From 8c76ce688b634f065389d97368e4dd3fad89613d Mon Sep 17 00:00:00 2001
From: Michele Cereda
Date: Mon, 28 Jul 2025 18:03:35 +0200
Subject: [PATCH] fix(snowflake): ajdust commands
---
 knowledge base/snowflake/README.md | 43 ++++++++++++++++++++++------
 snippets/snowflake.sql | 46 +++++++++++++++++++++++-------
 2 files changed, 71 insertions(+), 18 deletions(-)
diff --git a/knowledge base/snowflake/README.md b/knowledge base/snowflake/README.md
index 0401b8e..b694b76 100644
--- a/knowledge base/snowflake/README.md
+++ b/knowledge base/snowflake/README.md
@@ -65,6 +65,9 @@ SHOW AUTHENTICATION POLICIES;
 -- Create authentication policies
 CREATE AUTHENTICATION POLICY allow_pats_policy AUTHENTICATION_METHODS = ('PROGRAMMATIC_ACCESS_TOKEN');
+-- Delete authentication policies
+DROP AUTHENTICATION POLICY allow_pats_policy;
+
 -- List network policies
 SHOW NETWORK POLICIES;
@@ -72,6 +75,9 @@ SHOW NETWORK POLICIES;
 -- Create network policies
 CREATE NETWORK POLICY IF NOT EXISTS allow_all_net_policy ALLOWED_IP_LIST = ('0.0.0.0/0');
+-- Delete network policies
+DROP NETWORK POLICY allow_all_net_policy;
+
 -- List warehouses
 SHOW WAREHOUSES;
@@ -91,6 +97,9 @@ DROP DATABASE IF EXISTS tuts_db;
 SHOW ROLES;
 SHOW ROLES LIKE '%DATA%';
+-- Get information about users
+DESC ROLE some_service_role;
+
 -- Create roles
 CREATE ROLE IF NOT EXISTS some_service_role;
@@ -119,6 +128,7 @@ CREATE USER IF NOT EXISTS bob;
 CREATE OR REPLACE USER claude PASSWORD='somePassword' DISPLAY_NAME='Claude' EMAIL='claude@example.org' LOGIN_NAME='CLAUDE@EXAMPLE.ORG' MUST_CHANGE_PASSWORD=TRUE;
+-- Create service users by specifying TYPE = SERVICE
 -- Default resources do *not* need to exist beforehand, but *will* be used on login
 CREATE USER IF NOT EXISTS data_service TYPE='SERVICE' DEFAULT_ROLE='data_service_role' DEFAULT_WAREHOUSE='dev_wh' DEFAULT_NAMESPACE='dev_db.dev_schema';
@@ -138,14 +148,31 @@ GRANT USAGE ON WAREHOUSE COMPUTE_WH TO USER mike;
 -- Assign policies to users
 ALTER USER some_service SET AUTHENTICATION POLICY allow_pats_policy;
 ALTER USER some_service SET NETWORK_POLICY = allow_all_net_policy;
--- Create PATs for users
-ALTER USER some_service ADD PROGRAMMATIC ACCESS TOKEN some_service_pat
- ROLE_RESTRICTION = 'SOME_SERVICE_ROLE' -- roles here must be referred to in uppercase
- DAYS_TO_EXPIRY = 90
- COMMENT = 'PAT for some_service';
+-- List PATs for users
+SHOW USER PROGRAMMATIC ACCESS TOKENS FOR USER some_service_user;
--- Reset password
+-- Generate PATs for users
+ALTER USER some_service_user ADD PROGRAMMATIC ACCESS TOKEN some_service_pat
+ ROLE_RESTRICTION='SOME_SERVICE_ROLE' -- Uppercase. Required for SERVICE users. Sets the role for the token.
+ DAYS_TO_EXPIRY=365 -- 1 <= X <= 365. Cannot be modified later.
+ MINS_TO_BYPASS_NETWORK_POLICY_REQUIREMENT=3 -- Optional
+ COMMENT='Some comment';
+
+-- Rotate PATs for users
+ALTER USER some_service_user ROTATE PROGRAMMATIC ACCESS TOKEN some_service_pat;
+
+-- Rename PATs for users
+ALTER USER some_service_user MODIFY PROGRAMMATIC ACCESS TOKEN some_service_pat
+ RENAME TO some_service_pat_new COMMENT = 'new name';
+
+-- Disable PATs for users
+ALTER USER some_service_user MODIFY PROGRAMMATIC ACCESS TOKEN some_service_pat SET DISABLED = TRUE;
+
+-- Delete PATs for users
+ALTER USER some_service_user REMOVE PROGRAMMATIC ACCESS TOKEN some_service_pat;
+
+-- Reset passwords
 ALTER USER IF EXISTS elijah RESET PASSWORD;
 -- Disable MFA
@@ -376,8 +403,8 @@ SHOW USER PROGRAMMATIC ACCESS TOKENS FOR USER ;
 -- Generate
 ALTER USER ADD PROGRAMMATIC ACCESS TOKEN
- ROLE_RESTRICTION = '' -- Required for SERVICE users. Fixes the role the token can operate under.
- DAYS_TO_EXPIRY = -- 1 <= X <= 365. Cannot be modified later.
+ ROLE_RESTRICTION = '' -- Uppercase. Required for SERVICE users. Sets the role the token can operate under.
+ DAYS_TO_EXPIRY = -- 1 <= X <= 365. Cannot be modified later.
 MINS_TO_BYPASS_NETWORK_POLICY_REQUIREMENT = -- Optional
 COMMENT = '';
diff --git a/snippets/snowflake.sql b/snippets/snowflake.sql
index 97133c6..adff219 100644
--- a/snippets/snowflake.sql
+++ b/snippets/snowflake.sql
@@ -4,6 +4,9 @@ SHOW AUTHENTICATION POLICIES;
 -- Create authentication policies
 CREATE AUTHENTICATION POLICY allow_pats_policy AUTHENTICATION_METHODS = ('PROGRAMMATIC_ACCESS_TOKEN');
+-- Delete authentication policies
+DROP AUTHENTICATION POLICY allow_pats_policy;
+
 -- List network policies
 SHOW NETWORK POLICIES;
@@ -11,6 +14,9 @@ SHOW NETWORK POLICIES;
 -- Create network policies
 CREATE NETWORK POLICY IF NOT EXISTS allow_all_net_policy ALLOWED_IP_LIST = ('0.0.0.0/0');
+-- Delete network policies
+DROP NETWORK POLICY allow_all_net_policy;
+
 -- List warehouses
 SHOW WAREHOUSES;
@@ -30,6 +36,9 @@ DROP DATABASE IF EXISTS sf_tuts;
 SHOW ROLES;
 SHOW ROLES LIKE '%DATA%';
+-- Get information about users
+DESC ROLE some_service_role;
+
 -- Create roles
 CREATE ROLE IF NOT EXISTS some_service_role;
@@ -58,7 +67,7 @@ CREATE USER IF NOT EXISTS bob;
 CREATE OR REPLACE USER claude LOGIN_NAME='CLAUDE@EXAMPLE.ORG' DISPLAY_NAME='Claude' EMAIL='claude@example.org' PASSWORD='somePassword' MUST_CHANGE_PASSWORD=TRUE;
--- Create service users
+-- Create service users by specifying TYPE = SERVICE
 -- Default resources do *not* need to exist beforehand, but *will* be used on login
 CREATE USER IF NOT EXISTS some_service TYPE = SERVICE DEFAULT_ROLE = some_service_role DEFAULT_WAREHOUSE = dev_wh DEFAULT_NAMESPACE = dev_db.dev_schema;
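Review bot: The new `DROP NETWORK POLICY allow_all_net_policy;` has no `IF EXISTS`, unlike the `CREATE NETWORK POLICY IF NOT EXISTS` two lines above it and the other create/drop pairs in this file (`DROP DATABASE IF EXISTS`, `CREATE ROLE IF NOT EXISTS`, `ALTER USER IF EXISTS`), so the pair is no longer re-runnable; `DROP NETWORK POLICY IF EXISTS allow_all_net_policy;` keeps it consistent. As far as I recall, Snowflake also refuses to drop a network policy that is still assigned to a user or to the account, and this file attaches this very policy with `ALTER USER ... SET NETWORK_POLICY = allow_all_net_policy` further down, so a short comment such as `-- A policy still assigned to a user or the account cannot be dropped; UNSET it first` would spare the reader a confusing error — confirm against the docs before adding it. Since the policy is defined with `ALLOWED_IP_LIST = ('0.0.0.0/0')`, the create/drop pair also deserves a one-line warning that it is a placeholder for experiments, not something to attach to a real service user.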
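Review bot: The comment `-- Get information about users` added above `DESC ROLE some_service_role;` describes the wrong object: the statement describes a role, not a user, and every other comment in this section is about roles (`-- Create roles`, `SHOW ROLES`). `-- Describe roles` (or `-- Get information about roles`) matches the statement; if a user lookup was intended, a `DESC USER <name>;` example belongs in the users section below instead.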
@@ -72,20 +81,37 @@ SHOW GRANTS TO USER CLAUDE;
 SHOW GRANTS ON USER CLAUDE;
 -- Grant permissions to users
-GRANT ROLE some_service_role TO USER some_service;
+GRANT ROLE some_service_role TO USER some_service_user;
 GRANT USAGE ON WAREHOUSE COMPUTE_WH TO USER mike;
 -- Assign policies to users
-ALTER USER some_service SET AUTHENTICATION POLICY allow_pats_policy;
-ALTER USER some_service SET NETWORK_POLICY = allow_all_net_policy;
+ALTER USER some_service_user SET AUTHENTICATION POLICY allow_pats_policy;
+ALTER USER some_service_user SET NETWORK_POLICY = allow_all_net_policy;
--- Create PATs for users
-ALTER USER some_service ADD PROGRAMMATIC ACCESS TOKEN some_service_pat
- ROLE_RESTRICTION = 'SOME_SERVICE_ROLE' -- roles here must be referred to in uppercase
- DAYS_TO_EXPIRY = 90
- COMMENT = 'PAT for some_service';
+-- List PATs for users
+SHOW USER PROGRAMMATIC ACCESS TOKENS FOR USER some_service_user;
--- Reset password
+-- Generate PATs for users
+ALTER USER some_service_user ADD PROGRAMMATIC ACCESS TOKEN some_service_pat
+ ROLE_RESTRICTION='SOME_SERVICE_ROLE' -- Uppercase. Required for SERVICE users. Sets the role for the token.
+ DAYS_TO_EXPIRY=365 -- 1 <= X <= 365. Cannot be modified later.
+ MINS_TO_BYPASS_NETWORK_POLICY_REQUIREMENT=3 -- Optional
+ COMMENT='Some comment';
+
+-- Rotate PATs for users
+ALTER USER some_service_user ROTATE PROGRAMMATIC ACCESS TOKEN some_service_pat;
+
+-- Rename PATs for users
+ALTER USER some_service_user MODIFY PROGRAMMATIC ACCESS TOKEN some_service_pat
+ RENAME TO some_service_pat_new COMMENT = 'new name';
+
+-- Disable PATs for users
+ALTER USER some_service_user MODIFY PROGRAMMATIC ACCESS TOKEN some_service_pat SET DISABLED = TRUE;
+
+-- Delete PATs for users
+ALTER USER some_service_user REMOVE PROGRAMMATIC ACCESS TOKEN some_service_pat;
+
+-- Reset passwords
 ALTER USER IF EXISTS elijah RESET PASSWORD;
 -- Disable MFA
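Review bot: The renamed GRANT and ALTER statements in this hunk now target `some_service_user`, but the only service user the file creates (`CREATE USER IF NOT EXISTS some_service TYPE = SERVICE ...`, left unchanged as context in the earlier hunk) is still named `some_service`, so the snippet grants to, assigns policies to and issues tokens for a user it never creates; either rename that CREATE USER too or revert these lines to `some_service`. The Generate example also moves to `DAYS_TO_EXPIRY=365`, the maximum lifetime the comment itself marks as unmodifiable, while the same user is bound to `allow_all_net_policy`, which this file defines with `ALLOWED_IP_LIST = ('0.0.0.0/0')`, so a leaked token from this recipe stays usable from anywhere for a year until someone runs the Disable or Delete statements; I would keep a shorter value, e.g. `DAYS_TO_EXPIRY=90 -- 1 <= X <= 365. Cannot be modified later; keep it short and rotate.` The Rotate example could additionally note that, as far as I recall, the previous secret remains valid for a grace period unless `EXPIRE_ROTATED_TOKEN_AFTER_HOURS` is given (`0` revokes it immediately), which matters when rotating a compromised token — confirm against the docs before adding that comment. Lastly, the Disable and Delete statements still reference `some_service_pat` after the Rename statement has turned it into `some_service_pat_new`, so the block does not run top to bottom as written.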