User

You can provide configuration to Snowflake Object Lifecycle Engine (SOLE) for the following user operations:

  • Manage the lifecycle of new and existing users
  • Manage the grants of a user

Usage

- user:
    name: <user-name>
    <configuration-key>: <value>

Supported parameters

The engine supports the parameters listed below.

| Configuration Key | Required/Optional | Data Types and Values | Description |
|---|---|---|---|
| comment | Optional | String | Specifies a comment for the user |
| deleted | Optional | Boolean: True enables deletion prevention, False does nothing | Specifies what objects are allowed to be deleted |
| disabled | Optional | Boolean | Specifies whether the user is disabled |
| default_namespace | Optional | String/Object: see the default_namespace parameter section for a definition | Specifies the namespace, database only or database and schema, that is active by default for the user's session upon login |
| default_role | Optional | String | Specifies the role that is active by default for the user's session upon login |
| default_warehouse | Optional | String | Specifies the virtual warehouse that is active by default for the user's session upon login |
| display_name | Optional | String | Name displayed for the user in the Snowflake web interface |
| email | Optional | String | Email address for the user |
| environment | Optional | String | Specifies the environment in which the user is managed. Regex can be provided as well. |
| first_name | Optional | String | First name of the user |
| last_name | Optional | String | Last name of the user |
| login_name | Optional | String | Name that the user enters to log into the system. Login names for users must be unique across your entire account. |
| manage_mode | Optional | String: all (default), none | Configures what properties to manage for the user. See Changing Manage Mode before changing the value. |
| must_change_password | Optional | Boolean | Specifies whether the user is forced to change their password on the next login (including their first/initial login) into the system |
| namespacing | Optional | String: both (default), none, prefix, suffix | Specifies whether prefix or suffix or both are to be added to user name |
| network_policy | Optional | String: SOLE managed and preexisting non-managed network_policy names | Attaches a network policy to the user |
| password | Optional | String | The password for the user must be enclosed in single or double quotes. If no password is specified, the user cannot log into Snowflake until a password has been explicitly specified for them. |
| rsa_public_key | Optional | String | Specifies the user's RSA public key, used for key-pair authentication |
| rsa_public_key_2 | Optional | String | Specifies the user's second RSA public key, used to rotate the public and private keys for key-pair authentication based on an expiration schedule set by your organization |
| user_type | Optional | String: USER (default), LEGACY_SERVICE, SERVICE | Specifies the user type in Snowflake |

User Types

Snowflake now supports the concept of a user type. The type determines whether the user can log in without MFA and whether the user can log in with a password. You can now specify the type of a user in SOLE with the user_type parameter.

- user:
    name: DATAOPS_USER_1
    user_type: USER
    login_name: DATAOPS_USER_1

- user:
    name: DATAOPS_USER_2
    user_type: LEGACY_SERVICE
    login_name: DATAOPS_USER_2

- user:
    name: DATAOPS_USER_3
    user_type: SERVICE
    login_name: DATAOPS_USER_3

- user:
    name: DATAOPS_USER_4
    login_name: DATAOPS_USER_4 # user_type: USER is the default value
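
As an added example (not part of the SOLE documentation or code), the following Python script audits user entries against their user_type before they are applied. It assumes the entries have already been loaded from YAML into dictionaries, and its rules rest on Snowflake's behaviour that SERVICE users cannot have a password while LEGACY_SERVICE users can log in with a password and without MFA; the function names and sample users are hypothetical.

```python
# Added example: audit parsed SOLE user entries against their user_type.
# Input is what a YAML loader returns for a list of "- user:" items.
VALID_TYPES = ("USER", "LEGACY_SERVICE", "SERVICE")

def audit_user(user):
    """Return a list of findings for one SOLE user mapping."""
    name = user.get("name", "<unnamed>")
    utype = str(user.get("user_type", "USER")).upper()  # USER is the default
    password = user.get("password")
    findings = []
    if utype not in VALID_TYPES:
        findings.append(f"{name}: unknown user_type {utype}")
    if utype == "SERVICE":
        # Snowflake does not allow password properties on SERVICE users.
        for key in ("password", "must_change_password"):
            if key in user:
                findings.append(f"{name}: {key} set on a SERVICE user")
    if utype == "LEGACY_SERVICE" and password and not user.get("network_policy"):
        # Password login without MFA and without a network restriction.
        findings.append(f"{name}: LEGACY_SERVICE password without network_policy")
    if password and password in (user.get("login_name"), name):
        findings.append(f"{name}: password equals the login or user name")
    return findings

def audit(config):
    """Collect findings for every user entry in a parsed SOLE config."""
    findings = []
    for item in config:
        if isinstance(item, dict) and "user" in item:
            findings.extend(audit_user(item["user"]))
    return findings

# Constructed sample users (hypothetical names, placeholder secrets and keys).
SAMPLE = [
    {"user": {"name": "ETL_SVC", "user_type": "SERVICE",
              "password": "constructed-secret", "rsa_public_key": "..."}},
    {"user": {"name": "BI_LEGACY", "user_type": "LEGACY_SERVICE",
              "login_name": "BI_LEGACY", "password": "BI_LEGACY"}},
    {"user": {"name": "LOADER", "user_type": "SERVICE", "rsa_public_key": "...",
              "network_policy": "rel(network_policy.LOADER_POLICY)"}},
    {"user": {"name": "ANALYST", "login_name": "ANALYST",
              "password": "constructed-initial", "must_change_password": True}},
]

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```
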

default_namespace parameter

You can specify default_namespace as a name alone if it belongs to the same schema and database as the user, or you can give the names of the schema and database explicitly.

This parameter supports the following parameters if explicitly provided:

| Configuration Key | Required/Optional | Data Types and Values | Description |
|---|---|---|---|
| database | Optional | String | Name of the database |
| schema | Optional | String | Name of the schema |

Examples

default_namespace:
    database: "<database-name>"
    schema: "<schema-name>"

Examples

- user:
    name: SAM
    comment: "management"
    login_name: "user_login"
    password: "user_login"
    disabled: false
    display_name: "manager"
    email: "user@example.com"
    first_name: "user"
    last_name: "login"
    must_change_password: true
    default_namespace:
        schema: rel(schema.<schema-name>)
    default_warehouse: rel(warehouse.<warehouse-name>)
    default_role: "role"
    rsa_public_key: "..."
    rsa_public_key_2: "..."
    network_policy: rel(network_policy.<network-policy-name>)