brandon/oam
1
0
Fork 0
mirror of https://gitea.com/mcereda/oam.git synced 2026-02-09 05:44:23 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
b59fd51640cc17f8d39f40aab34ab5d8fa0b1bc4
oam/snippets/snowflake.sql
Michele Cereda 4c66f66ad4 feat(snowflake): access with pats
2025-07-28 17:26:09 +02:00

126 lines
3.6 KiB
SQL
Raw Blame History

-- List authentication policies
SHOW AUTHENTICATION POLICIES;
-- Create authentication policies
CREATE AUTHENTICATION POLICY allow_pats_policy AUTHENTICATION_METHODS = ('PROGRAMMATIC_ACCESS_TOKEN');
-- List network policies
SHOW NETWORK POLICIES;
-- Create network policies
CREATE NETWORK POLICY IF NOT EXISTS allow_all_net_policy ALLOWED_IP_LIST = ('0.0.0.0/0');
-- List warehouses
SHOW WAREHOUSES;
-- Delete warehouses
DROP WAREHOUSE IF EXISTS tuts_wh;
-- List databases
SHOW DATABASES;
-- Delete databases
DROP DATABASE IF EXISTS sf_tuts;
-- List roles
SHOW ROLES;
SHOW ROLES LIKE '%DATA%';
-- Create roles
CREATE ROLE IF NOT EXISTS some_service_role;
-- Grant permissions to roles
GRANT USAGE ON WAREHOUSE COMPUTE_WH TO ROLE SYSADMIN;
GRANT USAGE ON DATABASE dev_dwh TO ROLE some_service_role;
GRANT USAGE ON SCHEMA dev_dwh.public TO ROLE some_service_role;
GRANT SELECT ON ALL TABLES IN SCHEMA dev_dwh.public TO ROLE some_service_role;
-- Assume roles
USE ROLE ACCOUNTADMIN;
USE ROLE USERADMIN;
-- List users
SHOW USERS;
SHOW USERS LIKE 'BILLY';
SHOW USERS LIKE '%john%';
-- Get information about users
DESC USER zoe;
-- Create users
CREATE USER alice;
CREATE USER IF NOT EXISTS bob;
CREATE OR REPLACE USER claude
LOGIN_NAME='CLAUDE@EXAMPLE.ORG' DISPLAY_NAME='Claude' EMAIL='claude@example.org'
PASSWORD='somePassword' MUST_CHANGE_PASSWORD=TRUE;
-- Create service users
-- Default resources do *not* need to exist beforehand, but *will* be used on login
CREATE USER IF NOT EXISTS some_service TYPE = SERVICE
DEFAULT_ROLE = some_service_role DEFAULT_WAREHOUSE = dev_wh DEFAULT_NAMESPACE = dev_db.dev_schema;
-- Change user attributes
ALTER USER bob SET DEFAULT_WAREHOUSE = NULL;
-- Show permissions users have
SHOW GRANTS TO USER CLAUDE;
-- Show permissions the current user has on other users
SHOW GRANTS ON USER CLAUDE;
-- Grant permissions to users
GRANT ROLE some_service_role TO USER some_service;
GRANT USAGE ON WAREHOUSE COMPUTE_WH TO USER mike;
-- Assign policies to users
ALTER USER some_service SET AUTHENTICATION POLICY allow_pats_policy;
ALTER USER some_service SET NETWORK_POLICY = allow_all_net_policy;
-- Create PATs for users
ALTER USER some_service ADD PROGRAMMATIC ACCESS TOKEN some_service_pat
ROLE_RESTRICTION = 'SOME_SERVICE_ROLE' -- roles here must be referred to in uppercase
DAYS_TO_EXPIRY = 90
COMMENT = 'PAT for some_service';
-- Reset password
ALTER USER IF EXISTS elijah RESET PASSWORD;
-- Disable MFA
ALTER USER fred SET DISABLE_MFA=TRUE;
-- Unlock users
ALTER USER greg SET MINS_TO_UNLOCK=0;
-- Delete users
DROP USER snowman;
-- -----------------
-- programmatic access token setup
-- -----------------
-- 1. create policies
USE ROLE ACCOUNTADMIN;
CREATE AUTHENTICATION POLICY allow_pats_auth_policy AUTHENTICATION_METHODS=('PROGRAMMATIC_ACCESS_TOKEN');
CREATE NETWORK POLICY IF NOT EXISTS allow_all_net_policy ALLOWED_IP_LIST=('0.0.0.0/0');
-- 2. create service user and role
USE ROLE USERADMIN;
CREATE USER IF NOT EXISTS data_service_user TYPE=SERVICE DEFAULT_ROLE=data_service_role;
CREATE ROLE IF NOT EXISTS data_service_role;
GRANT USAGE ON DATABASE data_db TO ROLE data_service_role;
GRANT USAGE ON SCHEMA data_db.data_schema TO ROLE data_service_role;
GRANT SELECT ON ALL TABLES IN SCHEMA data_db.data_schema TO ROLE data_service_role;
GRANT ROLE data_service_role TO USER data_service_user;
-- 3. grant policies
ALTER USER data_service_user SET AUTHENTICATION POLICY allow_pats_auth_policy;
ALTER USER data_service_user SET NETWORK_POLICY=allow_all_net_policy;
-- 4. create pat
ALTER USER data_service_user ADD PROGRAMMATIC ACCESS TOKEN data_service_pat
ROLE_RESTRICTION='DATA_SERVICE_ROLE' DAYS_TO_EXPIRY=90 COMMENT='Test PAT';
Reference in New Issue View Git Blame Copy Permalink