# SECRET

Config path: `/<database>/<schema>/secret/<name>.yaml`

Example:

```yaml
type: oauth2
api_authentication: TEST_API_SECURITY_INTEGRATION
oauth_refresh_token: RjY2NjM5NzA2OWJjuE7c
oauth_refresh_token_expiry_time: "2030-01-01 00:00:00"
```

```yaml
type: generic_string
secret_string: very secret string!
```

## Schema

* <mark style="background-color:red;">**type**</mark> (str) - secret type (`OAUTH2`, `PASSWORD`, `GENERIC_STRING`)
* **api\_authentication** (str) - name of Snowflake [security integration](https://docs.snowflake.com/en/sql-reference/sql/create-security-integration)&#x20;
* **oauth\_scopes** (list)
  * *{items}* (str) - list of scopes to use when making a request from the OAuth server
* **oauth\_refresh\_token** (str) - token that is used to obtain a new access token from the OAuth authorization server when the access token expires
* **oauth\_refresh\_token\_expiry\_time** (str) - timestamp when the OAuth refresh token expires
* **username** (str) - username value to store in the secret
* **password** (str) - password value to store in the secret
* **secret\_string** (str) - string to store in the secret
* **algorithm** (str)
* **comment** (str)

## Usage notes

1. In order to avoid storing secrets in config files as plain text, you may use [placeholders](/basic/yaml-placeholders.md) or [programmatic config](/advanced/programmatic-config.md).
2. Security integrations are not managed by SnowDDL and should be [created separately](/guides/other-guides/integrations.md).
3. Snowflake does not return actual secret values from `SHOW` and `DESC` commands, so SnowDDL is unable to properly detect changes in config secret values. If you update any secret values in config, you should use additional CLI option `--refresh-secrets` to enforce update in Snowflake account.

## Links

* [CREATE SECRET](https://docs.snowflake.com/en/sql-reference/sql/create-secret)
* [SHOW SECRETS](https://docs.snowflake.com/en/sql-reference/sql/show-secrets)
* [DESC SECRET](https://docs.snowflake.com/en/sql-reference/sql/desc-secret)
* [Parser & JSON Schema (GitHub)](https://github.com/littleK0i/SnowDDL/blob/master/snowddl/parser/secret.py)


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.snowddl.com/basic/yaml-configs/secret.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.