Schemas:

ACCOUNT_USAGE , READER_ACCOUNT_USAGE

LOGIN_HISTORY view¶

This Account Usage view can be used to query login attempts by Snowflake users within the last 365 days (1 year).

Details about the error codes/messages for login attempts that were unsuccessful can be found in the following documentation:

Columns¶

Column Name

Data Type

Description

READER_ACCOUNT_NAME

VARCHAR

Name of the reader account for the user authentication event. This column is only included in the view in the READER_ACCOUNT_USAGE schema.

EVENT_ID

NUMBER

Internal/system-generated identifier for the login attempt.

EVENT_TIMESTAMP

TIMESTAMP_LTZ

Time (in the UTC time zone) of the event occurrence.

EVENT_TYPE

VARCHAR

Event type, such as LOGIN for authentication events.

USER_NAME

VARCHAR

User associated with this event.

CLIENT_IP

VARCHAR

IP address where the request originated.

REPORTED_CLIENT_TYPE

VARCHAR

Reported type of the client software, such as JDBC_DRIVER, ODBC_DRIVER, and so on. This information is not authenticated.

REPORTED_CLIENT_VERSION

VARCHAR

Reported version of the client software. This information is not authenticated.

FIRST_AUTHENTICATION_FACTOR

VARCHAR

Method used to authenticate the user (the first factor in multi factor authentication, if used).

SECOND_AUTHENTICATION_FACTOR

VARCHAR

The second factor in multi factor authentication. If the user did not use multi-factor authentication, this value is NULL.

IS_SUCCESS

VARCHAR

Whether the user’s request was successful or not.

ERROR_CODE

NUMBER

Error code, if the request was not successful.

ERROR_MESSAGE

VARCHAR

Error message returned to the user, if the request was not successful.

RELATED_EVENT_ID

NUMBER

Reserved for future use.

CONNECTION

VARCHAR

Name of the connection used by the client, or NULL if the client is not using a connection URL. A connection is a Snowflake object that is part of Client Redirect. It represents a connection URL that you can use to fail over to another account for business continuity and disaster recovery. . , NOTE: If a client authenticates through an identity provider (IdP) that is configured with the account URL rather than the connection URL, the IdP directs the client to the account URL after authentication is complete. The CONNECTION column for this login event is NULL. See Authentication and Client Redirect.

CLIENT_PRIVATE_LINK_ID

VARCHAR

If the user logged in using private connectivity, specifies the identifier of the endpoint from which the request originated.

FIRST_AUTHENTICATION_FACTOR_ID

VARCHAR

ID of the credential used to authenticate the user (the first factor in multi-factor authentication, if used).

SECOND_AUTHENTICATION_FACTOR_ID

VARCHAR

ID of the credential used for the second factor in multi-factor authentication. If the user did not use multi-factor authentication, this value is NULL.

Usage notes¶

  • Latency for the view may be up to 120 minutes (2 hours).

  • INTERNAL_SNOWFLAKE_IP/0.0.0.0 appears as the client IP for login events triggered by internal Snowflake operations that support your usage. For example:

    • Because worksheets exist as unique sessions, when a user accesses a worksheet in Snowsight, Snowflake creates a login event that originates from INTERNAL_SNOWFLAKE_IP/0.0.0.0.

    • When a Snowpark Container Services service logs into Snowflake, the client IP is masked to INTERNAL_SNOWFLAKE_IP/0.0.0.0.

  • This view does not record the activity of internal users the system defines to perform various operations (e.g. maintain Snowsight worksheets).