Config path: /<database>/<schema>/secret/<name>.yaml

Example:

type: oauth2
api_authentication: TEST_API_SECURITY_INTEGRATION
oauth_refresh_token: RjY2NjM5NzA2OWJjuE7c
oauth_refresh_token_expiry_time: "2030-01-01 00:00:00"

type: generic_string
secret_string: very secret string!

Schema

• type (str) - secret type (OAUTH2, PASSWORD, GENERIC_STRING)

• api_authentication (str) - name of Snowflake security integration

• oauth_scopes (list)

  • {items} (str) - list of scopes to use when making a request from the OAuth server

• oauth_refresh_token (str) - token that is used to obtain a new access token from the OAuth authorization server when the access token expires

• oauth_refresh_token_expiry_time (str) - timestamp when the OAuth refresh token expires

• username (str) - username value to store in the secret

• password (str) - password value to store in the secret

• secret_string (str) - string to store in the secret

• comment (str)

Usage notes

1. In order to avoid storing secrets in config files as plain text, you may use placeholders or programmatic config.

2. Security integrations are not managed by SnowDDL and should be created separately.

3. Snowflake does not return actual secret values from SHOW and DESC commands, so SnowDDL is unable to properly detect changes in config secret values. If you update any secret values in config, you should use additional CLI option --refresh-secrets to enforce update in Snowflake account.

Links

• CREATE SECRET

• SHOW SECRETS

• DESC SECRET

• Parser & JSON Schema (GitHub)