CREATE AUTHENTICATION POLICY¶
Creates a new authentication policy in the current or specified schema or replaces an existing authentication policy. You can use authentication policies to define authentication controls and security requirements for accounts or users.
- See also:
ALTER AUTHENTICATION POLICY, DESCRIBE AUTHENTICATION POLICY, DROP AUTHENTICATION POLICY, SHOW AUTHENTICATION POLICIES
Syntax¶
CREATE [ OR REPLACE ] AUTHENTICATION POLICY [ IF NOT EXISTS ] <name>
[ CLIENT_TYPES = ( '<string_literal>' [ , '<string_literal>' , ... ] ) ]
[ AUTHENTICATION_METHODS = ( '<string_literal>' [ , '<string_literal>' , ... ] ) ]
[ SECURITY_INTEGRATIONS = ( '<string_literal>' [ , '<string_literal>' , ... ] ) ]
[ COMMENT = '<string_literal>' ]
Required Parameters¶
name
Specifies the identifier for the authentication policy. If the identifier contains spaces or special characters, you must enclose the string in double quotation marks. Identifiers enclosed in double quotation marks are case-sensitive. The identifier must meet the identifier requirements.
Optional Parameters¶
CLIENT_TYPES = ( 'string_literal' [ , 'string_literal' , ... ] )
A list of clients that can authenticate with Snowflake. If a client tries to connect, and the client is not one of the valid
CLIENT_TYPES
, then the login attempt fails. This parameter accepts one or more of the following values:ALL
Allow all clients to authenticate.
SNOWFLAKE_UI
Snowsight or Classic Console, the Snowflake web interfaces.
DRIVERS
Drivers allow access to Snowflake from applications written in supported languages. For example, the Go, JDBC, .NET drivers, and Snowpipe Streaming.
Caution
If
DRIVERS
is not included in theCLIENT_TYPES
list, automated ingestion may stop working.SNOWSQL
A command-line client for connecting to Snowflake.
Default:
ALL
.AUTHENTICATION_METHODS = ( 'string_literal' [ , 'string_literal' , ... ] )
Caution
Restricting by authentication method can have unintended consequences, such as blocking driver connections or third-party integrations.
A list of authentication methods that are allowed during login. This parameter accepts one or more of the following values:
ALL
Allow all authentication methods.
SAML
Allows SAML2 security integrations. If
SAML
is present, an SSO login option appears. IfSAML
is not present, an SSO login option does not appear.PASSWORD
Allows users to authenticate using username and password.
OAUTH
Allows External OAuth.
KEYPAIR
Allows Key pair authentication.
Default:
ALL
.SECURITY_INTEGRATIONS = ( 'string_literal' [ , 'string_literal' , ... ] )
A list of security integrations the authentication policy is associated with. This parameter has no effect when
SAML
orOAUTH
are not in theAUTHENTICATION_METHODS
list.All values in the
SECURITY_INTEGRATIONS
list must be compatible with the values in theAUTHENTICATION_METHODS
list. For example, ifSECURITY_INTEGRATIONS
contains a SAML security integration, andAUTHENTICATION_METHODS
containsOAUTH
, then you cannot create the authentication policy.ALL
Allow all security integrations.
Default:
ALL
.COMMENT = 'string_literal'
Specifies a description of the policy.
Access Control Requirements¶
A role used to execute this SQL command must have the following privileges at a minimum:
Privilege |
Object |
Notes |
---|---|---|
CREATE AUTHENTICATION POLICY |
Schema |
Only the SECURITYADMIN role, or a higher role, has this privilege by default. The privilege can be granted to additional roles as needed. |
Note that operating on any object in a schema also requires the USAGE privilege on the parent database and schema.
For instructions on creating a custom role with a specified set of privileges, see Creating custom roles.
For general information about roles and privilege grants for performing SQL actions on securable objects, see Overview of Access Control.
Usage Notes¶
After creating an authentication policy, you must use the ALTER ACCOUNT or ALTER USER command to set it on an account or user before Snowflake enforces the policy.
If you want to update an existing authentication policy and need to see the definition of the policy, run the DESCRIBE AUTHENTICATION POLICY command or GET_DDL function.
CREATE OR REPLACE <object> statements are atomic. That is, when an object is replaced, the old object is deleted and the new object is created in a single transaction.
Example¶
Create an authentication policy named restrict_client_types_policy
that only allows access through Snowsight or the
Classic Console:
CREATE AUTHENTICATION POLICY restrict_client_types_policy
CLIENT_TYPES = ('SNOWFLAKE_UI')
COMMENT = 'Auth policy that only allows access through the web interface';