Introduction to object tagging¶

What is a tag?¶

A tag is a schema-level object that can be assigned to another Snowflake object. Users associate a tag with an arbitrary string value when assigning the tag to a Snowflake object. Snowflake stores the tag and its string value as a key-value pair. The tag must be unique for your schema, and the tag value is always a string.

The following are general characteristics of object tagging:

An object can have multiple tags at the same time. For more information, see Tag quotas.
A single tag can be assigned to different object types at the same time (for example, a warehouse and a table simultaneously).
At the time of assignment, the tag string value can be duplicated or remain unique. For example, multiple tables can be assigned the cost_center tag and the tag can always have the string value sales. Alternatively, the string value could be different for each table (for example, engineering, marketing, and finance).

After defining the tags and assigning the tags to Snowflake objects, you can query them to monitor usage on objects and facilitate data governance operations, such as auditing and reporting.

Highlights¶

Ease of use:

Define a tag once and apply it to as many different objects as desirable.

Tag inheritance:

Because tags are inherited, applying the tag to objects higher in the securable objects hierarchy results in the tag being applied to all child objects. For example, if a tag is set on a table, the tag will be inherited by all columns in that table.

Automatic propagation:

Configure a tag so it automatically propagates to target objects from a source object.

Consistent assignment with replication:

Snowflake replicates tags and their assignments within the primary database to the secondary database.

Centralized or decentralized management:

Tags support different management approaches to facilitate compliance with internal and external regulatory requirements.

In a centralized approach, you can create a tag_admin custom role that creates and applies tags to Snowflake objects.

In a decentralized approach, individual teams apply tags to Snowflake objects and the tag_admin custom role creates tags to ensure consistent tag naming.

Using tags for data protection¶

Because tags can be assigned to tables, views, and columns, setting a tag and then querying the tag enables the discovery of a multitude of database objects and columns that contain sensitive information. Upon discovery, data stewards can determine how best to make that data available, such as selective filtering using row access policies, or using masking policies to determine whether the data is tokenized, fully masked, partially masked, or unmasked.

You can also combine object tagging and masking policies to simplify the governance of data. With this approach, you assign a masking policy to a tag, then assign that tag to a table or column. When the data type of a column matches the data type in the masking policy signature, the tagged column is automatically protected by the masking policy. For more information, see Tag-based masking policies.

Using tags to monitor resource usage¶

Assigning tags to warehouses enables accurate resource usage monitoring. Querying tags on resources allows for easy resource grouping by cost center or some other organization unit. Additionally, the tag can facilitate analyzing relatively short-term business activities, such as projects, to provide a more granular insight into what, when, and how resources were used.

For an example of using tags to monitor resource usage, see Setting up object tags for cost attribution.

How a tag gets associated with an object¶

A tag can be associated with an object in the following ways:

Someone manually set the tag on the object using a CREATE <object> or ALTER <object> command. See Set a tag.
The object inherited the tag from an object higher up in the Snowflake securable object hierarchy. For example, a warehouse in an account inherits tags set on the account. See Tag inheritance.
The tag was automatically propagated from one object to another. Tags can be propagated when an object depends on another object (for example, a view based on a tagged table) or when data moves from a tagged object to another object (for example, using a CTAS statement to create a table). See Automatic tag propagation with user-defined tags.
The tag was automatically set on a column that was classified as containing sensitive data. To learn how automatic sensitive data classification uses a tag map to set these tags, see About tag mapping.
Someone used the CREATE TABLE … LIKE or CREATE TABLE … CLONE command to create a table from an existing table with tags.

Determine how a tag was associated with an object¶

The following views and functions include the apply_method column, which shows how a tag was associated with an object.

View: ACCOUNT_USAGE.TAG_REFERENCES

Functions:

INFORMATION_SCHEMA.TAG_REFERENCES

INFORMATION_SCHEMA.TAG_REFERENCES_ALL_COLUMNS

ACCOUNT_USAGE.TAG_REFERENCES_WITH_LINEAGE

For example, to find whether a tag was set manually on the object or was propagated, you could execute the following command and check the value of the apply_method column.

