
SECRET

Config path: /<database>/<schema>/secret/<name>.yaml

Example (OAuth2 secret):

type: oauth2
api_authentication: TEST_API_SECURITY_INTEGRATION
oauth_refresh_token: RjY2NjM5NzA2OWJjuE7c
oauth_refresh_token_expiry_time: "2030-01-01 00:00:00"

Example (generic string secret):

type: generic_string
secret_string: very secret string!

Schema

  • type (str) - secret type (OAUTH2, PASSWORD, GENERIC_STRING)

  • api_authentication (str) - name of Snowflake security integration

  • oauth_scopes (list)

    • {items} (str) - list of scopes to use when making a request from the OAuth server

  • oauth_refresh_token (str) - token that is used to obtain a new access token from the OAuth authorization server when the access token expires

  • oauth_refresh_token_expiry_time (str) - timestamp when the OAuth refresh token expires

  • username (str) - username value to store in the secret

  • password (str) - password value to store in the secret

  • secret_string (str) - string to store in the secret

  • algorithm (str)

  • comment (str)

Usage notes

  1. In order to avoid storing secrets in config files as plain text, you may use placeholders or programmatic config.

  2. Security integrations are not managed by SnowDDL and should be created separately.

  3. Snowflake does not return actual secret values from SHOW and DESC commands, so SnowDDL cannot detect changes to secret values in config. If you update any secret value in config, use the additional CLI option --refresh-secrets to force the update in the Snowflake account.
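
One way to enforce usage note 1 in CI, as an added example that is not part of SnowDDL or its documentation: a small Python check that flags literal values in the secret-bearing fields of a SECRET config. It assumes whole-value ${NAME} placeholders and !decrypt-tagged scalars are the accepted non-plaintext forms; the function name and the sample configs are constructed for illustration.

```python
import re

# Fields from the SECRET schema that carry secret material.
SENSITIVE_KEYS = {"oauth_refresh_token", "password", "secret_string"}

# Assumption: a value is not plaintext when it is a whole-value ${NAME}
# placeholder or a scalar tagged with !decrypt. Adjust to your setup.
PLACEHOLDER_RE = re.compile(r"^\$\{[A-Za-z_][A-Za-z0-9_]*\}$")
KEY_VALUE_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*):\s*(.*)$")


def find_plaintext_secrets(yaml_text):
    """Return (line_number, key) for each sensitive top-level key set to a literal."""
    findings = []
    for lineno, line in enumerate(yaml_text.splitlines(), start=1):
        match = KEY_VALUE_RE.match(line)
        if not match or match.group(1) not in SENSITIVE_KEYS:
            continue
        value = match.group(2).strip()
        if value.startswith("!decrypt "):
            continue  # encrypted scalar, decrypted at load time
        # Strip one pair of surrounding quotes before testing for a placeholder.
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        # Anything else, including a placeholder mixed with literal text or a
        # trailing comment, is reported so the check fails closed.
        if value and not PLACEHOLDER_RE.match(value):
            findings.append((lineno, match.group(1)))
    return findings


# Constructed sample configs (not real credentials).
PLAINTEXT_SAMPLE = "type: generic_string\nsecret_string: very secret string!\n"
PLACEHOLDER_SAMPLE = "type: password\nusername: svc_api\npassword: ${API_PASSWORD}\n"
ENCRYPTED_SAMPLE = "type: generic_string\nsecret_string: !decrypt CONSTRUCTED_CIPHERTEXT\n"

if __name__ == "__main__":
    for name, text in [("plaintext", PLAINTEXT_SAMPLE),
                       ("placeholder", PLACEHOLDER_SAMPLE),
                       ("encrypted", ENCRYPTED_SAMPLE)]:
        print(name, find_plaintext_secrets(text))
```

The check reads only flat top-level keys, which is the shape of the SECRET configs shown on this page.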

Links

  • CREATE SECRET

  • SHOW SECRETS

  • DESC SECRET

  • Parser & JSON Schema (GitHub)
