Snowflake Admin Series: Authentication Policies


I am back with another security feature, which is currently in private preview, as part of my Snowflake Admin series. Firstly, I would like to apologize for my long break, but never mind, I am back now with my blogs for you. I hope you will like it, as always. This feature is available to all accounts, regardless of which Snowflake edition you are using.

Before we go deeper into this feature, let me tell you a short story.

Rob: Rajiv, I am fed up telling these project team members not to use the Snowflake Web UI with the service account that was dedicated to the deployment pipeline, but they always log in manually and fix deployment issues. How do I stop them from doing this?

Rajiv: Have you heard of Snowflake's latest feature, Authentication Policies?

Rob: No, why?

Rajiv: It can help you restrict a particular Snowflake user (human/non-human) and gives you control over how a client or user authenticates by allowing you to specify their login type.

Rob: Really? Is that true? This can seriously resolve my issue. Thanks, Rajiv!

Rob: But how will this get replicated to my DR account? Is this enhancement supported as part of replication?

Rajiv: Yes, it is supported!

Rob: Thanks, how can I get this latest information?

Rajiv: Follow me, and you will never miss any feature update :).

What are Authentication Policies?

Authentication policies give you control over how a particular user or client is allowed to connect. This narrows the security perimeter and the scope of a security lapse by reducing the number of access paths.

  1. Restrict a client/user to one or more of the ways they can connect to Snowflake: Snowsight or the Classic Console, drivers, or SnowSQL (CLI client).
  2. You can also decide on the allowed authentication methods, such as SAML, passwords, OAuth, or key pair authentication.
  3. If you have multiple IdPs set up for a particular user, you can also decide to allow or restrict them to use either of them or both.

Where can you apply Authentication Policies?

You can apply authentication policies at the following two levels:

  1. Account Level — Applies to all users in the account, unless explicitly overridden at the user level.
  2. User Level — Applies to that particular user only. Inherits the account default if nothing is set at the user level.

What are the use cases for this feature?

All use cases revolve around the way or method of authentication for users in Snowflake. Below are some examples from the Snowflake documentation.

  • You want to control the user login flows when there are multiple login options.
  • You want to control the authentication methods, specific client types, and security integrations available for specific users or all users.
  • You have customers building services on top of Snowflake using Snowflake drivers, but the customers do not want their users accessing Snowflake through Snowsight or the Classic Console.
  • You want to offer multiple identity providers as authentication options for specific users.

Which policy gets precedence over the others?

Below is the precedence of one policy over another when all of them are defined.

How about a quick demo?

How can we create Authentication Policies at different levels?

Below are the two different ways you can apply authentication policies, at account level or at user level.

-- Create the account-level authentication policy.
-- Authentication policies are schema-level objects, so create them inside a
-- schema (the grants section further down uses AUTHENTICATIONPOLICY_DB.DEMO).
USE SCHEMA AUTHENTICATIONPOLICY_DB.DEMO;

CREATE OR REPLACE AUTHENTICATION POLICY ACC_AUTH_POL_01
  -- Allowed values: ALL | SNOWFLAKE_UI | SNOWSQL | DRIVERS
  CLIENT_TYPES = ('ALL')
  -- Allowed values: ALL | SAML | PASSWORD | OAUTH | KEYPAIR
  AUTHENTICATION_METHODS = ('ALL')
  -- ALL, or the names of specific security integrations
  -- (integration types: API_AUTHENTICATION | EXTERNAL_OAUTH | OAUTH | SAML2 | SCIM)
  SECURITY_INTEGRATIONS = ('ALL')
  COMMENT = 'Account Level Authentication Policy';

-- Set at account level
ALTER ACCOUNT SET AUTHENTICATION POLICY ACC_AUTH_POL_01;

-- Create the user-level authentication policy.
-- This one leaves SNOWFLAKE_UI out of CLIENT_TYPES, which is what blocks the
-- Web UI login shown in the demo below.
CREATE OR REPLACE AUTHENTICATION POLICY USR_AUTH_POL_01
  -- Allowed values: ALL | SNOWFLAKE_UI | SNOWSQL | DRIVERS
  CLIENT_TYPES = ('DRIVERS', 'SNOWSQL')
  -- Allowed values: ALL | SAML | PASSWORD | OAUTH | KEYPAIR
  AUTHENTICATION_METHODS = ('ALL')
  -- ALL, or the names of specific security integrations
  SECURITY_INTEGRATIONS = ('ALL')
  COMMENT = 'User Level Authentication Policy';

-- Set at user level
ALTER USER RAJIVG SET AUTHENTICATION POLICY USR_AUTH_POL_01;
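To show how the two levels work together for Rob's problem from the story, here is an added example (my own, not the policy DDL from the original post): the deployment service account is pinned to drivers and key pair authentication only, while the account default for human users is SSO through a single SAML integration. The user name DEPLOY_SVC and the integration name OKTA_SAML_INT are assumed placeholders.

```sql
-- Added example: one policy per user population.
-- Assumed names: DEPLOY_SVC (service user), OKTA_SAML_INT (SAML2 integration).
USE SCHEMA AUTHENTICATIONPOLICY_DB.DEMO;

-- Service account for the deployment pipeline: drivers only, key pair only.
-- Interactive logins through Snowsight/Classic Console or SnowSQL, and any
-- password login with this account, are refused at authentication time.
CREATE OR REPLACE AUTHENTICATION POLICY SVC_DRIVERS_KEYPAIR_POL
  CLIENT_TYPES = ('DRIVERS')
  AUTHENTICATION_METHODS = ('KEYPAIR')
  COMMENT = 'Service accounts: drivers + key pair only';

-- Key pair auth needs a public key on the user; placeholder value shown.
-- ALTER USER DEPLOY_SVC SET RSA_PUBLIC_KEY = '<public-key-placeholder>';
ALTER USER DEPLOY_SVC SET AUTHENTICATION POLICY SVC_DRIVERS_KEYPAIR_POL;

-- Human users (account default): Web UI and SnowSQL, SAML only, and only
-- through the named SAML2 integration, so local passwords stop working.
CREATE OR REPLACE AUTHENTICATION POLICY HUMAN_SAML_POL
  CLIENT_TYPES = ('SNOWFLAKE_UI', 'SNOWSQL')
  AUTHENTICATION_METHODS = ('SAML')
  SECURITY_INTEGRATIONS = ('OKTA_SAML_INT')
  COMMENT = 'Human users: SSO through a single IdP, no local passwords';

ALTER ACCOUNT SET AUTHENTICATION POLICY HUMAN_SAML_POL;
```

Order matters here: attach the user-level policy to the service account before tightening the account default, and make sure the login path the administrator performing the change relies on (for example SAML through OKTA_SAML_INT) is still allowed by the new account-level policy, otherwise you can lock yourself out along with the users you meant to restrict.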

How do you enable a custom role for authentication policy setup?

GRANT CREATE AUTHENTICATION POLICY ON SCHEMA AUTHENTICATIONPOLICY_DB.DEMO TO ROLE <CUSTOM_ROLE>;

GRANT APPLY AUTHENTICATION POLICY ON ACCOUNT TO ROLE <CUSTOM_ROLE>;

Below is how a user is blocked from logging in when the Web UI is not one of the approved CLIENT_TYPES in the authentication policy.
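Beyond the error the user sees, you will want to see these rejected logins on the admin side. The query below is an added example (not from the original post) that reads the ACCOUNT_USAGE login history; the filter on the error text is an assumption about how the rejection is worded, so check a real rejected row first and adjust the pattern.

```sql
-- Added example: surface logins refused by an authentication policy.
-- Assumes the role has access to the SNOWFLAKE.ACCOUNT_USAGE share and that
-- the rejection message mentions the policy (pattern is an assumption).
SELECT
    event_timestamp,
    user_name,
    reported_client_type,        -- e.g. SNOWFLAKE_UI, SNOWSQL, a driver name
    first_authentication_factor, -- e.g. PASSWORD, RSA_KEYPAIR, SAML
    client_ip,
    error_code,
    error_message
FROM snowflake.account_usage.login_history
WHERE is_success = 'NO'
  AND event_timestamp >= DATEADD('day', -7, CURRENT_TIMESTAMP())
  AND error_message ILIKE '%authentication policy%'
ORDER BY event_timestamp DESC;
```

Grouping the same result by user_name and reported_client_type is a quick way to find a service account that someone keeps trying to use from the Web UI, which is exactly Rob's case from the story.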

Things to remember:

  1. To amend an authentication policy, fetch the existing definition before writing the new one. Amending a policy overwrites its previous behavior, so if you are not careful you may end up losing the existing policy definition. The existing policy can be fetched using DESCRIBE or the GET_DDL function.
  2. Only the SECURITYADMIN role, or a higher role, has this privilege by default. The privilege can be granted to additional custom roles as needed.
  3. An account-level authentication policy applies to all users in the account, whereas a user-level policy applies to that particular user only. If a policy is set at both levels, the user-level policy takes precedence over the account-level one.
  4. Authentication policy references for users are replicated when the database containing the policy (ALLOWED_DATABASES = policy_db) and USERS are both specified in a replication group or failover group. The authentication policy itself is replicated as part of the database object.
  5. The Snowflake authentication policy DDL reference can be found in the Snowflake documentation.
  6. You need to unset the authentication policy from the user first before it can be dropped.
  7. Use the SHOW command to list all authentication policies:
SHOW AUTHENTICATION POLICIES;
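Points 1, 6 and 7 above describe one maintenance procedure: inspect, amend, verify, and retire. The script below is an added example (mine, not from the original post) that walks through it for the USR_AUTH_POL_01 policy and the RAJIVG user created earlier. The POLICY_REFERENCES call assumes that function reports user-level authentication policy attachments the same way it does for password policies; verify that against the documentation for your release.

```sql
-- Added example: safe amend / verify / retire cycle for one policy.
USE SCHEMA AUTHENTICATIONPOLICY_DB.DEMO;

-- 1. Record the current definition before touching anything, so the old
--    allow-lists can be restored if the change goes wrong.
DESCRIBE AUTHENTICATION POLICY USR_AUTH_POL_01;

-- 2. Amend only the property that needs to change. SET replaces the whole
--    list for that property, so restate every value you still want to allow.
ALTER AUTHENTICATION POLICY USR_AUTH_POL_01
  SET CLIENT_TYPES = ('DRIVERS', 'SNOWSQL');

-- 3. Confirm which policy is actually attached to the user
--    (assumption: POLICY_REFERENCES covers authentication policies on users).
SELECT policy_name, policy_kind, ref_entity_name, ref_entity_domain
FROM TABLE(AUTHENTICATIONPOLICY_DB.INFORMATION_SCHEMA.POLICY_REFERENCES(
        REF_ENTITY_NAME   => 'RAJIVG',
        REF_ENTITY_DOMAIN => 'USER'));

-- 4. List every authentication policy in the account.
SHOW AUTHENTICATION POLICIES;

-- 5. Retire the policy: detach it from every user it is set on first,
--    otherwise the DROP is refused.
ALTER USER RAJIVG UNSET AUTHENTICATION POLICY;
DROP AUTHENTICATION POLICY USR_AUTH_POL_01;
```

If step 5 still fails, run the POLICY_REFERENCES check from step 3 with the policy name instead of the user name to find the remaining references before dropping.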

I hope this blog helps you get insight into the authentication policy feature. If you are interested in learning more about Snowflake authentication policies, refer to the Snowflake documentation. Feel free to ask a question in the comment section if you have any doubts. Give a clap if you like the blog, and stay connected to see many more such cool features. Thanks for your support.

You Can Find Me:

Subscribe to my YouTube Channel: https://www.youtube.com/c/RajivGuptaEverydayLearning

Follow me on Medium: https://rajivgupta780184.medium.com/

Follow me on X (formerly known as Twitter): https://twitter.com/RAJIVGUPTA780

Connect with me in LinkedIn: https://www.linkedin.com/in/rajiv-gupta-618b0228/

#Keep learning #Keep Sharing #Everyday Learning.
