# USER

Config path: `/user.yaml`

Example:

```yaml
damian_edwards:
  password: "password"
  first_name: "Damian"
  last_name: "Edwards"
  email: "damian.edwards@example.com"
  session_params:
    query_tag: "Queries from Damian"
    error_on_nondeterministic_merge: true
    statement_timeout_in_seconds: 900
  business_roles:
    - sakila_analyst
  comment: "Analyst with read access to Sakila data and full access to sandbox schema"
```

```yaml
etl_script:
  rsa_public_key: >-
    MIIBIjANBgkqhkiG1a0BAQEFAAOCAQ8AMIIBCgKCAQEAx4INStnNQshPamlDe5te
    +sF/J3zbY9BCMgcl/B11NndFRuXZjKBAyVJyJdjm2XpHGyJZrpIf1kBVJbfxpNSi
    qN/VLMm1nsqtEnLJsvHWT4AyJ8GG1ahYY34ody9SjLTCisSRpjzh7ZLajbyNtwbH
    ukOCAhy1R7RzyEmuqz3rRmnx0MUb+1wdSYfMAnVwxT11otmClhXVe3Hj9hdNmljk
    pw2rezWlKyeywkDpvh00/tuIFdCJD2gWcb3rAUC3e9iR6RJ4o/LFIEBlyktUPOqF
    d4A3+Wp/pkTiYUh2GvjHTZrGViZXBPRjciP+6ktLMuXP4bW2DeS1xEYIUeYhxaNI
    IwIDAQAB
  business_roles:
    - etl_script
```

## Schema

* *{key}* (ident) - user name
* *{value}* (dict)
  * **login\_name** (str)
  * **display\_name** (str)
  * **first\_name** (str)
  * **last\_name** (str)
  * **email** (str)
  * **disabled** (bool)
  * **type** (str) - user type for security: PERSON, SERVICE, LEGACY\_SERVICE, etc.
  * **password** (str)
  * **rsa\_public\_key** (str)
  * **rsa\_public\_key\_2** (str)
  * **default\_warehouse** (ident)
  * **default\_namespace** (str)
  * **session\_params** (dict)
    * *{key}* (ident) - session param name
    * *{value}* (bool, float, int, str) - session param value
  * **workload\_identity** (dict)
    * *{key}* (ident) - workload identity param name
    * *{value}* (array, bool, float, int, str) - workload identity param value
  * **business\_roles** (list)
    * *{items}* (ident) - names of business roles
  * **comment** (str)

## Policy reference parameters

* **authentication\_policy** (ident) - assign [AUTHENTICATION POLICY](/basic/yaml-configs/authentication-policy.md) to USER
* **network\_policy** (ident) - assign [NETWORK POLICY](/basic/yaml-configs/network-policy.md) to USER

## Usage notes

1. `password` is stored as plain text in the config, but it can be [encrypted with fernet](/guides/other-guides/encrypt-user-passwords.md).
2. Changes in `password` will NOT be applied automatically, because SnowDDL cannot compare the password in the config with the existing password stored in Snowflake metadata. Use the `--refresh-user-passwords` argument to refresh passwords for all existing users, if necessary.
3. `rsa_public_key` should be passed [without public key delimiters](https://docs.snowflake.com/en/user-guide/key-pair-auth.html#step-4-assign-the-public-key-to-a-snowflake-user).
4. If `default_warehouse` is omitted, it will be derived automatically from the first warehouse mentioned in `business_roles -> warehouse_usage`.
5. `default_role` cannot be changed. SnowDDL automatically creates USER ROLE and sets it as `default_role`.
6. `default_secondary_roles` are not supported on purpose. You should never need secondary roles with [role hierarchy](/guides/role-hierarchy.md) provided by SnowDDL.
7. `middle_name` is not supported due to lack of this column in `SHOW USERS` output.
8. As of December 2025, Snowflake has a bug related to changing the authentication policy attached to a user. SnowDDL generates correct SQL, but sometimes the user may end up without an authentication policy after its execution. You should report this bug to Snowflake and run SnowDDL again to make sure the new policy is correctly attached.
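
A pre-commit style check for the notes above, as an added example (not SnowDDL's own code): it strips PEM delimiters from a public key and flags user entries that carry delimiters, a `password` value to review, or parameters this page lists as unsupported. It assumes `user.yaml` has already been parsed into a dict; the function names and finding strings are hypothetical.

```python
import base64
import re

# Keys listed in this page's Schema and Policy reference sections.
ALLOWED = {
    "login_name", "display_name", "first_name", "last_name", "email",
    "disabled", "type", "password", "rsa_public_key", "rsa_public_key_2",
    "default_warehouse", "default_namespace", "session_params",
    "workload_identity", "business_roles", "comment",
    "authentication_policy", "network_policy",
}
# Parameters the usage notes describe as unsupported or not changeable.
UNSUPPORTED = {"default_role", "default_secondary_roles", "middle_name"}
PEM_DELIMITER = re.compile(r"-----(?:BEGIN|END) [A-Z ]+-----")


def strip_pem_delimiters(pem_text):
    """Return the base64 body of a PEM public key as a single line."""
    body = "".join(PEM_DELIMITER.sub("", pem_text).split())
    base64.b64decode(body, validate=True)  # raises if the body is malformed
    return body


def lint_users(users):
    """Return (user, finding) pairs for an already-parsed user.yaml dict."""
    findings = []
    for name, params in users.items():
        for key in sorted(params):
            if key in UNSUPPORTED:
                findings.append((name, f"{key}: not supported"))
            elif key not in ALLOWED:
                findings.append((name, f"{key}: not in schema"))
        for key in ("rsa_public_key", "rsa_public_key_2"):
            if PEM_DELIMITER.search(str(params.get(key, ""))):
                findings.append((name, f"{key}: remove PEM delimiters"))
        if "password" in params:
            findings.append((name, "password: confirm value is encrypted"))
    return findings


# Constructed sample: the key body is filler bytes, not a real RSA key.
SAMPLE_BODY = base64.b64encode(b"constructed filler, not a real key").decode()
SAMPLE_PEM = f"-----BEGIN PUBLIC KEY-----\n{SAMPLE_BODY}\n-----END PUBLIC KEY-----\n"
SAMPLE_USERS = {
    "etl_script": {"rsa_public_key": SAMPLE_PEM, "business_roles": ["etl_script"]},
    "damian_edwards": {"password": "password", "middle_name": "J"},
}
```

The `password` finding is a review prompt only: the check does not try to tell an encrypted value from a plain one.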

### Workload Identity Usage Notes

1. Changes in `workload_identity` will NOT be applied automatically, because SnowDDL cannot compare the values in the config with the existing values stored in Snowflake metadata. Use the `--refresh-workload-identity` argument to refresh workload identity for all existing users, if necessary.
2. Snowflake uses the combination of the `ISSUER` and `SUBJECT` fields as a unique key. It is not possible to create more than one user with the same values, which causes problems for [env prefix](/guides/other-guides/env-prefix.md). To mitigate these problems, SnowDDL adds the env prefix value to the end of `SUBJECT`, like this: `<SUBJECT>:ENV_PREFIX`.

## Links

* [CREATE USER](https://docs.snowflake.com/en/sql-reference/sql/create-user.html)
* [ALTER USER](https://docs.snowflake.com/en/sql-reference/sql/alter-user.html)
* [Parser & JSON Schema (GitHub)](https://github.com/littleK0i/SnowDDL/blob/master/snowddl/parser/user.py)

