ALTER USER … ROTATE PROGRAMMATIC ACCESS TOKEN (PAT)¶

Rotates programmatic access token, generating a new token secret with an extended expiration time, and expiring the existing token secret. The new secret is generated using the same DAYS_TO_EXPIRY property set when the token was first created.

Note

在使用同一用户的编程访问令牌进行身份验证的会话中，您无法轮换编程访问令牌。

See also:: ALTER USER … ADD PROGRAMMATIC ACCESS TOKEN (PAT) , ALTER USER … MODIFY PROGRAMMATIC ACCESS TOKEN (PAT) , ALTER USER … REMOVE PROGRAMMATIC ACCESS TOKEN (PAT) , SHOW USER PROGRAMMATIC ACCESS TOKENS

语法

ALTER USER [ IF EXISTS ] [ <username> ] ROTATE { PROGRAMMATIC ACCESS TOKEN | PAT } <token_name>
  [ EXPIRE_ROTATED_TOKEN_AFTER_HOURS = <integer> ]

参数

username

与令牌关联的用户的名称。

如果省略此参数，则该命令将轮换当前登录的用户（当前会话中的活动用户）的令牌。

ROTATE { PROGRAMMATIC ACCESS TOKEN | PAT } token_name

轮换具有指定名称的编程访问令牌。

You can use the keyword PAT as a shorter way of specifying the keywords PROGRAMMATIC ACCESS TOKEN.

EXPIRE_ROTATED_TOKEN_AFTER_HOURS = integer

将现有令牌密钥的到期时间设置为在指定的小时数后过期。

You can set this to a value of 0 to expire the current token secret immediately.

You can set this to a value in the range of 0 to the number of hours remaining before the current secret expires.

Default: 24

访问控制要求

A role used to execute this operation must have the following privileges at a minimum:

权限	对象	备注
MODIFY PROGRAMMATIC AUTHENTICATION METHODS	用户	仅在为除您自己或服务用户之外的人类用户轮换编程访问令牌时需要。

For instructions on creating a custom role with a specified set of privileges, see Creating custom roles.

For general information about roles and privilege grants for performing SQL actions on securable objects, see Overview of Access Control.

输出

命令输出在以下列中提供有关轮换的编程访问令牌的信息：

Column Description

token_name Name of the rotated token.

Column	Description
`token_name`	Name of the rotated token.
`token_secret`	令牌本身。使用它对端点进行身份验证。 Note 令牌仅出现在 ALTER USER … ROTATE PROGRAMMATIC ACCESS TOKEN 命令的输出中。没有其他 SQL 命令或函数会打印出或返回令牌。 If you need to access this token programmatically, you can use Snowflake Scripting to execute this command and retrieve the token from the RESULTSET.
`rotated_token_name`	代表先前密钥的令牌的名称。您可以使用此令牌对象来确定先前的密钥的有效时间。如果需要，您也可以让该令牌过期。您无法对此令牌进行任何其他类型的更改。请注意，此令牌对象计入每位用户允许的最大令牌数。

token_secret

令牌本身。使用它对端点进行身份验证。

Note

令牌仅出现在 ALTER USER … ROTATE PROGRAMMATIC ACCESS TOKEN 命令的输出中。没有其他 SQL 命令或函数会打印出或返回令牌。

If you need to access this token programmatically, you can use Snowflake Scripting to execute this command and retrieve the token from the RESULTSET.

rotated_token_name

代表先前密钥的令牌的名称。

您可以使用此令牌对象来确定先前的密钥的有效时间。如果需要，您也可以让该令牌过期。您无法对此令牌进行任何其他类型的更改。

请注意，此令牌对象计入每位用户允许的最大令牌数。

使用说明

When you rotate a programmatic access token:
- Snowflake does not verify that the network policy and authentication policy requirements are met.
- If the programmatic access token is restricted to a role, Snowflake does not verify that the user associated with the token has been granted that role.

示例

Rotate a programmatic access token associated with the user example_user:

ALTER USER IF EXISTS example_user ROTATE PROGRAMMATIC ACCESS TOKEN token_name;

Rotate a programmatic access token associated with the user example_user and expire the existing token secret immediately:

ALTER USER IF EXISTS example_user ROTATE PROGRAMMATIC ACCESS TOKEN token_name
  EXPIRE_ROTATED_TOKEN_AFTER_HOURS=0;