Table: snowflake_user - Query OCI Snowflake Users using SQL
Snowflake is a cloud-based data warehousing platform that enables data storage, processing, and analytic solutions. It is designed to support and manage all aspects of data, analytics, and application integration. Snowflake is built on top of the Amazon Web Services (AWS) cloud infrastructure and is a scalable and elastic solution that can handle high volumes of data and concurrent workloads.
Table Usage Guide
The snowflake_user table provides insights into users within the OCI Snowflake service. As a data analyst or database administrator, explore user-specific details through this table, including user properties, roles, and status. Utilize it to manage user access, track user activity, and ensure compliance with your organization's data usage policies.
Examples
Basic info
Explore user profiles on your Snowflake platform to understand their access level and recent activity. This aids in maintaining security by identifying unusual behavior or inactive accounts.
select name, login_name, disabled, default_role, default_warehouse, has_password, has_rsa_public_key, last_success_loginfrom snowflake_user;select name, login_name, disabled, default_role, default_warehouse, has_password, has_rsa_public_key, last_success_loginfrom snowflake_user;List users that have passwords
Discover the segments that have passwords in the Snowflake user base to assess the elements within the user configuration. This can help in identifying instances where users may have potential security risks.
select name, login_name, disabled, default_role, default_warehousefrom snowflake_userwhere has_password;select name, login_name, disabled, default_role, default_warehousefrom snowflake_userwhere has_password = 1;List users whose passwords haven't been rotated in 90 days
Assess the elements within your user base to identify those who haven't updated their passwords in the past 90 days. This can be useful for enforcing security standards and ensuring regular password rotation.
select name, login_name, disabled, default_role, default_warehouse, has_password, password_last_set_time :: timestampfrom snowflake_userwhere has_password and password_last_set_time :: timestamp < now() - interval '90 days';select name, login_name, disabled, default_role, default_warehouse, has_password, datetime(password_last_set_time)from snowflake_userwhere has_password and datetime(password_last_set_time) < datetime('now', '-90 days');List users using keypair authentication
Discover the segments that use keypair authentication to gain insights into the security measures in place for user access. This can be useful in assessing the strength and variety of authentication methods employed within your system.
select name, login_name, disabled, rsa_public_key, rsa_public_key_fp, rsa_public_key_2, rsa_public_key_2_fpfrom snowflake_userwhere has_rsa_public_key;select name, login_name, disabled, rsa_public_key, rsa_public_key_fp, rsa_public_key_2, rsa_public_key_2_fpfrom snowflake_userwhere has_rsa_public_key = 1;List users that have not logged in for 30 days
Identify users who haven't engaged with your platform in the last month. This can help in tailoring re-engagement strategies and understanding user activity patterns.
select name, email, disabled, last_success_loginfrom snowflake_userwhere last_success_login is null or (last_success_login < now() - interval '30 days');select name, email, disabled, last_success_loginfrom snowflake_userwhere last_success_login is null or (last_success_login < datetime('now', '-30 days'));Control examples
- Snowflake Security Overview and Best Practices > Data Encryption > Enable periodic rekeying in Snowflake
- Snowflake Security Overview and Best Practices > Data Encryption > Enable Tri-Secret Secure in the target account when using the database Replication
- Snowflake Security Overview and Best Practices > Data Encryption > Use automatic key rotation for the CMK as provided by the cloud provider
- Snowflake Security Overview and Best Practices > Data Encryption > Use built-in encryption functions in addition to the transparent encryption to encrypt/decrypt certain columns
- Snowflake Security Overview and Best Practices > Data Encryption > Use Tri-Secret Secure
- Snowflake Security Overview and Best Practices > Identity and Access Management > ACCOUNTADMIN role must not be set as the default role for users
- Snowflake Security Overview and Best Practices > Identity and Access Management > Disable Snowflake authentication for all non-administrator users
- Snowflake Security Overview and Best Practices > Identity and Access Management > Enable MFA for users to provide an additional layer of security
- Snowflake Security Overview and Best Practices > Identity and Access Management > Ensure an email address is specified for users with ACCOUNTADMIN role
- Snowflake Security Overview and Best Practices > Identity and Access Management > Set the default_role property for users
- Snowflake Security Overview and Best Practices > Monitoring > User passwords should be rotated at regular intervals
- Snowflake Security Overview and Best Practices > Network Security > Allow firewall to connect client applications to Snowflake
- Snowflake Security Overview and Best Practices > Network Security > Allow Snowflake to access your cloud storage location
- Snowflake Security Overview and Best Practices > Network Security > Use private connectivity with Snowflake
Schema for snowflake_user
| Name | Type | Operators | Description |
|---|---|---|---|
| _ctx | jsonb | Steampipe context in JSON form. | |
| account | text | =, !=, ~~, ~~*, !~~, !~~* | The Snowflake account ID. |
| comment | text | Comment associated to user in the dictionary. | |
| created_on | timestamp with time zone | Timestamp when the user was created. | |
| custom_landing_page_url | text | Snowflake Support is allowed to use the user or account. | |
| custom_landing_page_url_flush_next_ui_load | boolean | The timestamp on which the last non-null password was set for the user. Default to null if no password has been set yet. | |
| days_to_expiry | text | User record will be treated as expired after specified number of days. | |
| default_namespace | text | Default database namespace prefix for this user. | |
| default_role | text | Primary principal of user session will be set to this role. | |
| default_secondary_roles | text | The secondary roles will be set to all roles provided here. | |
| default_warehouse | text | Default warehouse for this user. | |
| disabled | text | Whether the user is disabled. | |
| display_name | text | Display name of the user. | |
| text | Email address of the user | ||
| expires_at_time | timestamp with time zone | The date and time when the user's status is set to EXPIRED and the user can no longer log in. | |
| ext_authn_duo | boolean | Whether Duo Security is enabled as second factor authentication. | |
| ext_authn_uid | text | External authentication ID of the user. | |
| first_name | text | First name of the user. | |
| has_password | boolean | Whether the user has password. | |
| has_rsa_public_key | boolean | Whether the user has RSA public key. | |
| last_name | text | Last name of the user. | |
| last_success_login | timestamp with time zone | Date and time when the user last logged in to the Snowflake. | |
| locked_until_time | timestamp with time zone | Specifies the number of minutes until the temporary lock on the user login is cleared. | |
| login_name | text | Login name of the user. | |
| mins_to_bypass_mfa | text | Temporary bypass MFA for the user for a specified number of minutes. | |
| mins_to_bypass_network_policy | text | Temporary bypass network policy on the user for a specified number of minutes. | |
| mins_to_unlock | text | Temporary lock on the user will be removed after specified number of minutes. | |
| must_change_password | text | User must change the password. | |
| name | text | Name of the snowflake user. | |
| owner | text | Owner of the user in Snowflake. | |
| password_last_set_time | text | The timestamp on which the last non-null password was set for the user. Default to null if no password has been set yet. | |
| region | text | The Snowflake region in which the account is located. | |
| rsa_public_key | text | RSA public key of the user. | |
| rsa_public_key_2 | text | Second RSA public key of the user. | |
| rsa_public_key_2_fp | text | Fingerprint of user's second RSA public key. | |
| rsa_public_key_fp | text | Fingerprint of user's RSA public key. | |
| snowflake_lock | text | Whether the user or account is locked by Snowflake. | |
| snowflake_support | text | Snowflake Support is allowed to use the user or account. | |
| sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
| sp_ctx | jsonb | Steampipe context in JSON form. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- snowflakeYou can pass the configuration to the command with the --config argument:
steampipe_export_snowflake --config '<your_config>' snowflake_user