USER
Config path: /user.yaml
Example:
damian_edwards:
  password: "password"
  first_name: "Damian"
  last_name: "Edwards"
  email: "[email protected]"
  session_params:
    query_tag: "Queries from Damian"
    error_on_nondeterministic_merge: true
    statement_timeout_in_seconds: 900
  business_roles:
    - sakila_analyst
  comment: "Analyst with read access to Sakila data and full access to sandbox schema"

etl_script:
  rsa_public_key: >-
    MIIBIjANBgkqhkiG1a0BAQEFAAOCAQ8AMIIBCgKCAQEAx4INStnNQshPamlDe5te
    +sF/J3zbY9BCMgcl/B11NndFRuXZjKBAyVJyJdjm2XpHGyJZrpIf1kBVJbfxpNSi
    qN/VLMm1nsqtEnLJsvHWT4AyJ8GG1ahYY34ody9SjLTCisSRpjzh7ZLajbyNtwbH
    ukOCAhy1R7RzyEmuqz3rRmnx0MUb+1wdSYfMAnVwxT11otmClhXVe3Hj9hdNmljk
    pw2rezWlKyeywkDpvh00/tuIFdCJD2gWcb3rAUC3e9iR6RJ4o/LFIEBlyktUPOqF
    d4A3+Wp/pkTiYUh2GvjHTZrGViZXBPRjciP+6ktLMuXP4bW2DeS1xEYIUeYhxaNI
    IwIDAQAB
  business_roles:
    - etl_script
Schema
{key} (ident) - user name
{value} (dict)
  login_name (str)
  display_name (str)
  first_name (str)
  last_name (str)
  email (str)
  disabled (bool)
  type (str) - user type for security: PERSON, SERVICE, LEGACY_SERVICE, etc.
  password (str)
  rsa_public_key (str)
  rsa_public_key_2 (str)
  default_warehouse (ident)
  default_namespace (str)
  session_params (dict)
    {key} (ident) - session param name
    {value} (bool, float, int, str) - session param value
  workload_identity (dict)
    {key} (ident) - workload identity param name
    {value} (array, bool, float, int, str) - workload identity param value
  business_roles (list)
    {items} (ident) - names of business roles
  comment (str)
Policy reference parameters
authentication_policy (ident) - assign AUTHENTICATION POLICY to USER
network_policy (ident) - assign NETWORK POLICY to USER
Usage notes
password is stored as plain text, which can be encrypted with Fernet.
Changes in password will NOT be applied automatically due to lack of ability to compare the current password in config with the existing password stored in Snowflake metadata. Please use the --refresh-user-passwords argument to refresh passwords for all existing users, if necessary.
rsa_public_key should be passed without public key delimiters.
If default_warehouse is omitted, it will be derived automatically from the first warehouse mentioned in business_roles -> warehouse_usage.
default_role cannot be changed. SnowDDL automatically creates USER ROLE and sets it as default_role.
default_secondary_roles are not supported on purpose. You should never need secondary roles with the role hierarchy provided by SnowDDL.
middle_name is not supported due to lack of this column in SHOW USERS output.
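For the rsa_public_key note above, an added example (not SnowDDL's own code) that strips the PEM delimiters to get the config value, refuses private key material, and goes one step beyond the page by computing the SHA-256 fingerprint in the form Snowflake reports as RSA_PUBLIC_KEY_FP, so the key in the config can be compared with the key on the user. The function names and the sample key bytes are constructed for illustration.

```python
import base64
import hashlib
import re

_PEM_RE = re.compile(r"-----BEGIN PUBLIC KEY-----(.+?)-----END PUBLIC KEY-----", re.S)


def _fold(text: str, width: int = 64) -> list[str]:
    return [text[i:i + width] for i in range(0, len(text), width)]


def pem_to_config_value(pem: str) -> str:
    """Return the base64 body of a PEM public key, without delimiters or whitespace."""
    if "PRIVATE KEY" in pem:
        # Guard against pasting the wrong file into a config that is kept in git.
        raise ValueError("private key material must never go into user.yaml")
    match = _PEM_RE.search(pem)
    if match is None:
        raise ValueError("no PUBLIC KEY block found")
    body = "".join(match.group(1).split())
    base64.b64decode(body, validate=True)  # raises on corrupt or truncated input
    return body


def snowflake_fingerprint(config_value: str) -> str:
    """SHA-256 of the decoded key bytes, formatted like RSA_PUBLIC_KEY_FP."""
    der = base64.b64decode("".join(config_value.split()), validate=True)
    return "SHA256:" + base64.b64encode(hashlib.sha256(der).digest()).decode()


def as_yaml_block(user: str, config_value: str) -> str:
    """Render a user entry with the key folded to 64 columns under '>-'."""
    key_lines = "".join(f"    {line}\n" for line in _fold(config_value))
    return f"{user}:\n  rsa_public_key: >-\n{key_lines}"


# Constructed sample: 96 arbitrary bytes standing in for DER, not a real key.
SAMPLE_DER = bytes(range(96))
SAMPLE_PEM = (
    "-----BEGIN PUBLIC KEY-----\n"
    + "\n".join(_fold(base64.b64encode(SAMPLE_DER).decode()))
    + "\n-----END PUBLIC KEY-----\n"
)

if __name__ == "__main__":
    value = pem_to_config_value(SAMPLE_PEM)
    print(as_yaml_block("etl_script", value), end="")
    print("# compare with RSA_PUBLIC_KEY_FP:", snowflake_fingerprint(value))
```

The fingerprint is computed after removing whitespace, so it gives the same result for the single-line value and for the folded multi-line form used in the example config.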
Workload Identity Usage Notes
Changes in workload_identity will NOT be applied automatically due to lack of ability to compare current values in config with existing values stored in Snowflake metadata. Please use the --refresh-workload-identity argument to refresh passwords for all existing users, if necessary.
Snowflake uses the combination of ISSUER and SUBJECT fields as a unique key. It is not possible to create more than one user with the same values. This causes problems for env prefix. In order to mitigate these problems, SnowDDL adds the env prefix value to the end of SUBJECT, like this: <SUBJECT>:ENV_PREFIX.