Object Tagging

Tags enables data stewards to track sensitive data for compliance, discovery, protection, and resource usage use cases through either a centralized or decentralized data governance management approach.

In this Topic:

What is a Tag?

A tag is a schema-level object that can be associated to another Snowflake object. A tag can be assigned an arbitrary string value upon associating the tag to a Snowflake object. Snowflake stores the tag and its string value as a key-value pair in the form key = 'value'. In this example, cost_center = 'sales', cost_center is the tag and 'sales' is the string value. The tag must be unique for your schema and the tag value is always a string.

A single tag can be assigned to different object types at the same time (e.g. warehouse and table simultaneously). At the time of association to the Snowflake object, the tag string value can be duplicated or remain unique. For example, multiple tables can be assigned the cost_center tag and the tag can always have the string value be 'sales'. Alternatively, the string value could be different (e.g. 'engineering', 'marketing', 'finance'). After defining the tags and assigning tags to Snowflake objects, tags can be queried to track usage on the objects to facilitate data governance operations, such as tracking, auditing, and reporting.

Snowflake supports assigning tags to the following Snowflake objects and columns:

Because tags can be assigned to tables, views, and columns, setting a tag and then querying the tag enables the discovery of a multitude of database objects and columns that contain sensitive information. Upon discovery, data stewards can determine how best to make that data available, such as selective filtering using row access policies, or using masking policies to determine whether the data is tokenized, fully masked, partially masked, or unmasked.

Assigning tags to warehouses enables accurate resource usage tracking. Querying tags on resources allows for easy resource grouping by cost center or other organization units. Additionally, the tag can facilitate analyzing relatively short-term business activities, such as projects, to provide a more granular insight into what, when, and how resources were used.

Tag Lineage

Snowflake recommends defining the tag keys as closely as possible to the securable object hierarchy in your Snowflake environment. A tag is inherited based on the Snowflake securable object hierarchy.

The tag administrator can apply masking policies to tables and views.

Tag inheritance means that if a tag is applied to a table, the tag also applies to the columns in that table. This behavior is referred to as tag lineage.

The inherited tag can be overridden on a given object. If a table column inherits the tag cost_center = 'sales', the tag can be replaced with a more specific tag such as cost_center = 'sales_na', where na specifies the North America sales cost center. Additionally, a new tag can be applied to the table column (e.g. classification = 'secret').

After defining the tag keys and assigning tags to Snowflake objects, track the tags, tag references, and tag lineage using the specified table functions or query the views as shown in Implementing Tags (in this topic).

Tag Benefits

Ease of Use

Define a tag once and apply it to as many different objects as desirable.

Tag Lineage

Since tags are inherited, applying the tag to objects higher in the securable objects hierarchy results in the tag being applied to all child objects. For example, if a tag is set on a table, the tag will be inherited by all columns in that table.

Consistent Assignment with Replication

Snowflake replicates tags and their associations within the primary database to the secondary database.

For more information, see Replication (in this topic).

Sensitive Data Tracking and Resource Usage

Tags simplify identifying sensitive data (e.g. PII, Secret) and bring visibility to Snowflake resource usage. With data and metadata in the same system, analysts can quickly determine which resources consume the most Snowflake credits based on the tag definition (e.g. cost_center, department).

Centralized or Decentralized Management

Tags supports different management approaches to facilitate compliance with internal and external regulatory requirements.

In a centralized approach, the tag_admin custom role creates and applies tags to Snowflake objects.

In a decentralized approach, individual teams apply tags to Snowflake objects and the tag_admin custom role creates tags to ensure consistent tag naming.

Using Tags with Snowflake Objects and Features

The following describes how tags affect objects and features in Snowflake.

Account-level Objects

Snowflake supports assigning tags to the following account-level objects:

  • Warehouse

  • Database

  • User

  • Role

Database-level Objects

  • Schema

Schema-level Objects

Snowflake supports assigning tags to the following schema-level objects:

  • Table

  • External table

  • View

  • Materialized view

  • Stage

CREATE TABLE Statements

With CREATE TABLE … LIKE, tags associated with the source table are associated with the target table.

Replication

Tags can be replicated.

The replication operation fails if either of the following conditions is true:

  • The primary database is in an Enterprise (or higher) account and contains a tag but one or more of the accounts approved for replication are on lower editions.

  • An object contained in the primary database has a reference to a tag in another database.

    Note

    If using failover or failback actions, the Snowflake account must be Business Critical Edition or higher.

    For more information, see Database Replication and Failover/Failback.

Cloning

Snowflake supports the following tag behavior during clone operations:

  • Tag associations in the source object are maintained in the cloned objects.

  • If cloning a database or schema, tags residing in that database or schema are also cloned.

  • After cloning, objects and their tag associations are mapped to the cloned objects and tags, not the original objects and tags.