SELECT tag_name, tag_value, apply_method, level, domain
  FROM TABLE(my_db.INFORMATION_SCHEMA.TAG_REFERENCES('my_table', 'TABLE'));

Copy

Tag quotas¶

You can set a maximum of 50 tags on a single object, including tables and views.

If you have reached the limit on tags and want to drop one, execute an ALTER <object> UNSET TAG statement.

Separate quota for columns¶

You can set a maximum of 50 different tags on the columns of a single table. This is a limit on all of the columns combined.

The column limit is separate from the limit on the number of tags set on a table. For example, suppose you create the following table with: tags on both the table and its columns:

CREATE TABLE t1 (
  COL1 INT WITH TAG (tag1='col1', tag2='col1'),
  COL2 INT WITH TAG (tag1='col2'),
  )
  WITH TAG (tag3='t1');

Copy

Snowflake allows you to do the following:

Set 49 more tags on the table t1.
Set 48 more tags on the columns of t1. The limit is on different tags, so tag1 isn’t counted twice.

If you run a CREATE TABLE or ALTER TABLE statement to apply tags on the columns of a table, the maximum number of unique tag-entity associations is 100, where an entity is the table or a column. For example, if you have a table with 1,000 columns and you want to associate the same tag with every column, you need to run 10 ALTER statements.

Capabilities that require Enterprise Edition¶

Creating and setting tags is available to all accounts. However, there are advanced capabilities that require Enterprise Edition or higher. Your account must be Enterprise Edition or higher to use the following capabilities:

Supported objects¶

The following table lists the supported objects for tags, including columns, based on the Snowflake securable object hierarchy.

A tag can be set on an object with a CREATE <object> statement or an ALTER <object> statement unless specified otherwise in the table below.

A tag can be set on a column using a CREATE TABLE, CREATE VIEW, ALTER TABLE … MODIFY COLUMN, or ALTER VIEW statement.

Object hierarchy	Supported objects	Notes
Organization	Account	A tag can be set on your current account by a role with the global APPLY TAG privilege.
Account	Application
	Application package
	Compute pool
	Database
	Failover group
	Integration	All types are supported. Use an ALTER INTEGRATION command to set a tag on the integration.
	Network policy	Use an ALTER NETWORK POLICY command to set a tag on a network policy.
	Replication group
	Role
	Share	Tags are set on the share by the data sharing provider. These tags are not visible to the data sharing consumer. Use an ALTER SHARE command to set a tag on the share.
	User
	Warehouse
Database	Database role	Use an ALTER DATABASE ROLE command to set a tag on a database role.
	Schema
Schema	Aggregation policy
	Alert
	BUDGET instance	Use an ALTER BUDGET command to set a tag on an instance of the SNOWFLAKE.CORE.BUDGET class.
	CLASSIFICATION instance	Use an ALTER SNOWFLAKE.ML.CLASSIFICATION command to set a tag on an instance of the SNOWFLAKE.ML.CLASSIFICATION class.
	Dynamic table
	Event table
	External function and UDF	Use an ALTER FUNCTION command to set a tag on an external function or UDF.
	External table	You can create an external table with a tag using a CREATE EXTERNAL TABLE statement. To manage tag assignments on an external table, use the ALTER TABLE command.
	Git repository
	Apache Iceberg™ table
	Image repository
	Join policy
	Materialized view
	Notebook
	Password policy
	Pipe	Set a tag on a pipe with an ALTER PIPE statement.
	Policy	Set a tag on a masking, password, row access, session, aggregation, join, or projection policy with the corresponding ALTER <policy> statement.
	Procedure	Set a tag on a stored procedure with an ALTER PROCEDURE statement.
	Projection policy
	Session policy
	Snapshot
	Stage	Set a tag on a stage with an ALTER STAGE statement.
	Stream
	Streamlit
	Table
	Task	Set a tag on a task with an ALTER TASK statement.
	View
Table or View	Column	Includes event tables.

Limitations and considerations¶

Future grants:

Future grants of privileges on tags are not supported.

As a workaround, grant the APPLY TAG privilege to a custom role to allow that role to apply tags to another object.

Snowflake Native App:

Use caution when creating the setup script when tags exist in a versioned schema. For information, see version schema considerations.