users
Creates, updates, deletes, gets or lists a users resource.
Overview
| Name | users |
| Type | Resource |
| Id | snowflake.user.users |
Fields
The following fields are returned by SELECT queries:
- list_users
- fetch_user
Properties of user.
| Name | Datatype | Description |
|---|---|---|
name | string | User name (example: jackpatel) |
display_name | string | Display name |
first_name | string | First name |
last_name | string | Last name |
login_name | string | Login name |
middle_name | string | Middle name |
comment | string | Comment about the user. (example: A distinguished user) |
created_on | string (date-time) | |
custom_landing_page_url | string | |
custom_landing_page_url_flush_next_ui_load | boolean | Whether or not to flush the custom landing page of the user on next UI load |
days_to_expiry | integer | How many days until this user expires |
default_namespace | string | The default namespace to use when this user starts a session |
default_role | string | The default role to use when this user starts a session |
default_secondary_roles | string | The default secondary roles of this user to use when starting a session. Only valid set values are ALL or NONE. Default is ALL after 2024-07 BCR. (default: ALL) |
default_warehouse | string | The default warehouse to use when this user starts a session |
disabled | boolean | Has this user been disabled from the system |
email | string | Email address |
enable_unredacted_query_syntax_error | boolean | Whether to show unredacted query syntax errors in the query history. |
expires_at | string (date-time) | |
ext_authn_duo | boolean | |
ext_authn_uid | string | |
has_password | boolean | |
has_rsa_public_key | boolean | |
last_successful_login | string (date-time) | |
locked_until | string (date-time) | |
mins_to_bypass_mfa | integer | How many minutes until MFA is required again |
mins_to_bypass_network_policy | integer | Temporary bypass network policy on the user for a specified number of minutes |
mins_to_unlock | integer | How many minutes until the account is unlocked after multiple failed logins |
must_change_password | boolean | Does this user need to change their password (e.g., after assigning a temp password) |
network_policy | string | Specifies an existing network policy is active for the user. Otherwise, use account default. |
owner | string | |
password | string (password) | Password |
password_last_set | string (date-time) | |
rsa_public_key | string | RSA public key of the user |
rsa_public_key_2 | string | Second RSA public key of the user |
rsa_public_key_2_fp | string | Fingerprint of the user's second RSA public key |
rsa_public_key_fp | string | Fingerprint of the user's RSA public key |
snowflake_lock | boolean | Whether the user, account, or organization is locked by Snowflake. |
snowflake_support | boolean | Whether Snowflake Support is allowed to use the user or account |
type | string | Indicates the type of user (PERSON | SERVICE | LEGACY_SERVICE) |
Properties of user.
| Name | Datatype | Description |
|---|---|---|
name | string | User name (example: jackpatel) |
display_name | string | Display name |
first_name | string | First name |
last_name | string | Last name |
login_name | string | Login name |
middle_name | string | Middle name |
comment | string | Comment about the user. (example: A distinguished user) |
created_on | string (date-time) | |
custom_landing_page_url | string | |
custom_landing_page_url_flush_next_ui_load | boolean | Whether or not to flush the custom landing page of the user on next UI load |
days_to_expiry | integer | How many days until this user expires |
default_namespace | string | The default namespace to use when this user starts a session |
default_role | string | The default role to use when this user starts a session |
default_secondary_roles | string | The default secondary roles of this user to use when starting a session. Only valid set values are ALL or NONE. Default is ALL after 2024-07 BCR. (default: ALL) |
default_warehouse | string | The default warehouse to use when this user starts a session |
disabled | boolean | Has this user been disabled from the system |
email | string | Email address |
enable_unredacted_query_syntax_error | boolean | Whether to show unredacted query syntax errors in the query history. |
expires_at | string (date-time) | |
ext_authn_duo | boolean | |
ext_authn_uid | string | |
has_password | boolean | |
has_rsa_public_key | boolean | |
last_successful_login | string (date-time) | |
locked_until | string (date-time) | |
mins_to_bypass_mfa | integer | How many minutes until MFA is required again |
mins_to_bypass_network_policy | integer | Temporary bypass network policy on the user for a specified number of minutes |
mins_to_unlock | integer | How many minutes until the account is unlocked after multiple failed logins |
must_change_password | boolean | Does this user need to change their password (e.g., after assigning a temp password) |
network_policy | string | Specifies an existing network policy is active for the user. Otherwise, use account default. |
owner | string | |
password | string (password) | Password |
password_last_set | string (date-time) | |
rsa_public_key | string | RSA public key of the user |
rsa_public_key_2 | string | Second RSA public key of the user |
rsa_public_key_2_fp | string | Fingerprint of the user's second RSA public key |
rsa_public_key_fp | string | Fingerprint of the user's RSA public key |
snowflake_lock | boolean | Whether the user, account, or organization is locked by Snowflake. |
snowflake_support | boolean | Whether Snowflake Support is allowed to use the user or account |
type | string | Indicates the type of user (PERSON | SERVICE | LEGACY_SERVICE) |
Methods
The following methods are available for this resource:
| Name | Accessible by | Required Params | Optional Params | Description |
|---|---|---|---|---|
list_users | select | endpoint | like, startsWith, showLimit, fromName | Lists the users in the system. |
fetch_user | select | name, endpoint | Fetch user information using the result of the DESCRIBE command | |
create_user | insert | endpoint | createMode | Create a user according to the parameters given |
create_or_alter_user | replace | name, endpoint | Create a (or alter an existing) user. Even if the operation is just an alter, the full property set must be provided. Note that password is not currently altered by this operation but is supported for a newly-created object. | |
delete_user | delete | name, endpoint | ifExists | Delete a user with the given name. |
Parameters
Parameters can be passed in the WHERE clause of a query. Check the Methods section to see which parameters are required or optional for each operation.
