects in parallel --query-tag QUERY_TAG Add QUERY_TAG to all queries produced by SnowDDL --log-level LOG_LEVEL Log level (possible values: DEBUG, INFO, WARNING; default: INFO) --show-sql Show executed DDL queries --show-timers Show debug timers --show-unused-files Show warnings for unused config files --placeholder-path Path to config file with environment-specific placeholders --placeholder-values Environment-specific placeholder values in JSON format --exclude-object-types Comma-separated list of object types NOT to resolve --include-object-types Comma-separated list of object types TO resolve, all other types are excluded --apply-unsafe Additionally apply unsafe changes, which may cause loss of data (ALTER, DROP, etc.) --apply-replace-table Additionally apply REPLACE TABLE when ALTER TABLE is not possible --apply-all-policy Additionally apply changes for all types of policies --apply-account-level-policy Additionally apply changes for ACCOUNT-level policies --apply-aggregation-policy Additionally apply changes to AGGREGATION POLICIES --apply-authentication-policy Additionally apply changes to AUTHENTICATION POLICIES --apply-masking-policy Additionally apply changes to MASKING POLICIES --apply-projection-policy Additionally apply changes to PROJECTION POLICIES --apply-row-access-policy Additionally apply changes to ROW ACCESS POLICIES --apply-account-params Additionally apply changes to ACCOUNT PARAMETERS --apply-network-policy Additionally apply changes to NETWORK POLICIES --apply-resource-monitor Additionally apply changes to RESOURCE MONITORS --apply-outbound-share Additionally apply changes to OUTBOUND SHARES --refresh-user-passwords Additionally refresh passwords of users --refresh-workload-identity Additionally refresh workload identites of users --refresh-future-grants Additionally refresh missing grants for existing objects derived from future grants --refresh-stage-encryption Additionally refresh stage encryption parameters for existing external stages --refresh-secrets Additionally refresh secrets --clone-table Clone all tables from source databases to destination databases (with env_prefix) --clone-source-env-prefix Clone from another environment with different env_prefix --destroy-without-prefix Allow {destroy} action without --env-prefix ``` ### Usage notes * Action argument is mandatory: * Use **plan** action to preview changes. * Use **apply** action to apply OR suggest changes, depending on other settings. * Use **destroy** action to drop all objects created by SnowDDL previously. * Use **validate** action to validate the declared config only without connecting to Snowflake. * SnowDDL provides [a few bundled configs](https://github.com/littleK0i/snowddl/tree/master/snowddl/_config/) for testing and demonstration purposes. You may use such config by passing its name to **-c** argument. * [Account identifier](https://docs.snowflake.com/en/user-guide/admin-account-identifier.html) should be passed to **-a** argument without `.snowflakecomputing.com`. * You may use password OR private key for authentication. Private key is recommended for production environment. * Object types for `--include` and `--exclude` arguments can be found [here](/basic/yaml-configs.md). * Suggested & optionally executed DDL queries are outputted to `STDOUT`. Logs are outputted to `STDERR`. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.snowddl.com/basic/cli.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.