Account
You can provide configuration to Snowflake Object Lifecycle Engine for the following operation with the account:
- Manage the lifecycle of the current account
- Manage grants of the current account
Usage
- Classic Configuration
- Data Products Configuration
account:
<configuration-key>: <value>
grants:
<privilege>:
- <role-name>
- <role-name>
- account:
<configuration-key>: <value>
grants:
<privilege>:
- rel(role.<role-name>)
- rel(role.<role-name>)
Supported parameters
The engine supports the parameters listed below.
| Configuration Key | Required/Optional | Data Type and Values | Description |
|---|---|---|---|
allow_client_mfa_caching | Optional | Boolean | Specifies whether an MFA token can be saved |
allow_id_token | Optional | Boolean | Specifies whether a connection-token can be saved |
client_encryption_key_size | Optional | Integer | Specifies the AES encryption key size, in bits |
deleted | Optional | Boolean: True enables deletion prevention, False does nothing | Specifies what objects are allowed to be deleted |
enable_internal_stages_privatelink | Optional | Boolean | Specifies whether the SYSTEM$GET_PRIVATELINK_CONFIG function returns the private-internal-stages key in the query result |
environment | Optional | String | Specifies the environment in which the account is managed. Regex can be provided as well |
external_oauth_add_privileged_roles_to_blocked_list | Optional | Boolean | Determines whether the ACCOUNTADMIN, ORGADMIN, and SECURITYADMIN roles can be used as the primary role to create a session |
grants | Optional | Map: See Supported Account Grants to Roles | Lists the Privileges and Roles to which privileges are granted on the current account |
initial_replication_size_limit_in_tb | Optional | Integer | Sets the maximum estimated size limit for the initial replication of a primary database to a secondary database (in TB) |
manage_mode | Optional | String: grants (default), all, none | Configures what properties to manage for the account |
min_data_retention_time_in_days | Optional | Integer | Minimum number of days for which historical data on an object retains |
network_policy | Optional | String: SOLE managed and preexisting non-managed network_policy names | Attaches a network policy to the current account |
periodic_data_rekeying | Optional | Boolean | Enables/Disables re-encryption of table data with new keys on a yearly basis |
prevent_unload_to_inline_url | Optional | Boolean | Specifies whether to prevent ad hoc data unload operations to external cloud storage locations |
require_storage_integration_for_stage_creation | Optional | Boolean | Specifies whether to require a storage integration object as cloud credentials when creating a named external stage |
require_storage_integration_for_stage_operation | Optional | Boolean | Specifies whether to require a named external stage when loading data from or unloading data |
sso_login_page | Optional | Boolean | Enables/Disables federated authentication |
Supported account grants to roles
Following are the privileges you can grant to roles in the account definition:
- ALL PRIVILEGES
- APPLY MASKING POLICY
- CREATE DATABASE
- CREATE INTEGRATION
- CREATE ROLE
- CREATE USER
- CREATE WAREHOUSE
- CREATE SHARE
- EXECUTE TASK
- IMPORT SHARE
- MANAGE GRANTS
- MONITOR EXECUTION
- MONITOR USAGE
ALL PRIVILEGES handling
When you define ALL PRIVILEGES in the SOLE configuration file, you grant all the privileges listed above to roles on this object. However, the management of ALL PRIVILEGES in SOLE differs from its handling in Snowflake. See Handling ALL PRIVILEGES in SOLE for more information.
Examples
- Classic Configuration
- Data Products Configuration
dataops/snowflake/account.yml
account:
network_policy: <network-policy-name>
ALLOW_CLIENT_MFA_CACHING: true
ALLOW_ID_TOKEN: true
manage_mode: all
grants:
create role:
- SYSADMIN
create user:
- ACCOUNTADMIN
dataops/snowflake/account.yml
- account:
network_policy: <network-policy-name>
manage_mode: all
grants:
create role:
- SYSADMIN
create user:
- ACCOUNTADMIN