| Name | Datatype | Description |
|---|---|---|
endpoint | string | Organization and Account Name (default: orgid-acctid) |
name | string | Identifier (i.e. name) for the resource. |
createMode | string | Query parameter allowing support for different modes of resource creation. Possible values include: - errorIfExists: Throws an error if you try to create a resource that already exists. - orReplace: Automatically replaces the existing resource with the current one. - ifNotExists: Creates a new resource when an alter is requested for a non-existent resource. |
fromName | string | Query parameter to enable fetching rows only following the first row whose object name matches the specified string. Case-sensitive and does not have to be the full name. |
ifExists | boolean | Query parameter that specifies how to handle the request for a resource that does not exist: - true: The endpoint does not throw an error if the resource does not exist. It returns a 200 success response, but does not take any action on the resource. - false: The endpoint throws an error if the resource doesn't exist. |
like | string | Query parameter to filter the command output by resource name. Uses case-insensitive pattern matching, with support for SQL wildcard characters. |
showLimit | integer | Query parameter to limit the maximum number of rows returned by a command. |
startsWith | string | Query parameter to filter the command output based on the string of characters that appear at the beginning of the object name. Uses case-sensitive pattern matching. |
SELECT examples
- list_users
- fetch_user
Lists the users in the system.
SELECT
name,
display_name,
first_name,
last_name,
login_name,
middle_name,
comment,
created_on,
custom_landing_page_url,
custom_landing_page_url_flush_next_ui_load,
days_to_expiry,
default_namespace,
default_role,
default_secondary_roles,
default_warehouse,
disabled,
email,
enable_unredacted_query_syntax_error,
expires_at,
ext_authn_duo,
ext_authn_uid,
has_password,
has_rsa_public_key,
last_successful_login,
locked_until,
mins_to_bypass_mfa,
mins_to_bypass_network_policy,
mins_to_unlock,
must_change_password,
network_policy,
owner,
password,
password_last_set,
rsa_public_key,
rsa_public_key_2,
rsa_public_key_2_fp,
rsa_public_key_fp,
snowflake_lock,
snowflake_support,
type
FROM snowflake.user.users
WHERE endpoint = '{{ endpoint }}' -- required
AND like = '{{ like }}'
AND startsWith = '{{ startsWith }}'
AND showLimit = '{{ showLimit }}'
AND fromName = '{{ fromName }}';
Fetch user information using the result of the DESCRIBE command
SELECT
name,
display_name,
first_name,
last_name,
login_name,
middle_name,
comment,
created_on,
custom_landing_page_url,
custom_landing_page_url_flush_next_ui_load,
days_to_expiry,
default_namespace,
default_role,
default_secondary_roles,
default_warehouse,
disabled,
email,
enable_unredacted_query_syntax_error,
expires_at,
ext_authn_duo,
ext_authn_uid,
has_password,
has_rsa_public_key,
last_successful_login,
locked_until,
mins_to_bypass_mfa,
mins_to_bypass_network_policy,
mins_to_unlock,
must_change_password,
network_policy,
owner,
password,
password_last_set,
rsa_public_key,
rsa_public_key_2,
rsa_public_key_2_fp,
rsa_public_key_fp,
snowflake_lock,
snowflake_support,
type
FROM snowflake.user.users
WHERE name = '{{ name }}' -- required
AND endpoint = '{{ endpoint }}' -- required;
INSERT examples
- create_user
- Manifest
Create a user according to the parameters given
INSERT INTO snowflake.user.users (
data__name,
data__password,
data__login_name,
data__display_name,
data__first_name,
data__middle_name,
data__last_name,
data__email,
data__must_change_password,
data__disabled,
data__days_to_expiry,
data__mins_to_unlock,
data__default_warehouse,
data__default_namespace,
data__default_role,
data__default_secondary_roles,
data__mins_to_bypass_mfa,
data__rsa_public_key,
data__rsa_public_key_2,
data__comment,
data__type,
data__enable_unredacted_query_syntax_error,
data__network_policy,
endpoint,
createMode
)
SELECT
'{{ name }}' --required,
'{{ password }}',
'{{ login_name }}',
'{{ display_name }}',
'{{ first_name }}',
'{{ middle_name }}',
'{{ last_name }}',
'{{ email }}',
{{ must_change_password }},
{{ disabled }},
{{ days_to_expiry }},
{{ mins_to_unlock }},
'{{ default_warehouse }}',
'{{ default_namespace }}',
'{{ default_role }}',
'{{ default_secondary_roles }}',
{{ mins_to_bypass_mfa }},
'{{ rsa_public_key }}',
'{{ rsa_public_key_2 }}',
'{{ comment }}',
'{{ type }}',
{{ enable_unredacted_query_syntax_error }},
'{{ network_policy }}',
'{{ endpoint }}',
'{{ createMode }}'
;
# Description fields are for documentation purposes
- name: users
props:
- name: endpoint
value: string
description: Required parameter for the users resource.
