Modifies the properties of an authentication policy.
See also: CREATE AUTHENTICATION POLICY, DESCRIBE AUTHENTICATION POLICY, DROP AUTHENTICATION POLICY, SHOW AUTHENTICATION POLICIES
Syntax
ALTER AUTHENTICATION POLICY <name> RENAME TO <new_name>

ALTER AUTHENTICATION POLICY [ IF EXISTS ] <name> SET
  [ AUTHENTICATION_METHODS = ( '<string_literal>' [ , '<string_literal>' , ... ] ) ]
  [ MFA_AUTHENTICATION_METHODS = ( '<string_literal>' [ , '<string_literal>' , ... ] ) ]
  [ MFA_ENROLLMENT = { REQUIRED | OPTIONAL } ]
  [ MFA_POLICY = ( ALLOWED_METHODS = ( { 'ALL' | 'PASSKEY' | 'TOTP' | 'DUO' } [ , { 'PASSKEY' | 'TOTP' | 'DUO' } ... ] ) ) ]
  [ CLIENT_TYPES = ( '<string_literal>' [ , '<string_literal>' , ... ] ) ]
  [ SECURITY_INTEGRATIONS = ( '<string_literal>' [ , '<string_literal>' , ... ] ) ]
  [ PAT_POLICY = ( <list_of_properties> ) ]
  [ WORKLOAD_IDENTITY_POLICY = ( <list_of_properties> ) ]
  [ COMMENT = '<string_literal>' ]

ALTER AUTHENTICATION POLICY [ IF EXISTS ] <name> UNSET
  [ CLIENT_TYPES ]
  [ AUTHENTICATION_METHODS ]
  [ SECURITY_INTEGRATIONS ]
  [ MFA_AUTHENTICATION_METHODS ]
  [ MFA_ENROLLMENT ]
  [ MFA_POLICY ]
  [ PAT_POLICY ]
  [ WORKLOAD_IDENTITY_POLICY ]
  [ COMMENT ]
Parameters
name
Specifies the identifier for the authentication policy to alter.
If the identifier contains spaces or special characters, the entire string must be enclosed in double quotes. Identifiers enclosed in double quotes are also case-sensitive.
For more information, see Identifier requirements.
RENAME TO ...
Specifies a new name for an existing authentication policy.
SET ...
Specifies one or more properties to set for the authentication policy, separated by blank spaces, commas, or new lines.
AUTHENTICATION_METHODS = ( 'string_literal' [ , 'string_literal' , ... ] )
Changes the authentication methods that are allowed during login. This parameter accepts one or more of the following values:
Caution
Restricting by authentication method can have unintended consequences, such as blocking driver connections or third-party integrations.
ALL
Allow all authentication methods.
SAML
Allows SAML2 security integrations. If SAML is present, an SSO login option appears. If SAML is not present, an SSO login option does not appear.
PASSWORD
Allows users to authenticate using username and password.
OAUTH
Allows External OAuth.
KEYPAIR
Allows Key pair authentication.
PROGRAMMATIC_ACCESS_TOKEN
Allows users to authenticate with a programmatic access token.
WORKLOAD_IDENTITY
Allows users to authenticate through workload identity federation.
Default: ALL.
MFA_AUTHENTICATION_METHODS = ( 'string_literal' [ , 'string_literal' , ... ] )
A list of authentication methods that enforce multi-factor authentication (MFA) during login. Authentication methods not listed in this parameter do not prompt for multi-factor authentication.
The following authentication methods support MFA:
SAML
PASSWORD
This parameter accepts one or more of the following values:
SAML
Prompts users for MFA, if they are enrolled in MFA, when authenticating with SAML2 security integrations.
PASSWORD
Prompts users for MFA, if they are enrolled in MFA, when authenticating with a username and password.
Default: ('PASSWORD', 'SAML').
MFA_ENROLLMENT = { REQUIRED | OPTIONAL }
Changes whether a user must enroll in multi-factor authentication.
REQUIRED
Enforces users to enroll in MFA. If this value is used, then the CLIENT_TYPES parameter must include SNOWFLAKE_UI, because Snowsight is the only place users can enroll in multi-factor authentication (MFA).
OPTIONAL
Users can choose whether to enroll in MFA.
Default: REQUIRED.
MFA_POLICY= ( ALLOWED_METHODS = ( { 'ALL' | 'PASSKEY' | 'TOTP' | 'DUO' } [ , { 'PASSKEY' | 'TOTP' | 'DUO' } ... ] ) )
Specifies the multi-factor authentication (MFA) methods that users can use as a second factor of authentication. You can specify more than one method.
ALL
Users can use a passkey, an authenticator app, or Duo as their second factor of authentication.
PASSKEY
Users can use a passkey as their second factor of authentication.
TOTP
Users can use an authenticator app as their second factor of authentication.
DUO
Users can use Duo as their second factor of authentication.
CLIENT_TYPES = ( 'string_literal' [ , 'string_literal' , ... ] )
Changes which clients can authenticate with Snowflake.
If a client tries to connect, and the client is not one of the valid CLIENT_TYPES values listed below, then the login attempt fails.
If you set MFA_ENROLLMENT to REQUIRED, then you must include SNOWFLAKE_UI in the CLIENT_TYPES list to allow users to enroll in MFA. If you want to exclude SNOWFLAKE_UI from the CLIENT_TYPES list, then you must set MFA_ENROLLMENT to OPTIONAL.
The CLIENT_TYPES property of an authentication policy is a best-effort method to block user logins based on specific clients. It should not be used as the sole control to establish a security boundary. Notably, it does not restrict access to the Snowflake REST APIs.
This property accepts one or more of the following values:
ALL
Allow all clients to authenticate.
SNOWFLAKE_UI
Snowsight or Classic Console, the Snowflake web interfaces.
Caution
If SNOWFLAKE_UI is not included in the CLIENT_TYPES list while MFA_ENROLLMENT is set to REQUIRED, or MFA_ENROLLMENT is unspecified, MFA enrollment doesn’t work.
DRIVERS
Drivers allow access to Snowflake from applications written in supported languages. For example, the Go, JDBC, .NET drivers, and Snowpipe Streaming.
Caution
If DRIVERS is not included in the CLIENT_TYPES list, automated ingestion may stop working.
SNOWFLAKE_CLI
A command-line client for connecting to Snowflake and for managing developer-centric workloads and SQL operations.
SNOWSQL
A command-line client for connecting to Snowflake.
If a client tries to connect, and the client is not one of the valid CLIENT_TYPES, then the login attempt fails. If CLIENT_TYPES is unset, any client can connect.
Default: ALL.
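The following statements, added here as an example and not taken from the Snowflake documentation, tighten an existing policy in one step while respecting the MFA_ENROLLMENT and CLIENT_TYPES coupling described above; the policy name corp_login_policy and the integration name CORP_OKTA_SAML are assumptions.

```sql
-- Added example; corp_login_policy and CORP_OKTA_SAML are assumed names.

-- 1. Record the current definition before changing anything.
DESCRIBE AUTHENTICATION POLICY corp_login_policy;

-- 2. Restrict logins to SSO and key pair, require MFA, and keep the
--    clients that must remain able to connect. SNOWFLAKE_UI stays in
--    CLIENT_TYPES because MFA_ENROLLMENT = REQUIRED needs it for
--    enrollment; DRIVERS stays so automated ingestion keeps working.
ALTER AUTHENTICATION POLICY IF EXISTS corp_login_policy SET
  AUTHENTICATION_METHODS     = ('SAML', 'KEYPAIR')
  SECURITY_INTEGRATIONS      = ('CORP_OKTA_SAML')  -- SAML integration, compatible with 'SAML'
  CLIENT_TYPES               = ('SNOWFLAKE_UI', 'DRIVERS', 'SNOWFLAKE_CLI')
  MFA_ENROLLMENT             = REQUIRED
  MFA_AUTHENTICATION_METHODS = ('SAML')
  MFA_POLICY                 = ( ALLOWED_METHODS = ('PASSKEY', 'TOTP') )
  COMMENT                    = 'SSO or key pair only; MFA required';

-- 3. If the web UI must be excluded from CLIENT_TYPES, MFA_ENROLLMENT
--    has to be OPTIONAL in the same statement, otherwise users cannot
--    enroll and MFA enforcement silently breaks.
ALTER AUTHENTICATION POLICY corp_login_policy SET
  CLIENT_TYPES   = ('DRIVERS', 'SNOWFLAKE_CLI')
  MFA_ENROLLMENT = OPTIONAL;

-- 4. Roll back the client and method restrictions to their defaults
--    (ALL) if driver or integration logins start failing.
ALTER AUTHENTICATION POLICY corp_login_policy UNSET
  AUTHENTICATION_METHODS CLIENT_TYPES SECURITY_INTEGRATIONS;
```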
SECURITY_INTEGRATIONS = ( 'string_literal' [ , 'string_literal' , ... ] )
Changes the security integrations that the authentication policy is associated with. This parameter has no effect when neither SAML nor OAUTH is in the AUTHENTICATION_METHODS list.
All values in the SECURITY_INTEGRATIONS list must be compatible with the values in the AUTHENTICATION_METHODS list. For example, if SECURITY_INTEGRATIONS contains a SAML security integration, and AUTHENTICATION_METHODS contains only OAUTH, then you cannot create the authentication policy.
ALL
Allow all security integrations.
Default: ALL.
PAT_POLICY = ( list_of_properties )
Specifies the policies for programmatic access tokens. Set this to a space-delimited list of one or more of the following properties and values:
DEFAULT_EXPIRY_IN_DAYS = number_of_days
Specifies the default expiration time (in days) for a programmatic access token. You can specify a value from 1 to the maximum expiration time (which you can specify by setting MAX_EXPIRY_IN_DAYS).
The default expiration time is 15 days.
For more information, see Setting the default expiration time.
MAX_EXPIRY_IN_DAYS = number_of_days
Specifies the maximum number of days that can be set for the expiration time for a programmatic access token. You can specify a value from the default expiration time (which you can specify by setting DEFAULT_EXPIRY_IN_DAYS) to 365.
The default maximum expiration time is 365 days.
Note
If there are existing programmatic access tokens with expiration times that exceed the new maximum expiration time, attempts to authenticate with those tokens will fail.
For example, suppose that you generate a programmatic access token named my_token with an expiration time of 7 days. If you later change the maximum expiration time for all tokens to 2 days, authenticating with my_token will fail because the expiration time of the token exceeds the new maximum expiration time.
For more information, see Setting the maximum expiration time.
NETWORK_POLICY_EVALUATION = { ENFORCED_REQUIRED | ENFORCED_NOT_REQUIRED | NOT_ENFORCED }
Specifies how network policy requirements are handled for programmatic access tokens.
By default, a user must be subject to a network policy with one or more network rules to generate or use programmatic access tokens:
Service users (with TYPE=SERVICE) must be subject to a network policy to generate and use programmatic access tokens.
Human users (with TYPE=PERSON) must be subject to a network policy to use programmatic access tokens.
To override this behavior, set this property to one of the following values:
ENFORCED_REQUIRED
(default behavior)
The user must be subject to a network policy to generate and use programmatic access tokens.
If the user is subject to a network policy, the network policy is enforced during authentication.
ENFORCED_NOT_REQUIRED
The user does not need to be subject to a network policy to generate and use programmatic access tokens.
If the user is subject to a network policy, the network policy is enforced during authentication.
NOT_ENFORCED
The user does not need to be subject to a network policy to generate and use programmatic access tokens.
If the user is subject to a network policy, the network policy is not enforced during authentication.
For example:
PAT_POLICY=( DEFAULT_EXPIRY_IN_DAYS=30 MAX_EXPIRY_IN_DAYS=365 NETWORK_POLICY_EVALUATION = ENFORCED_NOT_REQUIRED );
WORKLOAD_IDENTITY_POLICY = ( list_of_properties )
Specifies the policies for workload identity federation. Set this to a space-delimited list that contains one or more of the following properties and values:
ALLOWED_PROVIDERS = ( { ALL | AWS | AZURE | GCP | OIDC } [ , { AWS | AZURE | GCP | OIDC } ... ] )
Specifies the workload identity providers allowed by the authentication policy during workload identity authentication. If this parameter is omitted, all workload identity providers are allowed.
ALL
Users can authenticate with any supported and configured workload identity provider.
AWS
Users can authenticate with an AWS IAM role or user.
AZURE
Users can authenticate with an Azure Entra ID access token.
GCP
Users can authenticate with a Google-signed ID token.
OIDC
Users can authenticate with an ID token from a configured OIDC provider.
ALLOWED_AWS_ACCOUNTS = ( 'string_literal' [ , 'string_literal' , ... ] )
Specifies the list of AWS account IDs allowed by the authentication policy during workload identity authentication of type AWS.
By default, when a Snowflake service user has a WORKLOAD_IDENTITY of type AWS, then the ARN can reference any AWS account. If this parameter is set, then only ARNs from the specified AWS account IDs are allowed to authenticate.
Each element must be a 12-digit string representing the AWS account ID.
For more information, see View AWS account identifiers.
ALLOWED_AZURE_ISSUERS = ( 'string_literal' [ , 'string_literal' , ... ] )
Specifies the list of Azure Entra ID issuers allowed by the authentication policy during workload identity authentication of type AZURE.
By default, when a Snowflake service user has a WORKLOAD_IDENTITY of type AZURE, then the issuer can be any Entra ID tenant. If this parameter is set, then only Azure tokens from the specified issuers are allowed to authenticate.
Each element must be a valid Authority URL with the following format:
https://login.microsoftonline.com/tenantId/v2.0
ALLOWED_OIDC_ISSUERS = ( 'string_literal' [ , 'string_literal' , ... ] )
Specifies the list of OIDC issuers allowed by the authentication policy during workload identity authentication of type OIDC.
By default, when a Snowflake service user has a WORKLOAD_IDENTITY of type OIDC, then the issuer can be any valid OIDC issuer. If this parameter is set, then only tokens from the specified OIDC issuers are allowed to authenticate.
Each element must be a valid HTTPS URL that contains scheme, host, and optionally, port number and path components but no query or fragment components. The URL must not contain spaces, and it must not exceed 2048 characters in length.
For example:
WORKLOAD_IDENTITY_POLICY=( ALLOWED_PROVIDERS = (AWS, AZURE, GCP, OIDC) ALLOWED_AWS_ACCOUNTS = ('123456789012', '210987654321') ALLOWED_AZURE_ISSUERS = ('https://login.microsoftonline.com/8c7832f5-de56-4d9f-ba94-3b2c361abe6b/v2.0', 'https://login.microsoftonline.com/9ebd1ec9-9a78-4429-8f53-5cf870a812d1/v2.0') ALLOWED_OIDC_ISSUERS = ('https://my.custom.oidc.issuer/', 'https://another.custom/oidc/issuer') );
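A service-user policy that combines the PAT_POLICY and WORKLOAD_IDENTITY_POLICY properties above, added here as an example rather than taken from the Snowflake documentation; the policy name svc_pipeline_policy, the AWS account IDs and the OIDC issuer are assumptions.

```sql
-- Added example; svc_pipeline_policy, the account IDs and the issuer
-- URL are placeholders, not values from the documentation.

-- Service users only: no interactive login methods, workload identity
-- federation restricted to two known AWS accounts, short-lived PATs.
ALTER AUTHENTICATION POLICY IF EXISTS svc_pipeline_policy SET
  AUTHENTICATION_METHODS = ('WORKLOAD_IDENTITY', 'PROGRAMMATIC_ACCESS_TOKEN')
  -- SNOWFLAKE_UI is excluded, so MFA_ENROLLMENT must be OPTIONAL.
  CLIENT_TYPES   = ('DRIVERS', 'SNOWFLAKE_CLI')
  MFA_ENROLLMENT = OPTIONAL
  PAT_POLICY = (
    DEFAULT_EXPIRY_IN_DAYS = 7
    -- Lowering the maximum invalidates tokens already issued with a
    -- longer expiry; rotate those before applying this change.
    MAX_EXPIRY_IN_DAYS = 30
    -- Keep the default: PAT use requires the user to be under a network policy.
    NETWORK_POLICY_EVALUATION = ENFORCED_REQUIRED
  )
  WORKLOAD_IDENTITY_POLICY = (
    ALLOWED_PROVIDERS    = (AWS)
    ALLOWED_AWS_ACCOUNTS = ('111111111111', '222222222222')  -- 12-digit account IDs
  )
  COMMENT = 'Service pipeline: WIF from approved AWS accounts or short-lived PAT';

-- Confirm the stored definition matches what was intended.
DESCRIBE AUTHENTICATION POLICY svc_pipeline_policy;

-- To admit a second provider later, widen the allow list explicitly.
-- UNSET WORKLOAD_IDENTITY_POLICY would instead reopen ALL providers.
ALTER AUTHENTICATION POLICY svc_pipeline_policy SET
  WORKLOAD_IDENTITY_POLICY = (
    ALLOWED_PROVIDERS    = (AWS, OIDC)
    ALLOWED_AWS_ACCOUNTS = ('111111111111', '222222222222')
    ALLOWED_OIDC_ISSUERS = ('https://oidc.example.com/')  -- assumed issuer, HTTPS, no query
  );
```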
COMMENT = 'string_literal'
Changes the comment for the authentication policy.
UNSET ...
Specifies the properties to unset for the authentication policy, which resets them to their defaults.
A role used to execute this operation must have the following privileges at a minimum:
Privilege | Object | Notes
OWNERSHIP | Authentication policy | Only the SECURITYADMIN role, or a higher role, has this privilege by default. The privilege can be granted to additional roles as needed.
The USAGE privilege on the parent database and schema are required to perform operations on any object in a schema.
For instructions on creating a custom role with a specified set of privileges, see Creating custom roles.
For general information about roles and privilege grants for performing SQL actions on securable objects, see Overview of Access Control.
Usage notes
If you want to update an existing authentication policy and need to see the definition of the policy, run the DESCRIBE AUTHENTICATION POLICY command or the GET_DDL function.
Examples
Alter the list of allowed clients on an authentication policy:
ALTER AUTHENTICATION POLICY restrict_client_types_policy SET CLIENT_TYPES = ('SNOWFLAKE_UI', 'SNOWSQL');