CREATE AUTHENTICATION POLICY | Snowflake Documentation (original) (raw)

Creates a new authentication policy in the current or specified schema or replaces an existing authentication policy. You can use authentication policies to define authentication controls and security requirements for accounts or users.

This command supports the following variants:

See also:

ALTER AUTHENTICATION POLICY, DESCRIBE AUTHENTICATION POLICY, DROP AUTHENTICATION POLICY, SHOW AUTHENTICATION POLICIES, CREATE OR ALTER

Syntax

CREATE [ OR REPLACE ] AUTHENTICATION POLICY [ IF NOT EXISTS ] [ AUTHENTICATION_METHODS = ( '' [ , '' , ... ] ) ] [ MFA_AUTHENTICATION_METHODS = ( '' [ , '' , ... ] ) ] [ MFA_ENROLLMENT = { REQUIRED | OPTIONAL } ] [ CLIENT_TYPES = ( '' [ , '' , ... ] ) ] [ SECURITY_INTEGRATIONS = ( '' [ , '' , ... ] ) ] [ PAT_POLICY = ( {list_of_properties} ) ] [ COMMENT = '' ]

Variant syntax

CREATE OR ALTER AUTHENTICATION POLICY

Creates a new authentication policy if it doesn’t already exist, or alters an existing authentication policy into the one defined in the statement. A CREATE OR ALTER AUTHENTICATION POLICY statement follows the syntax rules of a CREATE AUTHENTICATION POLICY statement and has the same limitations as anALTER AUTHENTICATION POLICY statement.

CREATE OR ALTER AUTHENTICATION POLICY [ AUTHENTICATION_METHODS = ( '' [ , '' , ... ] ) ] [ MFA_AUTHENTICATION_METHODS = ( '' [ , '' , ... ] ) ] [ MFA_ENROLLMENT = { REQUIRED | OPTIONAL } ] [ CLIENT_TYPES = ( '' [ , '' , ... ] ) ] [ SECURITY_INTEGRATIONS = ( '' [ , '' , ... ] ) ] [ PAT_POLICY = ( {list_of_properties} ) ] [ COMMENT = '' ]

Required parameters

_name_

Specifies the identifier for the authentication policy.

In addition, the identifier must start with an alphabetic character and cannot contain spaces or special characters unless the entire identifier string is enclosed in double quotes (for example, "My object"). Identifiers enclosed in double quotes are also case-sensitive.

For more information, see Identifier requirements.

Optional parameters

AUTHENTICATION_METHODS = ( '_stringliteral_' [ , '_stringliteral_' , ... ] )

Caution

Restricting by authentication method can have unintended consequences, such as blocking driver connections or third-party integrations.

A list of authentication methods that are allowed during login. This parameter accepts one or more of the following values:

ALL

Allow all authentication methods.

SAML

Allows SAML2 security integrations. If SAML is present, an SSO login option appears. If SAML is not present, an SSO login option does not appear.

PASSWORD

Allows users to authenticate using username and password.

OAUTH

Allows External OAuth.

KEYPAIR

Allows Key pair authentication.

PROGRAMMATIC_ACCESS_TOKEN

Allows users to authenticate with a programmatic access token.

Default: ALL.

MFA_AUTHENTICATION_METHODS = ( '_stringliteral_' [ , '_stringliteral_' , ... ] )

A list of authentication methods that enforce multi-factor authentication (MFA) during login. Authentication methods not listed in this parameter do not prompt for multi-factor authentication.

The following authentication methods support MFA:

This parameter accepts one or more of the following values:

SAML

Prompts users for MFA, if they are enrolled in MFA, when authenticating with SAML2 security integrations.

PASSWORD

Prompts users for MFA, if they are enrolled in MFA, when authenticating with a username and password.

Default: ('PASSWORD').

MFA_ENROLLMENT = { REQUIRED | OPTIONAL }

Determines whether a user must enroll in multi-factor authentication.

REQUIRED

Enforces users to enroll in MFA. If this value is used, then the CLIENT_TYPES parameter must includeSNOWFLAKE_UI, because Snowsight is the only place users canenroll in multi-factor authentication (MFA).

OPTIONAL

Users can choose whether to enroll in MFA.

Default: REQUIRED.

CLIENT_TYPES = ( '_stringliteral_' [ , '_stringliteral_' , ... ] )

A list of clients that can authenticate with Snowflake.

If a client tries to connect, and the client is not one of the valid CLIENT_TYPES values listed below, then the login attempt fails.

If you set MFA_ENROLLMENT to REQUIRED, then you must include SNOWFLAKE_UI in the CLIENT_TYPES list to allow users to enroll in MFA.

If you want to exclude SNOWFLAKE_UI from the CLIENT_TYPES list, then you must set MFA_ENROLLMENT toOPTIONAL.

The CLIENT_TYPES property of an authentication policy is a best effort method to block user logins based on specific clients. It should not be used as the sole control to establish a security boundary.

This parameter accepts one or more of the following values:

ALL

Allow all clients to authenticate.

SNOWFLAKE_UI

Snowsight or Classic Console, the Snowflake web interfaces.

