From 5c6ff19e36ebfecbc4e215b72fda4c0f58ea04a6 Mon Sep 17 00:00:00 2001 From: Michele Cereda Date: Mon, 28 Jul 2025 18:29:01 +0200 Subject: [PATCH] fix(snowflake): ajdust commands again --- knowledge base/snowflake/README.md | 28 +++++++++++++++++++++++++++- snippets/snowflake.sql | 12 ++++++++++++ 2 files changed, 39 insertions(+), 1 deletion(-) diff --git a/knowledge base/snowflake/README.md b/knowledge base/snowflake/README.md index a5b37f8..f7626fe 100644 --- a/knowledge base/snowflake/README.md +++ b/knowledge base/snowflake/README.md @@ -274,13 +274,24 @@ Users can only be created by those with (or): Add users to the account executing a SQL Query by means of Snowflake's web UI found in the `Account` section. +Service users are users with `TYPE=SERVICE`.
+Users have accepted attributes depending on their type. Incompatible properties will be stored, but kept disabled.
+Changing the user type could reenable the now compatible, disabled, properties. + +Assess a user's type with the `DESCRIBE USER` command, or by querying the `snowflake.account_usage.users` table. + ```sql -- List users SHOW USERS; +SHOW USERS LIKE 'BILLY'; SHOW USERS LIKE '%john%'; +-- List service users +-- requires running in a warehouse +SELECT LOGIN_NAME FROM snowflake.account_usage.users WHERE TYPE = 'SERVICE'; -- Get information about users DESC USER zoe; +DESCRIBE USER william; -- Create users CREATE USER alice; @@ -288,11 +299,15 @@ CREATE USER IF NOT EXISTS bob; CREATE OR REPLACE USER claude LOGIN_NAME='CLAUDE@EXAMPLE.ORG' DISPLAY_NAME='Claude' EMAIL='claude@example.org' PASSWORD='somePassword' MUST_CHANGE_PASSWORD=TRUE; +-- Create service users by specifying TYPE = SERVICE +-- Default resources do *not* need to exist beforehand, but *will* be used on login +CREATE USER IF NOT EXISTS some_service TYPE = SERVICE + DEFAULT_ROLE = some_service_role DEFAULT_WAREHOUSE = dev_wh DEFAULT_NAMESPACE = dev_db.dev_schema; ``` Prefer setting a `DEFAULT_WAREHOUSE` and `DEFAULT_ROLE` for users, specially if they use non-Snowflake client tools. -Remember to `GRANT ROLE a=Access` after creating a user.
+Remember to `GRANT ROLE` after creating a user.
Snowflake does **not** offer access to a user's default role automatically. After a user is created, one **must** provide that user access to its default role.
If a user can't access their default role, they won't be able to log in. @@ -307,6 +322,17 @@ When using SSO: Setting up a password gives the user the option of selecting what method to use to login. This is required by tools that do not support logging in via SSO. +Change users to service users: + +```sql +ALTER USER my_service_user SET TYPE = SERVICE; +ALTER USER my_service_user UNSET PASSWORD; +ALTER USER my_service_user UNSET FIRST_NAME; +ALTER USER my_service_user UNSET MIDDLE_NAME; +ALTER USER my_service_user UNSET LAST_NAME; +ALTER USER my_service_user SET DISABLE_MFA = TRUE; +``` + ## Virtual warehouses Dedicated, independent clusters of compute resources in Snowflake. diff --git a/snippets/snowflake.sql b/snippets/snowflake.sql index 796db16..387b0c9 100644 --- a/snippets/snowflake.sql +++ b/snippets/snowflake.sql @@ -157,3 +157,15 @@ ALTER USER data_service_user SET NETWORK_POLICY=allow_all_net_policy; -- 4. create pat ALTER USER data_service_user ADD PROGRAMMATIC ACCESS TOKEN data_service_pat ROLE_RESTRICTION='DATA_SERVICE_ROLE' DAYS_TO_EXPIRY=90 COMMENT='Test PAT'; + + +-- ----------------- +-- change users to service users +-- ----------------- + +ALTER USER my_service_user SET TYPE = SERVICE; +ALTER USER my_service_user UNSET PASSWORD; +ALTER USER my_service_user UNSET FIRST_NAME; +ALTER USER my_service_user UNSET MIDDLE_NAME; +ALTER USER my_service_user UNSET LAST_NAME; +ALTER USER my_service_user SET DISABLE_MFA = TRUE;
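Review bot: The new block in snippets/snowflake.sql runs four `UNSET` statements and `SET DISABLE_MFA = TRUE` after the type change with no comment on why, and the reason is security-relevant. The README text added in this same commit says incompatible properties are stored but kept disabled and can be re-enabled when the type changes, so `UNSET PASSWORD` is what actually removes the old credential. I would put `-- unset rather than rely on the disabled state: a stored password could become usable again if TYPE is changed back` above it. A second comment, `-- check the result with DESCRIBE USER, and have a key pair or PAT in place before removing the password`, would help avoid leaving the account with no working login. `DISABLE_MFA = TRUE` should also carry a one-line reason, so that it is not copied onto person users by habit.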