search

USER

Config path: /user.yaml

Example:

damian_edwards:
  password: "password"
  first_name: "Damian"
  last_name: "Edwards"
  email: "[email protected]"
  session_params:
    query_tag: "Queries from Damian"
    error_on_nondeterministic_merge: true
    statement_timeout_in_seconds: 900
  business_roles:
    - sakila_analyst
  comment: "Analyst with read access to Sakila data and full access to sandbox schema"
etl_script:
  rsa_public_key: >-
    MIIBIjANBgkqhkiG1a0BAQEFAAOCAQ8AMIIBCgKCAQEAx4INStnNQshPamlDe5te
    +sF/J3zbY9BCMgcl/B11NndFRuXZjKBAyVJyJdjm2XpHGyJZrpIf1kBVJbfxpNSi
    qN/VLMm1nsqtEnLJsvHWT4AyJ8GG1ahYY34ody9SjLTCisSRpjzh7ZLajbyNtwbH
    ukOCAhy1R7RzyEmuqz3rRmnx0MUb+1wdSYfMAnVwxT11otmClhXVe3Hj9hdNmljk
    pw2rezWlKyeywkDpvh00/tuIFdCJD2gWcb3rAUC3e9iR6RJ4o/LFIEBlyktUPOqF
    d4A3+Wp/pkTiYUh2GvjHTZrGViZXBPRjciP+6ktLMuXP4bW2DeS1xEYIUeYhxaNI
    IwIDAQAB
  business_roles:
    - etl_script

hashtag
Schema

  • {key} (ident) - user name

  • {value} (dict)

    • login_name (str)

    • display_name (str)

    • first_name (str)

    • last_name (str)

    • email (str)

    • disabled (bool)

    • type (str) - user type for security: PERSON, SERVICE, LEGACY_SERVICE, etc.

    • password (str)

    • rsa_public_key (str)

    • rsa_public_key_2 (str)

    • default_warehouse (ident)

    • default_namespace (str)

    • session_params (dict)

      • {key} (ident) - session param name

      • {value} (bool, float, int, str) - session param value

    • workload_identity (dict)

      • {key} (ident) - workload identity param name

      • {value} (array, bool, float, int, str) - workload identity param value

    • business_roles (list)

      • {items} (ident) - names of business roles

    • comment (str)

hashtag
Policy reference parameters

hashtag
Usage notes

  1. password is stored as plain text, which can be encrypted with fernet;

  2. Changes in password will NOT be applied automatically due to lack of ability to compare current password in config with existing password stored in Snowflake metadata. Please use --refresh-user-passwords argument to refresh passwords for all existing users, if necessary.

  3. rsa_public_key should be passed without public key delimitersarrow-up-right.

  4. If default_warehouse is omitted, it will be derived automatically from first warehouse mentioned in business_roles -> warehouse_usage.

  5. default_role cannot be changed. SnowDDL automatically creates USER ROLE and sets it as default_role.

  6. default_secondary_roles are not supported on purpose. You should never need secondary roles with role hierarchy provided by SnowDDL.

  7. middle_name is not supported due to lack of this column in SHOW USERS output.

  8. As of December 2025, Snowflake has a bug related to changing authentication policy attached to user. SnowDDL generates correct SQL, but sometimes user may end up without authentication policy after its execution. You should report this bug to Snowflake and run SnowDDL again to make sure the new policy is being correctly attached.

hashtag
Workload Identity Usage Notes

  1. Changes in workload_identity will NOT be applied automatically due to lack of ability to compare current values in config with existing values stored in Snowflake metadata. Please use --refresh-workload-identity argument to refresh passwords for all existing users, if necessary.

  2. Snowflake uses combination of ISSUER and SUBJECT fields as unique key. It is not possible to create more than one user with the same values. It causes problems for env prefix. In order to mitigate these problems, SnowDDL adds env prefix value to the end of SUBJECT , like this: <SUBJECT>:ENV_PREFIX.

hashtag
Links

PreviousTECHNICAL ROLENextVIEW

Last updated