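Snowflake token authentication for Snowflake Postgres

Snowflake lets users generate short-lived access tokens for logging in to Snowflake Postgres instances. At the instance level this is called Snowflake authorization, and it is set up in the following three steps:

  1. Enable Snowflake authorization for the Snowflake Postgres instance.
  2. On the Snowflake Postgres instance, create a mapping between a Postgres user and a Snowflake user.
  3. The mapped Snowflake user then generates a short-lived access token to log in to the Snowflake Postgres instance.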

Note

Snowflake token authentication for Snowflake Postgres is a separate feature from the Snowflake OAuth and programmatic access token authentication methods.

Enabling and disabling Snowflake authorization on a Snowflake Postgres instance

To enable Snowflake authorization at instance creation time, enable the Snowflake auth option in the Snowflake Postgres New instance dialogue when creating a new instance.

To enable or disable Snowflake authorization for an existing instance, do the following:

  1. In the navigation menu, select Postgres.
  2. Select your instance.
  3. On the instance's details page in the dashboard, open the Manage dropdown menu at the top right and select Enable Snowflake auth or Disable Snowflake auth.
  4. In the confirmation dialogue that appears, select Enable or Disable.

Important

Disabling Snowflake authorization on an instance only prevents Snowflake users from creating new short-lived access tokens. Users who hold a valid token can still establish new connections until the token expires, and existing connections are kept.

After Snowflake authorization is disabled, Postgres users mapped to Snowflake users will not be able to use standard Postgres authentication until their mappings have been removed as described in Creating a mapping between a Postgres user and a Snowflake user below.

Creating a mapping between a Postgres user and a Snowflake user

To create a mapping between a Postgres user and a Snowflake user, log in to your Postgres instance as the snowflake_admin user and run:

ALTER USER {postgres_user} SET snowflake_user = '{snowflake_user}';

The {postgres_user} and {snowflake_user} names supplied in the above statement are treated as case-insensitive. If case sensitivity is required, place the names in double quotes. For example, to map a Postgres user named Casey to a Snowflake user of the same name:

ALTER USER "Casey" SET snowflake_user = '"Casey"';

To remove a mapping between a Postgres user and a Snowflake user, log in to your Postgres instance as the snowflake_admin user and run:

ALTER USER {postgres_user} RESET snowflake_user;

To view the existing mappings between Postgres users and Snowflake users, log in to your Postgres instance as the snowflake_admin user and query the SNOWFLAKE_AUTH.IDENTITY_MAPPING Postgres view.

Note

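A Postgres user with an established Snowflake user mapping can log in only with a generated short-lived access token. They cannot connect with a Postgres password and cannot change their Postgres password. To re-enable standard password login for a given Postgres user, the mapping to the Snowflake user must be removed.

Creating a short-lived access token for a mapped Snowflake user

Snowflake Postgres instance owners and Snowflake users with the USAGE privilege granted on a given instance can create short-lived access tokens for themselves, on a per-instance basis, for instances that have Snowflake authorization enabled per the instructions above in Enabling and disabling Snowflake authorization on a Snowflake Postgres instance.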

  1. In the navigation menu, select Postgres.
  2. Select your instance.
  3. In the Manage menu at the top right, select Regenerate token.
  4. In the presented Regenerate token dialogue, enter the name of a Postgres user that has been mapped to your Snowflake user and select Acknowledge & continue.
  5. Copy the presented short-lived access token or Postgres URI to use for establishing new connections to the Snowflake Postgres instance within the next 15 minutes.

SNOWFLAKE_AUTH.IDENTITY_MAPPING Postgres view

This Snowflake Postgres view can be queried for a list of all mappings between Postgres users and Snowflake users on the instance.

Note

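This view can only be queried from inside the Snowflake Postgres instance; it cannot be queried directly from Snowflake.

| Column name | Data type | Description |
| postgres_role | name | The name of the mapped Postgres user. |
| snowflake_identity | text | The Snowflake user identity in USER:# form, where # is the mapped Snowflake user's user_id value seen in the USERS view. |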
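
The following audit queries are an added example, not part of the original documentation. They show which login-capable Postgres roles are restricted to short-lived access tokens and which still accept standard Postgres authentication, which is worth checking before disabling Snowflake authorization because mapped roles stay restricted until their mapping is reset. Assumptions: the view is reachable under the unquoted name SNOWFLAKE_AUTH.IDENTITY_MAPPING with the two columns described above, and the session is logged in as snowflake_admin; pg_roles is the standard Postgres catalog view.

```sql
-- Added example (not from the original documentation).
-- Assumption: the view and its columns are addressable exactly as named on this page.

-- 1. Every role that can log in, with its Snowflake mapping if one exists.
--    Roles with a mapping cannot use a Postgres password; unmapped roles can.
SELECT
    r.rolname            AS postgres_role,
    m.snowflake_identity AS snowflake_identity,   -- USER:# form, NULL when unmapped
    CASE
        WHEN m.postgres_role IS NULL THEN 'standard Postgres authentication'
        ELSE 'short-lived access token only'
    END                  AS login_method
FROM pg_roles AS r
LEFT JOIN SNOWFLAKE_AUTH.IDENTITY_MAPPING AS m
       ON m.postgres_role = r.rolname
WHERE r.rolcanlogin
ORDER BY login_method, r.rolname;

-- 2. Snowflake identities that appear against more than one Postgres role, if any.
--    Each such identity can request tokens for several roles, so review them
--    against the intended least-privilege assignment.
SELECT
    snowflake_identity,
    count(*)                                    AS mapped_roles,
    array_agg(postgres_role ORDER BY postgres_role) AS postgres_roles
FROM SNOWFLAKE_AUTH.IDENTITY_MAPPING
GROUP BY snowflake_identity
HAVING count(*) > 1
ORDER BY mapped_roles DESC;
```

Any role that the first query reports as token-only and that must keep working after Snowflake authorization is disabled needs its mapping removed with ALTER USER {postgres_user} RESET snowflake_user; first.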