USER

Config path: /user.yaml

Example:

damian_edwards:
  password: "password"
  first_name: "Damian"
  last_name: "Edwards"
  email: "[email protected]"
  session_params:
    query_tag: "Queries from Damian"
    error_on_nondeterministic_merge: true
    statement_timeout_in_seconds: 900
  business_roles:
    - sakila_analyst
  comment: "Analyst with read access to Sakila data and full access to sandbox schema"

etl_script:
  rsa_public_key: >-
    MIIBIjANBgkqhkiG1a0BAQEFAAOCAQ8AMIIBCgKCAQEAx4INStnNQshPamlDe5te
    +sF/J3zbY9BCMgcl/B11NndFRuXZjKBAyVJyJdjm2XpHGyJZrpIf1kBVJbfxpNSi
    qN/VLMm1nsqtEnLJsvHWT4AyJ8GG1ahYY34ody9SjLTCisSRpjzh7ZLajbyNtwbH
    ukOCAhy1R7RzyEmuqz3rRmnx0MUb+1wdSYfMAnVwxT11otmClhXVe3Hj9hdNmljk
    pw2rezWlKyeywkDpvh00/tuIFdCJD2gWcb3rAUC3e9iR6RJ4o/LFIEBlyktUPOqF
    d4A3+Wp/pkTiYUh2GvjHTZrGViZXBPRjciP+6ktLMuXP4bW2DeS1xEYIUeYhxaNI
    IwIDAQAB
  business_roles:
    - etl_script

Schema

• {key} (ident) - user name

• {value} (dict)

  • login_name (str)

  • display_name (str)

  • first_name (str)

  • last_name (str)

  • email (str)

  • disabled (bool)

  • type (str) - user type for security: PERSON, SERVICE, LEGACY_SERVICE, etc.

  • password (str)

  • rsa_public_key (str)

  • rsa_public_key_2 (str)

  • default_warehouse (ident)

  • default_namespace (str)

  • session_params (dict)

    • {key} (ident) - session param name

    • {value} (bool, float, int, str) - session param value

  • business_roles (list)

    • {items} (ident) - names of business roles

  • comment (str)

Policy reference parameters

• authentication_policy (ident) - assign AUTHENTICATION POLICY to USER

• network_policy (ident) - assign NETWORK POLICY to USER

Usage notes

1. password is stored as plain text, which can be encrypted with fernet;

2. Changes in password will NOT be applied automatically due to lack of ability to compare current password with old password stored in Snowflake metadata. Please use --refresh-user-passwords argument to refresh passwords for all existing users, if necessary.

3. rsa_public_key should be passed without public key delimiters.

4. If default_warehouse is omitted, it will be derived automatically from first warehouse mentioned in business_roles -> warehouse_usage.

5. default_role cannot be changed. SnowDDL automatically creates USER ROLE and sets it as default_role.

6. default_secondary_roles are not supported on purpose. You should never need secondary roles with role hierarchy provided by SnowDDL.

7. middle_name is not supported due to lack of this column in SHOW USERS output.

Links

• CREATE USER

• ALTER USER

• Parser & JSON Schema (GitHub)