ALTER SECRET¶
Modifies the properties of an existing secret.
- See also:
CREATE SECRET , DESCRIBE SECRET , DROP SECRET , SHOW SECRETS
Syntax¶
OAuth with Client Credentials Flow:
ALTER SECRET [ IF EXISTS ] <name> SET [ API_AUTHENTICATION = <security_integration_name> ] [ OAUTH_SCOPES = ( '<scope_1>' [ , '<scope_2>' ... ] ) ] [ ENABLED = { TRUE | FALSE } ] [ COMMENT = '<string_literal>' ] ALTER SECRET [ IF EXISTS ] <name> UNSET { ENABLED | COMMENT }
OAuth with Code Grant Flow:
ALTER SECRET [ IF EXISTS ] <name> SET [ OAUTH_REFRESH_TOKEN = '<token>' ] [ OAUTH_REFRESH_TOKEN_EXPIRY_TIME = '<string_literal>' ] [ API_AUTHENTICATION = <security_integration_name> ] [ ENABLED = { TRUE | FALSE } ] [ COMMENT = '<string_literal>' ] ALTER SECRET [ IF EXISTS ] <name> UNSET { ENABLED | COMMENT }
Basic Authentication:
ALTER SECRET [ IF EXISTS ] <name> SET [ USERNAME = '<username>' ] [ PASSWORD = '<password>' ] [ ENABLED = { TRUE | FALSE } ] [ COMMENT = '<string_literal>' ] ALTER SECRET [ IF EXISTS ] <name> UNSET { ENABLED | COMMENT }
OAuth with Client Credentials or Authorization Code Flow Parameters¶
name
String that specifies the identifier (i.e. name) for the secret, must be unique in your schema.
SET ...
Specifies one (or more) parameters to set (separated by blank spaces, commas, or new lines).
API_AUTHENTICATION = security_integration_name
Specifies the
name
value of the Snowflake security integration that connects Snowflake to an external service.OAUTH_SCOPES = ( 'scope_1' [ , 'scope_2' ... ] )
Specifies a comma-separated list of scopes to use when making a request from the OAuth server by a role with USAGE on the integration during the OAuth client credentials flow.
This list must be a subset of the scopes defined in the
OAUTH_ALLOWED_SCOPES
property of the security integration. If theOAUTH_SCOPES
property values are not specified, the secret inherits all of the scopes that are specified in the security integration.
OAuth with Code Grant Flow Parameters¶
name
String that specifies the identifier (i.e. name) for the secret, must be unique in your schema.
SET ...
Specifies one (or more) parameters to set (separated by blank spaces, commas, or new lines).
OAUTH_REFRESH_TOKEN = 'token'
Specifies the token as a string that is used to obtain a new access token from the OAuth authorization server when the access token expires.
OAUTH_REFRESH_TOKEN_EXPIRY_TIME = 'string_literal'
Specifies the timestamp as a string when the OAuth refresh token expires.
API_AUTHENTICATION = security_integration_name
Specifies the
name
value of the Snowflake security integration that connects Snowflake to an external service.
Basic Authentication Parameters¶
name
String that specifies the identifier (i.e. name) for the secret, must be unique in your schema.
SET ...
Specifies one (or more) parameters to set for the session (separated by blank spaces, commas, or new lines).
USERNAME = 'username'
Specifies the username value to store in the secret.
Specify this property value when using a secret for basic authentication (i.e. the secret is
TYPE = PASSWORD
).PASSWORD = 'password'
Specifies the password value to store in the secret.
Specify this property value when using a secret for basic authentication (i.e. the secret is
TYPE = PASSWORD
).
Common Parameters: All Syntaxes¶
SET ...
Specifies one (or more) parameters to set for the session (separated by blank spaces, commas, or new lines).
ENABLED = TRUE | FALSE
Specifies whether to make the secret available for use.
TRUE
allows using the secret.FALSE
suspends using the secret. Any object that calls the secret (e.g. external function) fails to work.
Default:
TRUE
.COMMENT = 'string_literal'
String (literal) that specifies a comment for the secret.
Default: No value
UNSET ...
Specifies one (or more) properties/parameters to unset for the secret, which resets them back to their defaults:
ENABLED
COMMENT
Access Control Requirements¶
A role used to execute this SQL command must have the following privileges at a minimum:
Privilege |
Object |
Notes |
---|---|---|
OWNERSHIP |
Secret |
OWNERSHIP is a special privilege on an object that is automatically granted to the role that created the object, but can also be transferred using the GRANT OWNERSHIP command to a different role by the owning role (or any role with the MANAGE GRANTS privilege). |
Note that operating on any object in a schema also requires the USAGE privilege on the parent database and schema.
For instructions on creating a custom role with a specified set of privileges, see Creating Custom Roles.
For general information about roles and privilege grants for performing SQL actions on securable objects, see Overview of Access Control.
Usage Notes¶
Currently, the secret object can only be used in the context of the ServiceNow connector. For details, refer to the Snowflake Connector for ServiceNow.
Regarding metadata:
Attention
Customers should ensure that no personal data (other than for a User object), sensitive data, export-controlled data, or other regulated data is entered as metadata when using the Snowflake service. For more information, see Metadata Fields in Snowflake.