Implementing Tags

Implementing tags in Snowflake is a four-step process:

  1. Define a custom role and assign privileges.

  2. Create a tag using a CREATE TAG statement.

  3. Associate a tag to a Snowflake object using the ALTER <object> command.

  4. Track tags through table functions and views.

For simplicity, these steps assume a centralized management approach to tags, where the tag_admin custom role has both the CREATE and APPLY privileges for the tag.

Step 1: Create a Custom Role and Assign Privileges

In a centralized management approach, the tag_admin custom role is responsible for creating and assigning tags to Snowflake objects.

Note that this example uses the ACCOUNTADMIN system role. If using this higher-privileged role in a production environment is not desirable, verify that the role assigning privileges to the tag_admin custom role has the necessary privileges to qualify the tag_admin custom role. For more information, see Managing Tags (in this topic).

use role useradmin;
create role tag_admin;
use role accountadmin;
grant create tag on schema <schema_name> to role tag_admin;
grant apply tag on account to role tag_admin;

Step 2: Create a Tag

Execute a CREATE TAG statement to create a tag.

use role tag_admin;
use schema my_db.my_schema;
create tag cost_center;

Step 3: Associate a Tag to a Snowflake Object

Associate a tag to a Snowflake object using an ALTER <object> statement.

For example, to set a tag on a warehouse, use the ALTER WAREHOUSE command.

use role tag_admin;
alter warehouse wh1 set tag cost_center = 'sales';

To set or unset a tag on a column, use the ALTER TABLE … MODIFY COLUMN command for a table column or the ALTER VIEW … MODIFY COLUMN command for a view column. Note that more than one tag can be set or unset in a single statement.

-- For a table or external table column

alter table <table_name> modify column <column_name> set tag <tag_key> = '<tag_value>' [ , <tag_key> = ’<tag_value>’ , ... ];
alter table <table_name> modify column <column_name> unset <tag_key> [ , <tag_key> , ... ];

-- For a view or materialized view column

alter view <view_name> modify column <column_name> set tag <tag_key> = '<tag_value>' [ , <tag_key> = ’<tag_value>’ , ... ];
alter view <view_name> modify column <column_name> unset <tag_key> [ , <tag_key> , ... ];

Step 4: Track the Tag Usage

You can track tag usage through two different Account Usage views, an Information Schema table function, an Account Usage table function, and the GET_TAG function.

  • To obtain a list of all tags in your account, query the Account Usage TAGS View:

    select * from snowflake.account_usage.tags
    order by tag_name;
    
  • To obtain a list of all associations between tags and Snowflake objects, query the Account Usage TAG_REFERENCES View:

    select * from snowflake.account_usage.tag_references
    order by tag_name, domain, object_id;
    
  • To list associations between tags and Snowflake objects, use the Information Schema table function TAG_REFERENCES:

    select *
     from table(my_db.information_schema.tag_references('my_table', 'table'));
    
  • To list all tag associations to Snowflake objects and to obtain the tag lineage for the specified tag, use the Account Usage table function TAG_REFERENCES_WITH_LINEAGE:

    select *
      from table(snowflake.account_usage.tag_references_with_lineage('my_db.my_schema.cost_center'));
    
  • To return the tag value associated with the specified tag, and the Snowflake object or column, use the SYSTEM$GET_TAG function.

    select system$get_tag('cost_center', 'my_table', 'table');
    

Managing Tags

Tag Privileges

Snowflake supports the following privileges to determine whether users can create, set, and own tags.

Privilege

Usage

CREATE

Enables creating a new tag in a schema.

APPLY

Enables the add and drop operations for the tag on a Snowflake object.

OWNERSHIP

Transfers ownership of the tag, which grants full control over the tag. Required to alter most properties of a tag.

Note

Tags are stored at the schema level.

Operating on a tag requires the USAGE privilege on the parent database and schema.

Tag DDL Reference

Snowflake supports the following DDL to create and manage tags.

Note that Snowflake does not support the describe operation for the tag object.

Summary of DDL Commands, Operations, and Privileges

The following table summarizes the relationship between tag privileges and DDL operations.

Operation

Privilege required

Create tag.

A role with the USAGE privilege on the parent database and schema with the CREATE TAG privilege in the same schema.

Alter tag.

The role with the OWNERSHIP privilege on the tag.

Drop tag.

A role with the OWNERSHIP privilege on the tag and the USAGE privilege on the database and schema in which the tag exists.

Show tags.

One of the following: . A role with the USAGE privilege on the schema in which the tags exist, or . A role with the APPLY TAG on ACCOUNT permission.

Set or unset a tag on an object.

For individual objects, a role with the APPLY TAG privilege on the account, or the APPLY TAG privilege on the tag and the OWNERSHIP privilege on the object on which the tag is set.

Set or unset a tag on a column.

A role with the APPLY privilege on the tag and the OWNERSHIP privilege on the table or view.

Get tags on an object.

See SYSTEM$GET_TAG, TAG_REFERENCES, and TAG_REFERENCES_WITH_LINEAGE.