USER

Config path: /user.yaml

Example:

damian_edwards:
  password: "password"
  first_name: "Damian"
  last_name: "Edwards"
  email: "damian.edwards@example.com"
  session_params:
    query_tag: "Queries from Damian"
    error_on_nondeterministic_merge: true
    statement_timeout_in_seconds: 900
  business_roles:
    - sakila_analyst
  comment: "Analyst with read access to Sakila data and full access to sandbox schema"

etl_script:
  rsa_public_key: >-
    MIIBIjANBgkqhkiG1a0BAQEFAAOCAQ8AMIIBCgKCAQEAx4INStnNQshPamlDe5te
    +sF/J3zbY9BCMgcl/B11NndFRuXZjKBAyVJyJdjm2XpHGyJZrpIf1kBVJbfxpNSi
    qN/VLMm1nsqtEnLJsvHWT4AyJ8GG1ahYY34ody9SjLTCisSRpjzh7ZLajbyNtwbH
    ukOCAhy1R7RzyEmuqz3rRmnx0MUb+1wdSYfMAnVwxT11otmClhXVe3Hj9hdNmljk
    pw2rezWlKyeywkDpvh00/tuIFdCJD2gWcb3rAUC3e9iR6RJ4o/LFIEBlyktUPOqF
    d4A3+Wp/pkTiYUh2GvjHTZrGViZXBPRjciP+6ktLMuXP4bW2DeS1xEYIUeYhxaNI
    IwIDAQAB
  business_roles:
    - etl_script

Schema

{key} (ident) - user name
{value} (dict)
- login_name (str)
- display_name (str)
- first_name (str)
- last_name (str)
- email (str)
- disabled (bool)
- type (str) - user type for security: PERSON, SERVICE, LEGACY_SERVICE, etc.
- password (str)
- rsa_public_key (str)
- rsa_public_key_2 (str)
- default_warehouse (ident)
- default_namespace (str)
- session_params (dict)
  - {key} (ident) - session param name
  - {value} (bool, float, int, str) - session param value
- business_roles (list)
  - {items} (ident) - names of business roles
- comment (str)

Policy reference parameters

authentication_policy (ident) - assign AUTHENTICATION POLICY to USER
network_policy (ident) - assign NETWORK POLICY to USER

Usage notes

password is stored as plain text, which can be encrypted with fernet;
Changes in password will NOT be applied automatically due to lack of ability to compare current password with old password stored in Snowflake metadata. Please use --refresh-user-passwords argument to refresh passwords for all existing users, if necessary.
rsa_public_key should be passed without public key delimiters.
If default_warehouse is omitted, it will be derived automatically from first warehouse mentioned in business_roles -> warehouse_usage.
default_role cannot be changed. SnowDDL automatically creates USER ROLE and sets it as default_role.
default_secondary_roles are not supported on purpose. You should never need secondary roles with role hierarchy provided by SnowDDL.
middle_name is not supported due to lack of this column in SHOW USERS output.

Links

PreviousTECHNICAL ROLE NextVIEW

Last updated 2 months ago

damian_edwards: password: "password" first_name: "Damian" last_name: "Edwards" email: "damian.edwards@example.com" session_params: query_tag: "Queries from Damian" error_on_nondeterministic_merge: true statement_timeout_in_seconds: 900 business_roles: - sakila_analyst comment: "Analyst with read access to Sakila data and full access to sandbox schema"

etl_script: rsa_public_key: >- MIIBIjANBgkqhkiG1a0BAQEFAAOCAQ8AMIIBCgKCAQEAx4INStnNQshPamlDe5te +sF/J3zbY9BCMgcl/B11NndFRuXZjKBAyVJyJdjm2XpHGyJZrpIf1kBVJbfxpNSi qN/VLMm1nsqtEnLJsvHWT4AyJ8GG1ahYY34ody9SjLTCisSRpjzh7ZLajbyNtwbH ukOCAhy1R7RzyEmuqz3rRmnx0MUb+1wdSYfMAnVwxT11otmClhXVe3Hj9hdNmljk pw2rezWlKyeywkDpvh00/tuIFdCJD2gWcb3rAUC3e9iR6RJ4o/LFIEBlyktUPOqF d4A3+Wp/pkTiYUh2GvjHTZrGViZXBPRjciP+6ktLMuXP4bW2DeS1xEYIUeYhxaNI IwIDAQAB business_roles: - etl_script

Schema

{key} (ident) - user name

{value} (dict)

login_name (str)
display_name (str)
first_name (str)
last_name (str)
email (str)
disabled (bool)
type (str) - user type for security: PERSON, SERVICE, LEGACY_SERVICE, etc.
password (str)
rsa_public_key (str)
rsa_public_key_2 (str)
default_warehouse (ident)
default_namespace (str)
session_params (dict)
- {key} (ident) - session param name
- {value} (bool, float, int, str) - session param value
business_roles (list)
- {items} (ident) - names of business roles
comment (str)

Usage notes

password is stored as plain text, which can be encrypted with fernet;

Changes in password will NOT be applied automatically due to lack of ability to compare current password with old password stored in Snowflake metadata. Please use --refresh-user-passwords argument to refresh passwords for all existing users, if necessary.

rsa_public_key should be passed without public key delimiters.

If default_warehouse is omitted, it will be derived automatically from first warehouse mentioned in business_roles -> warehouse_usage.

default_role cannot be changed. SnowDDL automatically creates USER ROLE and sets it as default_role.

default_secondary_roles are not supported on purpose. You should never need secondary roles with role hierarchy provided by SnowDDL.

middle_name is not supported due to lack of this column in SHOW USERS output.