Replication: Add support for secret object

Attention

This behavior change is in the 2023_08 bundle.

For the current status of the bundle, refer to Bundle History.

The behavior of replicating a secret is as follows:

Before the change:

The secret object is not included in the database that contains the secret when you replicate the database.

After the change:

You can replicate the secret using a replication or failover group. Specify the database that contains the secret, the database that contains UDFs or procedures that reference the secret, and the integrations that reference the secret in a single replication or failover group.

If you have the database that contains the secret in one replication or failover group and the integration that references the secret in a different replication or failover group then:

  • If you replicate the integration first and then the secret, the operation is successful: all objects are replicated and there are no dangling references.

  • If you replicate the secret before the integration and the secret does not already exist in the target account, a “placeholder secret” is added in the target account to prevent a dangling reference. Snowflake maps the placeholder secret to the integration.

    After you replicate or failover the group that contains the integration and failover the group that contains the secret again, Snowflake updates the target account to replace the placeholder secret with the secret that is referenced in the integration.

  • If you replicate the secret and do not replicate or failover the group that contains the integration, when you decide to failover the target account back to the source account the secret and integration references match and the placeholder secret is not used. This allows you to use the security integration and the secret that contains the credentials.

Ref: 1274

Language: English