Snowflake Sessions & Session Policies
This topic describes Snowflake sessions and session policies and provides instructions for configuring session policies at the account or user level.
Snowflake Sessions
A session begins when a user connects to Snowflake and authenticates successfully using a Snowflake programmatic client, Snowsight, or the Classic Console. A session is independent of an identity provider (i.e. IdP) session. If the Snowflake session expires but the IdP session remains active, a user can log in to Snowflake without entering their login credentials again (i.e. silent authentication).
A session is maintained indefinitely with continued user activity. After a period of inactivity in the session, known as the idle session timeout, the user must authenticate to Snowflake again. The idle session timeout has a maximum value of four hours and a session policy can modify the idle session timeout period. The idle session timeout applies to the following:
- Supported connectors and drivers.
- Third-party clients that connect to Snowflake using a supported connector or driver.
Snowflake recommends reusing existing sessions when possible and closing the connection to Snowflake when a session is no longer needed.
Snowsight Sessions
Snowflake creates a new session for each worksheet in Snowsight. A worksheet session enforces the session policy that applies to the user that creates the worksheet.
Caution
Active queries are not canceled when the session ends and the user is logged out, even if the ABORT_DETACHED_QUERY parameter is set to true.
Classic Console Sessions
In the Worksheets tab, Snowflake creates a new session every time a new worksheet is created. Each worksheet is limited to a maximum of 4 hours of idle behavior, and the idle timeout for each worksheet is tracked separately.
When a worksheet is closed, the user session for the worksheet ends.
After the 4-hour time limit expires for any open worksheet, Snowflake logs the user out of the web interface.
Note
Note that passive behaviors such as scrolling through the query result set or sorting a data set do not reset the idle session timeout tracker.
To prevent a session from closing too early and being logged out of the Classic Console, save any necessary SQL statements to a local file and close any open worksheets that are not in use.
Monitor Session Usage
You can monitor active sessions and session usage using Snowsight or a SQL view. You can view your own sessions, or use a role with access to view the SESSIONS view to view sessions for your account. See ACCOUNT_USAGE schema SNOWFLAKE database roles.
- SQL:
Query the SESSIONS view in the ACCOUNT USAGE schema of the shared SNOWFLAKE database to monitor session usage.
- Snowsight:
Select Admin » Security, and then select Sessions. You can review the session ID, user name, start time, client driver in use for the session, client net address, and authentication method. Hover over the start time to view the exact date and time that the session started, in your local time zone.
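A query of the kind described above, as an added example that is not part of the original documentation. It assumes the current role can read the SESSIONS and LOGIN_HISTORY views in SNOWFLAKE.ACCOUNT_USAGE; the 7-day window and the join to LOGIN_HISTORY for the client IP address are choices made for this example.

```sql
-- Added example: sessions opened in the last 7 days, summarized per user,
-- authentication method and client. A user with many sessions, an
-- unexpected authentication method, or sessions from many distinct client
-- addresses is worth a closer look.
SELECT
    s.user_name,
    s.authentication_method,
    s.client_application_id,
    COUNT(*)                     AS sessions_opened,
    COUNT(DISTINCT l.client_ip)  AS distinct_client_ips,
    MIN(s.created_on)            AS first_session_start,
    MAX(s.created_on)            AS last_session_start
FROM snowflake.account_usage.sessions AS s
-- Each session records the login event that created it; LOGIN_HISTORY
-- holds the client IP address for that event.
LEFT JOIN snowflake.account_usage.login_history AS l
       ON l.event_id = s.login_event_id
WHERE s.created_on >= DATEADD(day, -7, CURRENT_TIMESTAMP())
GROUP BY
    s.user_name,
    s.authentication_method,
    s.client_application_id
ORDER BY sessions_opened DESC;
```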
Session Policies
A session policy defines the idle session timeout period in minutes and provides the option to override the default idle timeout value. The timeout period begins upon a successful authentication to Snowflake. The minimum configurable idle timeout value for a session policy is 5 minutes.
If a session policy is not set, Snowflake uses a default value of 240 minutes (four hours).
When the session expires, the user must authenticate to Snowflake again. However, Snowflake does not enforce any setting defined by the Custom logout endpoint.
The session policy can be set for an account or user with configurable idle timeout periods to address compliance requirements. If a user is associated with both an account-level and a user-level session policy, the user-level session policy takes precedence. After the session policy is set on the account or user, Snowflake enforces the session policy.
There are two properties that govern the session policy behavior:
- SESSION_IDLE_TIMEOUT_MINS for programmatic and Snowflake Clients.
- SESSION_UI_IDLE_TIMEOUT_MINS for the Classic Console and Snowsight.
For more information, see Managing session policies.
Secondary roles in a session policy
When a user connects to Snowflake and the session begins, the user can activate secondary roles with a USE SECONDARY ROLES command. However, as a security administrator, you might want to manage the secondary roles that are available to an individual user, groups of users, and the entire account. Managing secondary roles helps to scope the set of privileges available to a user for the duration of the session.
To meet these management needs, you can set the ALLOWED_SECONDARY_ROLES property in a session policy and set the session policy on the account or a user in the account. Then the user can run a USE SECONDARY ROLES command and specify the secondary roles that they can use during the Snowflake session.
For examples, see Specifying secondary roles in a session policy.
Note
When you set the ALLOWED_SECONDARY_ROLES property in a session policy, the enforcement of the secondary roles begins when a new session starts. You can start a new Snowflake session by logging into Snowflake or opening a new worksheet in Snowsight.
Prior to updating the session policy to evaluate secondary roles, consider your workload schedule and the access control for each workload to avoid unnecessary workload disruption.
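The following added example (not part of the original documentation) puts the two timeout properties and ALLOWED_SECONDARY_ROLES together: an account-level baseline policy plus a user-level policy that takes precedence for one user. The database `governance`, schema `policies`, roles `policy_admin` and `analyst_ro`, user `jsmith`, and the timeout values are all assumptions chosen for illustration.

```sql
-- Added example. All object names and timeout values are hypothetical.
-- Run the grants as a role that is allowed to grant these privileges;
-- policy_admin is assumed to already have USAGE on governance.policies.
GRANT CREATE SESSION POLICY ON SCHEMA governance.policies TO ROLE policy_admin;
GRANT APPLY SESSION POLICY ON ACCOUNT TO ROLE policy_admin;

USE ROLE policy_admin;

-- Account baseline: 30 minutes idle for drivers and clients, 15 minutes
-- idle for Snowsight and the Classic Console, no secondary roles.
CREATE SESSION POLICY governance.policies.account_baseline
  SESSION_IDLE_TIMEOUT_MINS = 30
  SESSION_UI_IDLE_TIMEOUT_MINS = 15
  ALLOWED_SECONDARY_ROLES = ()
  COMMENT = 'Account-wide idle timeouts; secondary roles disallowed';

ALTER ACCOUNT SET SESSION POLICY governance.policies.account_baseline;

-- User-level policy: takes precedence over the account policy for jsmith.
-- Longer client timeout and exactly one permitted secondary role.
CREATE SESSION POLICY governance.policies.jsmith_policy
  SESSION_IDLE_TIMEOUT_MINS = 60
  SESSION_UI_IDLE_TIMEOUT_MINS = 15
  ALLOWED_SECONDARY_ROLES = (analyst_ro)
  COMMENT = 'Per-user override for jsmith';

ALTER USER jsmith SET SESSION POLICY governance.policies.jsmith_policy;

-- Confirm where each policy is attached.
SELECT *
FROM TABLE(governance.INFORMATION_SCHEMA.POLICY_REFERENCES(
       policy_name => 'governance.policies.jsmith_policy'));

-- In a NEW session started by jsmith (enforcement begins at session start),
-- only the allowed secondary role can be activated:
USE SECONDARY ROLES analyst_ro;
```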
Considerations
- If a client supports the CLIENT_SESSION_KEEP_ALIVE option and the option is set to TRUE, the client preserves the Snowflake session indefinitely as long as the connection to Snowflake is active. Otherwise, if the option is set to FALSE, the session ends after 4 hours. When possible, avoid using this option since it can result in many open sessions and place a greater demand on resources which can lead to a performance degradation.
- You can use the CLIENT_SESSION_KEEP_ALIVE_HEARTBEAT_FREQUENCY parameter to specify the number of seconds between client attempts to update the token for the session.
- The web interface session can be refreshed as Snowflake objects continue to be used, such as executing DDL and DML statements. Snowflake checks for this behavior every 30 seconds.
- Creating a new worksheet or opening an existing worksheet continues to use the established user session but with its idle session timeout reset to 0.
Limitations
- Future grants:
Future grants of privileges on session policies are not supported.
As a workaround, grant the APPLY SESSION POLICY privilege to a custom role to allow that role to apply session policies on a user or the Snowflake account.