ALTER USER … REMOVE KEY PAIR¶
Removes a named key pair from a user.
Syntax¶
Parameters¶
usernameThe name of the user that the key pair is associated with.
If you omit this parameter, the command removes the key pair for the user who is currently logged in (the active user in the current session).
REMOVE KEY PAIR key_pair_nameRemoves the named key pair.
The names
PUBLIC_KEY_1andPUBLIC_KEY_2are reserved for keys assigned with the legacyRSA_PUBLIC_KEYandRSA_PUBLIC_KEY_2user properties and can’t be removed through this command. Use ALTER USER … UNSET RSA_PUBLIC_KEY to remove those legacy keys.
Access control requirements¶
A role used to execute this operation must have the following privileges at a minimum:
| Privilege | Object | Notes |
|---|---|---|
| MODIFY PROGRAMMATIC AUTHENTICATION METHODS | User | Required to remove a key pair. |
For instructions on creating a custom role with a specified set of privileges, see Creating custom roles.
For general information about roles and privilege grants for performing SQL actions on securable objects, see Overview of Access Control.
Usage notes¶
- You cannot use a removed key pair for authentication.
- You cannot recover a removed key pair. To reinstate the same public key, run ALTER USER … ADD KEY PAIR again with the desired public key.
- The removed key pair’s name becomes available immediately and can be reused in a subsequent ALTER USER … ADD KEY PAIR. (Rotated-out key pairs, by contrast, retain their
_ROTATED_<epoch_ms>tombstone name until they expire.) - If you only want to temporarily block a key pair from being used for authentication, use ALTER USER … MODIFY KEY PAIR … SET DISABLED = TRUE instead.
Examples¶
Remove a key pair named my_key from the user example_user: