SnowDDL
  • 👋Introduction
  • 🚩Getting started
  • 📋Main features
  • 🪤SnowDDL vs. Declarative DCM
  • In-depth guides
    • 👓Object identifiers
    • 📐Data types
    • 📦Object types
    • 🎭Role hierarchy
    • 🚧Permission model
    • 🔦Other guides
      • Administration user
      • Integrations
      • Inbound shares
      • Object OWNERSHIP
      • Safe & unsafe DDL
      • Dependency management
      • Short hash explained
      • Env Prefix explained
      • Team workflow
      • Limitations & workarounds
      • Fivetran
      • Airbyte
      • Encrypt user passwords
      • Iceberg Tables
  • Basic usage (CLI + YAML)
    • 💻CLI interface
    • 📦YAML configs
      • ACCOUNT PARAMETER
      • ACCOUNT POLICY
      • AGGREGATION POLICY
      • ALERT
      • AUTHENTICATION POLICY
      • BUSINESS ROLE
      • DATABASE
      • DYNAMIC TABLE
      • EVENT TABLE
      • EXTERNAL ACCESS INTEGRATION
      • EXTERNAL FUNCTION
      • EXTERNAL TABLE
      • FILE FORMAT
      • FUNCTION
      • HYBRID TABLE
      • ICEBERG TABLE
      • MASKING POLICY
      • MATERIALIZED VIEW
      • NETWORK POLICY
      • NETWORK RULE
      • PERMISSION MODEL
      • PIPE
      • PLACEHOLDER
      • PROCEDURE
      • PROJECTION POLICY
      • RESOURCE MONITOR
      • ROW ACCESS POLICY
      • SCHEMA
      • SECRET
      • SEQUENCE
      • SHARE (outbound)
      • STAGE
      • STAGE FILE
      • STREAM
      • TABLE
      • TASK
      • TECHNICAL ROLE
      • USER
      • VIEW
      • WAREHOUSE
    • 🏷️YAML placeholders
    • 📬YAML tag !include
    • 🔐YAML tag !decrypt
  • Single DB
    • 🦀Overview
  • Advanced usage (Python)
    • ⚙️Programmatic config
    • 🐍Architecture overview
      • 🔵Blueprints
      • 🟣Config
      • 🟠Parsers
      • 🟢Resolvers
      • 🔴Engine
    • 🏗️Query builder & formatter
  • Breaking changes log
    • 0.45.0 - March 2025
    • 0.41.0 - January 2025
    • 0.37.0 - December 2024
    • 0.36.0 - November 2024
    • 0.33.0 - October 2024
    • 0.27.0 - May 2024
  • Links
    • GitHub repository
    • PyPI package
    • YouTube tutorials
    • Changelog
    • LinkedIn profile
Powered by GitBook
On this page
  • Schema
  • Policy reference parameters
  • Usage notes
  • Links
  1. Basic usage (CLI + YAML)
  2. YAML configs

USER

Config path: /user.yaml

Example:

damian_edwards:
  password: "password"
  first_name: "Damian"
  last_name: "Edwards"
  email: "damian.edwards@example.com"
  session_params:
    query_tag: "Queries from Damian"
    error_on_nondeterministic_merge: true
    statement_timeout_in_seconds: 900
  business_roles:
    - sakila_analyst
  comment: "Analyst with read access to Sakila data and full access to sandbox schema"
etl_script:
  rsa_public_key: >-
    MIIBIjANBgkqhkiG1a0BAQEFAAOCAQ8AMIIBCgKCAQEAx4INStnNQshPamlDe5te
    +sF/J3zbY9BCMgcl/B11NndFRuXZjKBAyVJyJdjm2XpHGyJZrpIf1kBVJbfxpNSi
    qN/VLMm1nsqtEnLJsvHWT4AyJ8GG1ahYY34ody9SjLTCisSRpjzh7ZLajbyNtwbH
    ukOCAhy1R7RzyEmuqz3rRmnx0MUb+1wdSYfMAnVwxT11otmClhXVe3Hj9hdNmljk
    pw2rezWlKyeywkDpvh00/tuIFdCJD2gWcb3rAUC3e9iR6RJ4o/LFIEBlyktUPOqF
    d4A3+Wp/pkTiYUh2GvjHTZrGViZXBPRjciP+6ktLMuXP4bW2DeS1xEYIUeYhxaNI
    IwIDAQAB
  business_roles:
    - etl_script

Schema

  • {key} (ident) - user name

  • {value} (dict)

    • login_name (str)

    • display_name (str)

    • first_name (str)

    • last_name (str)

    • email (str)

    • disabled (bool)

    • type (str) - user type for security: PERSON, SERVICE, LEGACY_SERVICE, etc.

    • password (str)

    • rsa_public_key (str)

    • rsa_public_key_2 (str)

    • default_warehouse (ident)

    • default_namespace (str)

    • session_params (dict)

      • {key} (ident) - session param name

      • {value} (bool, float, int, str) - session param value

    • business_roles (list)

      • {items} (ident) - names of business roles

    • comment (str)

Policy reference parameters

Usage notes

  2. Changes in password will NOT be applied automatically due to lack of ability to compare current password with old password stored in Snowflake metadata. Please use --refresh-user-passwords argument to refresh passwords for all existing users, if necessary.

  4. If default_warehouse is omitted, it will be derived automatically from first warehouse mentioned in business_roles -> warehouse_usage.

  5. default_role cannot be changed. SnowDDL automatically creates USER ROLE and sets it as default_role.

  7. middle_name is not supported due to lack of this column in SHOW USERS output.

Links

PreviousTECHNICAL ROLENextVIEW

Last updated 15 days ago

authentication_policy (ident) - assign to USER

network_policy (ident) - assign to USER

password is stored as plain text, which can be ;

rsa_public_key should be passed .

default_secondary_roles are not supported on purpose. You should never need secondary roles with provided by SnowDDL.

📦
AUTHENTICATION POLICY
NETWORK POLICY
encrypted with fernet
without public key delimiters
role hierarchy
CREATE USER
ALTER USER
Parser & JSON Schema (GitHub)