Categories: System functions (System Information)

SYSTEM$ISSUE_WORKLOAD_IDENTITY_FEDERATION_TOKEN

Returns an ID token that a Snowflake workload can send to an external service for authentication purposes.

For more information about using this function, see Workload identity federation for Snowflake workloads that access external services.

Syntax

SYSTEM$ISSUE_WORKLOAD_IDENTITY_FEDERATION_TOKEN(
  '<workload_identity_secret>',
  '<audience>' )

Arguments

'workload_identity_secret'

Fully qualified name of the secret that was created for the Snowflake workload that is authenticating with workload identity federation.

The type of the secret must be WORKLOAD_IDENTITY_FEDERATION.

'audience'

Specifies the audience of the ID token in JSON format. The function uses this value to set the aud claim of the ID token.

The audience is specified in the following format:

{ "aud": "<audience_identifier>" }

Returns

Returns an encoded ID token that conforms to the OIDC specification.

Examples

Generate an ID token for the workload that created the my_workload secret so that it can authenticate with workload identity federation. The workload intends to send the ID token to the service identified by example-cloud-service.com.

SELECT SYSTEM$ISSUE_WORKLOAD_IDENTITY_FEDERATION_TOKEN(
  'my_db.auth.my_workload',
  '{
    "aud": "example-cloud-service.com"
    }'
  );
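
The following Python sketch is an added example, not part of the Snowflake documentation or product code. It builds the audience argument in the format shown above and inspects the aud claim of a returned token before the token is sent anywhere. The function names and the sample token are hypothetical and constructed for illustration. The code decodes claims only and does not verify the token signature, which the receiving service must do.

```python
import base64
import json


def audience_argument(audience_identifier: str) -> str:
    """Build the second argument in the page's format: { "aud": "<audience_identifier>" }."""
    return json.dumps({"aud": audience_identifier})


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def unverified_claims(id_token: str) -> dict:
    """Decode the payload of a compact JWT WITHOUT verifying its signature."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    claims = json.loads(_b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims


def audience_matches(claims: dict, expected: str) -> bool:
    """The aud claim may be a single string or an array of strings (RFC 7519)."""
    aud = claims.get("aud")
    if isinstance(aud, str):
        return aud == expected
    if isinstance(aud, list):
        return expected in aud
    return False


def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample token: header and payload are made up for this example and
# the third segment is a placeholder, not a real signature.
SAMPLE_TOKEN = ".".join([
    _b64url_encode({"alg": "RS256", "typ": "JWT"}),
    _b64url_encode({"aud": "example-cloud-service.com"}),
    "placeholder-signature",
])

print(audience_matches(unverified_claims(SAMPLE_TOKEN), "example-cloud-service.com"))
```

A mismatch between the aud value and the service that receives the token is a reason to stop before sending it, because a token scoped to one audience should not be presented to another.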