DESCRIBE SECRET

Describes the properties of a secret.

DESCRIBE can be abbreviated to DESC.

See also:

ALTER SECRET , CREATE SECRET , DROP SECRET , SHOW SECRETS

Syntax

{ DESC | DESCRIBE } SECRET <name>
Copy

Parameters

name

Specifies the identifier for the secret to describe. If the identifier contains spaces or special characters, the entire string must be enclosed in double quotes. Identifiers enclosed in double quotes are also case-sensitive.

Output

The command output provides secret properties and metadata in the following columns:

Column

Description

created_on

Date and time when the secret was created.

name

Name of the secret.

schema_name

Name of the schema that contains the secret.

database_name

Name of the database that contains the secret.

owner

Name of the role that owns the secret.

comment

Comment for the secret or NULL if a comment is not specified.

secret_type

Either OAUTH2, PASSWORD, or GENERIC.

username

The username that is stored in the secret.

oauth_access_token_expiry_time

The timestamp as a string when the OAuth access token expires.

oauth_refresh_token_expiry_time

The timestamp as a string when the OAuth refresh token expires or NULL if the secret does not store this value.

oauth_scopes

A comma-separated list of scopes to use when making a request from the OAuth server by a role with USAGE on the integration during the OAuth client credentials flow or NULL if there are no scopes.

integration_name

The name of the External API Authentication integration that is referenced in the secret or NULL if the secret does not reference an External API Authentication integration.

Access control requirements

A role used to execute this SQL command must have the following privileges at a minimum:

Privilege

Object

Notes

USAGE

Secret

Note that operating on any object in a schema also requires the USAGE privilege on the parent database and schema.

For instructions on creating a custom role with a specified set of privileges, see Creating custom roles.

For general information about roles and privilege grants for performing SQL actions on securable objects, see Overview of Access Control.

Usage notes

  • Snowflake never returns the PASSWORD property value.

  • To post-process the output of this command, you can use the RESULT_SCAN function, which treats the output as a table that can be queried.

Examples

Describe the secret:

DESC SECRET service_now_creds_pw;
Copy