
Account

You can provide configuration to the Snowflake Object Lifecycle Engine (SOLE) for the following operations on the account:

  • Manage the lifecycle of the current account
  • Manage grants of the current account

Usage

account:
  <configuration-key>: <value>
  grants:
    <privilege>:
      - <role-name>
      - <role-name>

Supported parameters

The engine supports the parameters listed below.

| Configuration Key | Required/Optional | Data Type and Values | Description |
|---|---|---|---|
| allow_client_mfa_caching | Optional | Boolean | Specifies whether an MFA token can be saved |
| allow_id_token | Optional | Boolean | Specifies whether a connection token can be saved |
| client_encryption_key_size | Optional | Integer | Specifies the AES encryption key size, in bits |
| deleted | Optional | Boolean: True enables deletion prevention, False does nothing | Specifies which objects are allowed to be deleted |
| enable_internal_stages_privatelink | Optional | Boolean | Specifies whether the SYSTEM$GET_PRIVATELINK_CONFIG function returns the private-internal-stages key in the query result |
| environment | Optional | String | Specifies the environment in which the account is managed. A regex can be provided as well |
| external_oauth_add_privileged_roles_to_blocked_list | Optional | Boolean | Determines whether the ACCOUNTADMIN, ORGADMIN, and SECURITYADMIN roles can be used as the primary role to create a session |
| grants | Optional | Map: see Supported account grants to roles | Lists the privileges, and the roles to which they are granted, on the current account |
| initial_replication_size_limit_in_tb | Optional | Integer | Sets the maximum estimated size limit for the initial replication of a primary database to a secondary database (in TB) |
| manage_mode | Optional | String: grants (default), all, none | Configures which properties to manage for the account |
| min_data_retention_time_in_days | Optional | Integer | Minimum number of days for which historical data on an object is retained |
| network_policy | Optional | String: SOLE-managed and preexisting non-managed network_policy names | Attaches a network policy to the current account |
| periodic_data_rekeying | Optional | Boolean | Enables/disables yearly re-encryption of table data with new keys |
| prevent_unload_to_inline_url | Optional | Boolean | Specifies whether to prevent ad hoc data unload operations to external cloud storage locations |
| require_storage_integration_for_stage_creation | Optional | Boolean | Specifies whether a storage integration object is required as the cloud credentials when creating a named external stage |
| require_storage_integration_for_stage_operation | Optional | Boolean | Specifies whether a named external stage is required when loading or unloading data |
| sso_login_page | Optional | Boolean | Enables/disables federated authentication |

Supported account grants to roles

The following privileges can be granted to roles in the account definition:

  • ALL PRIVILEGES
  • APPLY MASKING POLICY
  • CREATE DATABASE
  • CREATE INTEGRATION
  • CREATE ROLE
  • CREATE USER
  • CREATE WAREHOUSE
  • CREATE SHARE
  • EXECUTE TASK
  • IMPORT SHARE
  • MANAGE GRANTS
  • MONITOR EXECUTION
  • MONITOR USAGE

ALL PRIVILEGES handling

When you define ALL PRIVILEGES in the SOLE configuration file, you grant all the privileges listed above to roles on this object. However, the management of ALL PRIVILEGES in SOLE differs from its handling in Snowflake. See Handling ALL PRIVILEGES in SOLE for more information.

Examples

dataops/snowflake/account.yml

account:
  network_policy: <network-policy-name>
  ALLOW_CLIENT_MFA_CACHING: true
  ALLOW_ID_TOKEN: true
  manage_mode: all
  grants:
    create role:
      - SYSADMIN
    create user:
      - ACCOUNTADMIN
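The parameter table and the grant list above are the whole contract of an account definition, so they can be checked mechanically before a pipeline applies the file. The linter below is an added example written for this page, not DataOps.live or SOLE code: it parses the indented YAML subset that account files use (a tiny parser, so no PyYAML dependency; real files with anchors or inline collections need a full parser), rejects keys and privileges the page does not list, expands ALL PRIVILEGES to the listed privileges as the page describes, and raises review notes for the boolean settings whose weaker value relaxes a control named in the table and for non-admin roles that receive grant- or identity-shaping privileges. Case-insensitive key matching, the choice of which settings and privileges deserve a review note, and the sample file are this example's own assumptions.

```python
# Added example, not DataOps.live code: lint a SOLE account.yml against the parameter
# table and grant list on this page. Parser covers only nested maps and "- item" lists.

# Keys from "Supported parameters"; the page's example also uses upper-case spellings,
# so matching is case-insensitive (an assumption made here).
SUPPORTED_KEYS = {
    "allow_client_mfa_caching", "allow_id_token", "client_encryption_key_size", "deleted",
    "enable_internal_stages_privatelink", "environment", "grants", "manage_mode",
    "external_oauth_add_privileged_roles_to_blocked_list", "network_policy",
    "initial_replication_size_limit_in_tb", "min_data_retention_time_in_days",
    "periodic_data_rekeying", "prevent_unload_to_inline_url", "sso_login_page",
    "require_storage_integration_for_stage_creation",
    "require_storage_integration_for_stage_operation",
}
# Privileges from "Supported account grants to roles"; ALL PRIVILEGES expands to these.
ACCOUNT_PRIVILEGES = {
    "APPLY MASKING POLICY", "CREATE DATABASE", "CREATE INTEGRATION", "CREATE ROLE",
    "CREATE USER", "CREATE WAREHOUSE", "CREATE SHARE", "EXECUTE TASK", "IMPORT SHARE",
    "MANAGE GRANTS", "MONITOR EXECUTION", "MONITOR USAGE",
}
# Roles the page names as privileged; treating these three privileges as sensitive is our choice.
PRIVILEGED_ROLES = {"ACCOUNTADMIN", "ORGADMIN", "SECURITYADMIN"}
ACCESS_SHAPING = {"MANAGE GRANTS", "CREATE ROLE", "CREATE USER"}
# Boolean parameters whose listed value weakens a control described in the table.
REVIEW_WHEN = {
    "allow_client_mfa_caching": (True, "MFA tokens may be saved on clients"),
    "allow_id_token": (True, "connection tokens may be saved on clients"),
    "sso_login_page": (False, "federated authentication disabled"),
}
# Constructed sample modelled on the page's example (not a real account file).
SAMPLE_ACCOUNT_YML = """\
account:
  network_policy: corp_office_policy
  ALLOW_CLIENT_MFA_CACHING: true
  ALLOW_ID_TOKEN: true
  manage_mode: all
  sso_login_page: false
  grants:
    create role:
      - SYSADMIN
    all privileges:
      - ANALYST_ROLE
"""


def _scalar(value):
    if value.lower() in ("true", "false"):
        return value.lower() == "true"
    return int(value) if value.lstrip("-").isdigit() else value


def parse_simple_yaml(text):
    """Nested maps and '- item' lists by indentation; a key's first child decides list vs map."""
    root, pending = {}, None
    stack = [(-1, root)]
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent, line = len(raw) - len(raw.lstrip(" ")), raw.strip()
        if pending:
            parent, key, key_indent = pending
            parent[key] = ([] if line.startswith("- ") else {}) if indent > key_indent else {}
            if indent > key_indent:
                stack.append((key_indent, parent[key]))
            pending = None
        while stack[-1][0] >= indent:  # leave every container nested at least this deep
            stack.pop()
        container = stack[-1][1]
        if line.startswith("- "):
            container.append(_scalar(line[2:].strip()))
        else:
            key, _, value = line.partition(":")
            if value.strip():
                container[key.strip()] = _scalar(value.strip())
            else:
                pending = (container, key.strip(), indent)
    if pending:
        pending[0][pending[1]] = {}
    return root


def effective_privileges(grants):
    """Map ROLE -> set of privileges, expanding ALL PRIVILEGES as the page describes."""
    per_role = {}
    for priv, roles in grants.items():
        expanded = ACCOUNT_PRIVILEGES if priv.upper() == "ALL PRIVILEGES" else {priv.upper()}
        for role in roles:
            per_role.setdefault(role.upper(), set()).update(expanded)
    return per_role


def lint_account(config):
    """Return (level, message) pairs: 'error' for unsupported input, 'review' for a human look."""
    findings, account = [], config.get("account", {})
    for key, value in account.items():
        low = key.lower()
        if low not in SUPPORTED_KEYS:
            findings.append(("error", f"unsupported key {key!r}"))
        elif low in REVIEW_WHEN and value == REVIEW_WHEN[low][0]:
            findings.append(("review", f"{low}={value}: {REVIEW_WHEN[low][1]}"))
    grants = next((v for k, v in account.items() if k.lower() == "grants"), {})
    for priv in grants:
        if priv.upper() not in ACCOUNT_PRIVILEGES | {"ALL PRIVILEGES"}:
            findings.append(("error", f"unsupported account privilege {priv!r}"))
    for role, privs in effective_privileges(grants).items():
        if role not in PRIVILEGED_ROLES and privs & ACCESS_SHAPING:
            findings.append(("review", f"{role} gets {sorted(privs & ACCESS_SHAPING)}"))
    return findings
```

Run it as `lint_account(parse_simple_yaml(open("dataops/snowflake/account.yml").read()))` in a pre-apply pipeline step and fail the job on any "error" finding; "review" findings are meant for a human, since the page's own example legitimately grants CREATE ROLE to SYSADMIN and the linter cannot know whether that is intended.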