brandon/oam
1
0
Fork 0
mirror of https://gitea.com/mcereda/oam.git synced 2026-02-09 05:44:23 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(snowflake): improve commands examples and readability

Browse Source
This commit is contained in:
Michele Cereda
2025-07-30 18:06:46 +02:00
parent 4e248489a6
commit a023236739
2 changed files with 48 additions and 34 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
knowledge base/snowflake/README.md
View File

@@ -153,7 +153,8 @@ CREATE USER IF NOT EXISTS data_service TYPE='SERVICE'
-- Change user attributes
ALTER USER bob SET DEFAULT_WAREHOUSE = NULL;
ALTER USER my_service_user SET TYPE = SERVICE; ALTER USER my_service_user UNSET PASSWORD;
ALTER USER some_service_user SET TYPE = SERVICE;
ALTER USER some_service_user UNSET PASSWORD;
-- Show permissions users have
SHOW GRANTS TO USER CLAUDE;
@@ -161,22 +162,26 @@ SHOW GRANTS TO USER CLAUDE;
SHOW GRANTS ON USER CLAUDE;
-- Grant permissions to users
GRANT ROLE some_service_role TO USER some_service;
GRANT ROLE some_service_role TO USER some_service_user;
GRANT USAGE ON WAREHOUSE COMPUTE_WH TO USER mike;
-- Assign policies to users
ALTER USER some_service SET AUTHENTICATION POLICY allow_pats_policy;
ALTER USER some_service SET NETWORK_POLICY = allow_all_net_policy;
ALTER USER some_service_user SET AUTHENTICATION POLICY allow_pats_policy;
ALTER USER some_service_user SET NETWORK_POLICY = allow_all_net_policy;
-- List PATs for users
SHOW USER PROGRAMMATIC ACCESS TOKENS FOR USER some_service_user;
-- Generate PATs for users
-- 'ROLE_RESTRICTION' required for SERVICE users. Sets the role for the token. Must be uppercase.
-- 'DAYS_TO_EXPIRY' must be between 1 and 365. Cannot be modified later.
-- 'MINS_TO_BYPASS_NETWORK_POLICY_REQUIREMENT' and 'COMMENT' are optional.
ALTER USER nora ADD PROGRAMMATIC ACCESS TOKEN act_as_nora DAYS_TO_EXPIRY=15;
ALTER USER some_service_user ADD PROGRAMMATIC ACCESS TOKEN some_service_pat
ROLE_RESTRICTION='SOME_SERVICE_ROLE' -- Uppercase. Required for SERVICE users. Sets the role for the token.
DAYS_TO_EXPIRY=365 -- 1 <= X <= 365. Cannot be modified later.
MINS_TO_BYPASS_NETWORK_POLICY_REQUIREMENT=3 -- Optional
COMMENT='Some comment';
ROLE_RESTRICTION='SOME_SERVICE_ROLE'
DAYS_TO_EXPIRY=365
MINS_TO_BYPASS_NETWORK_POLICY_REQUIREMENT=3
COMMENT='Some optional comment';
-- Rotate PATs for users
ALTER USER some_service_user ROTATE PROGRAMMATIC ACCESS TOKEN some_service_pat;
@@ -200,6 +205,9 @@ ALTER USER fred SET DISABLE_MFA=TRUE;
-- Unlock users
ALTER USER greg SET MINS_TO_UNLOCK=0;
-- Disable users
ALTER USER heather SET DISABLED=TRUE;
-- Delete users
DROP USER snowman;
```
@@ -284,7 +292,7 @@ SHOW GRANTS ON USER CLAUDE;
Users can only be created by those with (or):
- The `USERADMIN` role or higher.
- Roles granting them the CREATE USER capability on the account.
- Roles granting them the `CREATE USER` capability on the account.
Add users to the account executing a SQL Query by means of Snowflake's web UI found in the `Account` section.
@@ -424,6 +432,9 @@ One can generate programmatic access tokens for _human_ users (whose `TYPE` is `
PATs can be valid for up to 365 days. This is a security requirement on Snowflake's side.
Each token is restricted to a single role.<br/>
Users that can assume multiple roles need to have a token **per each role** they want to use that way.
Tokens are _immutable_. Role restriction and expiry date **cannot** be changed later, requiring to rotate or recreate
the PAT instead.
@@ -520,7 +531,7 @@ Procedure:
</details>
1. \[semi-optionally] Assign it an authentication policy that allows using PATs.