- name: name
value: string
description: >
User name
- name: password
value: string
description: >
Password
- name: login_name
value: string
description: >
Login name
- name: display_name
value: string
description: >
Display name
- name: first_name
value: string
description: >
First name
- name: middle_name
value: string
description: >
Middle name
- name: last_name
value: string
description: >
Last name
- name: email
value: string
description: >
Email address
- name: must_change_password
value: boolean
description: >
Does this user need to change their password (e.g., after assigning a temp password)
- name: disabled
value: boolean
description: >
Has this user been disabled from the system
- name: days_to_expiry
value: integer
description: >
How many days until this user expires
- name: mins_to_unlock
value: integer
description: >
How many minutes until the account is unlocked after multiple failed logins
- name: default_warehouse
value: string
description: >
The default warehouse to use when this user starts a session
- name: default_namespace
value: string
description: >
The default namespace to use when this user starts a session
- name: default_role
value: string
description: >
The default role to use when this user starts a session
- name: default_secondary_roles
value: string
description: >
The default secondary roles of this user to use when starting a session. Only valid set values are ALL or NONE. Default is ALL after 2024-07 BCR.
valid_values: ['ALL', 'NONE']
default: ALL
- name: mins_to_bypass_mfa
value: integer
description: >
How many minutes until MFA is required again
- name: rsa_public_key
value: string
description: >
RSA public key of the user
- name: rsa_public_key_2
value: string
description: >
Second RSA public key of the user
- name: comment
value: string
description: >
Comment about the user.
- name: type
value: string
description: >
Indicates the type of user (PERSON | SERVICE | LEGACY_SERVICE)
- name: enable_unredacted_query_syntax_error
value: boolean
description: >
Whether to show unredacted query syntax errors in the query history.
- name: network_policy
value: string
description: >
Specifies an existing network policy is active for the user. Otherwise, use account default.
- name: createMode
value: string
description: Query parameter allowing support for different modes of resource creation. Possible values include: - `errorIfExists`: Throws an error if you try to create a resource that already exists. - `orReplace`: Automatically replaces the existing resource with the current one. - `ifNotExists`: Creates a new resource when an alter is requested for a non-existent resource.
REPLACE examples
- create_or_alter_user
Create a (or alter an existing) user. Even if the operation is just an alter, the full property set must be provided. Note that password is not currently altered by this operation but is supported for a newly-created object.
REPLACE snowflake.user.users
SET
data__name = '{{ name }}',
data__password = '{{ password }}',
data__login_name = '{{ login_name }}',
data__display_name = '{{ display_name }}',
data__first_name = '{{ first_name }}',
data__middle_name = '{{ middle_name }}',
data__last_name = '{{ last_name }}',
data__email = '{{ email }}',
data__must_change_password = {{ must_change_password }},
data__disabled = {{ disabled }},
data__days_to_expiry = {{ days_to_expiry }},
data__mins_to_unlock = {{ mins_to_unlock }},
data__default_warehouse = '{{ default_warehouse }}',
data__default_namespace = '{{ default_namespace }}',
data__default_role = '{{ default_role }}',
data__default_secondary_roles = '{{ default_secondary_roles }}',
data__mins_to_bypass_mfa = {{ mins_to_bypass_mfa }},
data__rsa_public_key = '{{ rsa_public_key }}',
data__rsa_public_key_2 = '{{ rsa_public_key_2 }}',
data__comment = '{{ comment }}',
data__type = '{{ type }}',
data__enable_unredacted_query_syntax_error = {{ enable_unredacted_query_syntax_error }},
data__network_policy = '{{ network_policy }}'
WHERE
name = '{{ name }}' --required
AND endpoint = '{{ endpoint }}' --required
AND data__name = '{{ name }}' --required;
DELETE examples
- delete_user
Delete a user with the given name.
DELETE FROM snowflake.user.users
WHERE name = '{{ name }}' --required
AND endpoint = '{{ endpoint }}' --required
AND ifExists = '{{ ifExists }}';