Caution

If SNOWFLAKE_UI is not included in the CLIENT_TYPES list while MFA_ENROLLMENT is set to REQUIRED, or MFA_ENROLLMENT is unspecified, MFA enrollment doesn’t work.

DRIVERS

Drivers allow access to Snowflake from applications written insupported languages. For example, the Go,JDBC, .NET drivers, andSnowpipe Streaming.

Caution

If DRIVERS is not included in the CLIENT_TYPES list, automated ingestion may stop working.

SNOWFLAKE_CLI

A command-line client for connecting to Snowflake and for managing developer-centric workloads and SQL operations.

SNOWSQL

A command-line client for connecting to Snowflake.

Default: ALL.

SECURITY_INTEGRATIONS = ( '_stringliteral_' [ , '_stringliteral_' , ... ] )

A list of security integrations the authentication policy is associated with. This parameter has no effect when SAML orOAUTH are not in the AUTHENTICATION_METHODS list.

All values in the SECURITY_INTEGRATIONS list must be compatible with the values in the AUTHENTICATION_METHODS list. For example, if SECURITY_INTEGRATIONS contains a SAML security integration, and AUTHENTICATION_METHODS containsOAUTH, then you cannot create the authentication policy.

ALL

Allow all security integrations.

Default: ALL.

PAT_POLICY = ( _listofproperties_ )

Specifies the policies for programmatic access tokens. Set this to a space-delimited list of one or more of the following properties and values:

DEFAULT_EXPIRY_IN_DAYS = _numberofdays_

Specifies the default expiration time (in days) for a programmatic access token. You can specify a value from 1 to the maximum time (which you can specify by setting MAX_EXPIRY_IN_DAYS).

The default expiration time is 15 days.

For more information, see Setting the default expiration time.

MAX_EXPIRY_IN_DAYS = _numberofdays_

Specifies the maximum number of days that can be set for the expiration time for a programmatic access token. You can specify a value from 1 to 365.

The default maximum expiration time is 365 days.

Note

If there are existing programmatic access tokens with expiration times that exceed the new maximum expiration time, attempts to authenticate with those tokens will fail.

For example, suppose that you generate a programmatic access token named my_token with the expiration time of 7 days. If you later change the maximum expiration time for all tokens to 2 days, authenticating with my_token will fail because the expiration time of the token exceeds the new maximum expiration time.

For more information, see Setting the maximum expiration time.

NETWORK_POLICY_EVALUATION = { ENFORCED_REQUIRED | ENFORCED_NOT_REQUIRED | NOT_ENFORCED }

Specifies how network policy requirements are handled for programmatic access tokens.

By default, a user must be subject to a network policy with one or morenetwork rules to generate or use programmatic access tokens:

To override this behavior, set this property to one of the following values:

ENFORCED_REQUIRED (default behavior)

The user must be subject to a network policy to generate and use programmatic access tokens.

If the user is subject to a network policy, the network policy is enforced during authentication.

ENFORCED_NOT_REQUIRED

The user does not need to be subject to a network policy to generate and use programmatic access tokens.

If the user is subject to a network policy, the network policy is enforced during authentication.

NOT_ENFORCED

The user does not need to be subject to a network policy to generate and use programmatic access tokens.

If the user is subject to a network policy, the network policy is not enforced during authentication.

For example:

PAT_POLICY=( DEFAULT_EXPIRY_IN_DAYS=30 MAX_EXPIRY_IN_DAYS=365 NETWORK_POLICY_EVALUATION = ENFORCED_NOT_REQUIRED );

COMMENT = '_stringliteral_'

Specifies a description of the policy.

Access control requirements

A role used to execute this operation must have the followingprivileges at a minimum:

Privilege Object Notes
CREATE AUTHENTICATION POLICY Schema
OWNERSHIP Authentication Policy A role must be granted or inherit the OWNERSHIP privilege on the object to create a temporary object that has the same name as the object that already exists in the schema. Required to execute a CREATE OR ALTER AUTHENTICATION POLICY statement for an existing authentication policy.

The USAGE privilege on the parent database and schema are required to perform operations on any object in a schema.

For instructions on creating a custom role with a specified set of privileges, see Creating custom roles.

For general information about roles and privilege grants for performing SQL actions onsecurable objects, see Overview of Access Control.

Usage notes

Example

Create an authentication policy named restrict_client_types_policy that only allows access through Snowsight or the Classic Console:

CREATE AUTHENTICATION POLICY restrict_client_types_policy CLIENT_TYPES = ('SNOWFLAKE_UI') COMMENT = 'Auth policy that only allows access through the web interface';

Set multi-factor authentication, update the list of clients, and unset the comment for restrict_client_types_policy:

CREATE OR ALTER AUTHENTICATION POLICY restrict_client_types_policy MFA_ENROLLMENT = REQUIRED MFA_AUTHENTICATION_METHODS = ('PASSWORD', 'SAML') CLIENT_TYPES = ('SNOWFLAKE_UI', 'SNOWFLAKE_CLI');

For more examples, see Authentication policies.