1. \[semi-optional] Assign it an authentication policy that allows using PATs.
> [!important]
> If no other policy limits a user's authentication methods (e.g., the user has assigned **no** authentication
@@ -626,10 +637,16 @@ WARNING! Using --password via the CLI is insecure. Use environment variables ins
## Snowflake CLI
CLI tool for Snowflake.<br/>
Meant to replace the SnowSQL tool.
See [Snowflake CLI].
## RoleOut
Project trying to accelerate the design and deployment of Snowflake environments through Infrastructure as Code.<br/>
Useful to view and configure the permissions matrix in a graphical way.
Refer [RoleOut].
## Further readings

45
knowledge base/snowflake/cli.md
View File

@@ -6,7 +6,6 @@ Meant to replace the SnowSQL tool.
1. [TL;DR](#tldr)
1. [Setup](#setup)
1. [Usage](#usage)
1. [Further readings](#further-readings)
## TL;DR
@@ -24,6 +23,10 @@ curl --continue-at '-' --location --fail --show-error --remote-name \
curl --continue-at '-' --location --fail --show-error --remote-name \
--url 'https://sfc-repo.snowflakecomputing.com/snowflake-cli/linux_aarch64/3.7.2/snowflake-cli-3.7.2.aarch64.rpm' \
&& sudo rpm -i 'snowflake-cli-3.7.2.rpm'
# Configure for the session via environment variables
export SNOWFLAKE_ACCOUNT='ABCDEFG-YZ01234' SNOWFLAKE_USER='JDOE' SNOWFLAKE_PASSWORD='SuperSecur3Pa$$word'
export SNOWFLAKE_CLI_LOGS_PATH='/Users/jondoe/snowcli_logs' SNOWFLAKE_DEFAULT_CONNECTION_NAME='myconnection'
```
</details>
@@ -44,10 +47,17 @@ snow connection list
# Add connections.
snow connection add
snow --config-file 'my_config.toml' connection add \
-n 'myconnection2' --account 'myaccount2' --user 'jdoe2' --no-interactive
# Test connections.
snow connection test
snow connection test -c 'connection-name'
snow connection test --temporary-connection --account 'account-id' --username 'login-name' --password 'password-or-pat'
snow --config-file='my_config.toml' connection test -c 'myconnection2' --enable-diag --diag-log-path "$HOME/report"
# Set the default connection
snow connection set-default 'myconnection2'
# Executes Snowflake queries.
snow sql
@@ -55,15 +65,17 @@ snow sql
</details>
<!-- Uncomment if used
<details>
<summary>Real world use cases</summary>
```sh
# Test credentials
snow connection test --temporary-connection --account 'ABCDEFG-YZ01234' --username 'JDOE' --password '<PAT>'
SNOWFLAKE_ACCOUNT='ABCDEFG-YZ01234' SNOWFLAKE_USER='JDOE' SNOWFLAKE_PASSWORD='SuperSecur3Pa$$word' snow \
connection test --temporary-connection
```
</details>
-->
## Setup
@@ -161,33 +173,18 @@ Use the format `SNOWFLAKE_<config-section>_<variable>=<value>`, where:
SNOWFLAKE_CLI_LOGS_PATH='/Users/jondoe/snowcli_logs' snow …
# Set the password for the 'myconnection' connection
SNOWFLAKE_CONNECTIONS_MYCONNECTION_PASSWORD='SomePassword'
SNOWFLAKE_CONNECTIONS_MYCONNECTION_PASSWORD='SomePassword' snow …
# Set the default connection name
SNOWFLAKE_DEFAULT_CONNECTION_NAME='myconnection'
SNOWFLAKE_DEFAULT_CONNECTION_NAME='myconnection' snow …
# Test credentials
SNOWFLAKE_ACCOUNT='ABCDEFG-YZ01234' SNOWFLAKE_USER='JDOE' SNOWFLAKE_PASSWORD='SuperSecur3Pa$$word' \
snow connection test --temporary-connection
```
</details>
## Usage
```sh
# Add connections
snow connection add
snow --config-file 'my_config.toml' connection add \
-n 'myconnection2' --account 'myaccount2' --user 'jdoe2' --no-interactive
# List connections
snow connection list
# Test connections
snow connection test
snow --config-file='my_config.toml' connection test -c 'myconnection2' --enable-diag --diag-log-path "$HOME/report"
# Set the default connection
snow connection set-default 'myconnection2'
```
## Further readings
- [Snowflake]