CREATE AUTHENTICATION POLICY¶

语法¶

CREATE [ OR REPLACE ] AUTHENTICATION POLICY [ IF NOT EXISTS ] <name>
  [ AUTHENTICATION_METHODS = ( '<string_literal>' [ , '<string_literal>' , ...  ] ) ]
  [ CLIENT_TYPES = ( '<string_literal>' [ , '<string_literal>' , ...  ] ) ]
  [ CLIENT_POLICY = ( <client_type> = ( MINIMUM_VERSION = '<version>' ) [ , ... ] ) ]
  [ SECURITY_INTEGRATIONS = ( '<string_literal>' [ , '<string_literal>' , ... ] ) ]
  [ MFA_ENROLLMENT = { 'REQUIRED' | 'REQUIRED_PASSWORD_ONLY' } ]
  [ MFA_POLICY= ( <list_of_properties> ) ]
  [ PAT_POLICY = ( <list_of_properties> ) ]
  [ WORKLOAD_IDENTITY_POLICY = ( <list_of_properties> ) ]
  [ COMMENT = '<string_literal>' ]

变体语法¶

CREATE OR ALTER AUTHENTICATION POLICY <name>
  [ AUTHENTICATION_METHODS = ( '<string_literal>' [ , '<string_literal>' , ...  ] ) ]
  [ CLIENT_TYPES = ( '<string_literal>' [ , '<string_literal>' , ...  ] ) ]
  [ CLIENT_POLICY = ( <client_type> = ( MINIMUM_VERSION = '<version>' ) [ , ... ] ) ]
  [ SECURITY_INTEGRATIONS = ( '<string_literal>' [ , '<string_literal>' , ... ] ) ]
  [ MFA_ENROLLMENT = { 'REQUIRED' | 'REQUIRED_PASSWORD_ONLY' | 'OPTIONAL' } ]
  [ MFA_POLICY= ( <list_of_properties> ) ]
  [ PAT_POLICY = ( <list_of_properties> ) ]
  [ WORKLOAD_IDENTITY_POLICY = ( <list_of_properties> ) ]
  [ COMMENT = '<string_literal>' ]

必填参数¶

name

为身份验证策略指定 标识符。

此外，标识符必须以字母字符开头，且不能包含空格或特殊字符，除非整个标识符字符串放在双引号内（例如，"My object"）。放在双引号内的标识符也区分大小写。

有关更多信息，请参阅 标识符要求。

可选参数¶

AUTHENTICATION_METHODS = ( 'string_literal' [ , 'string_literal' , ... ] )

小心

通过身份验证方法进行限制可能会产生意想不到的后果，例如阻止驱动程序连接或第三方集成。

登录时允许使用的身份验证方法列表。该参数可接受以下一个或多个值：

ALL

允许所有身份验证方法。

SAML

允许 SAML2 安全集成。如果 SAML 存在，则会显示 SSO 登录选项。如果 SAML 不存在，则不会显示 SSO 登录选项。

PASSWORD

允许用户使用用户名和密码进行身份验证。

OAUTH

允许 External OAuth。

KEYPAIR

允许 密钥对身份验证。

PROGRAMMATIC_ACCESS_TOKEN

允许用户使用 编程访问令牌 进行身份验证。

WORKLOAD_IDENTITY

Allows users to authenticate through workload identity federation.

默认：ALL。

CLIENT_TYPES = ( 'string_literal' [ , 'string_literal' , ... ] )

可使用 Snowflake 进行身份验证的客户端列表。

如果客户端尝试连接，但客户端不是下面列出的有效 CLIENT_TYPES 值之一，则登录尝试失败。

如果您将 MFA_ENROLLMENT 设置为 REQUIRED，则必须在 CLIENT_TYPES 列表中包含 SNOWFLAKE_UI，才能允许用户注册 MFA。

如果要从 CLIENT_TYPES 列表中排除 SNOWFLAKE_UI，则必须将 MFA_ENROLLMENT 设置为 OPTIONAL。

The CLIENT_TYPES property of an authentication policy is a best-effort method to block user logins based on specific clients. It should not be used as the sole control to establish a security boundary. Notably, it does not restrict access to the Snowflake REST APIs.

该参数可接受以下一个或多个值：

ALL

允许所有客户端进行身份验证。

SNOWFLAKE_UI

Snowsight 或 Classic Console，Snowflake Web 界面。

小心

If SNOWFLAKE_UI is not included in the CLIENT_TYPES list while MFA_ENROLLMENT is set to REQUIRED, or MFA_ENROLLMENT is unspecified, MFA enrollment doesn't work。

DRIVERS

Drivers allow access to Snowflake from applications written in supported languages. For example, the Go, JDBC, .NET drivers, and Snowpipe Streaming.

小心

如果 DRIVERS 未列入 CLIENT_TYPES 列表，自动引入可能会停止工作。

SNOWFLAKE_CLI

用于连接到 Snowflake 并管理以开发人员为中心的工作负载和 SQL 操作的 命令行客户端。

SNOWSQL

命令行客户端，用于连接 Snowflake。

默认：ALL。

CLIENT_POLICY = client_type = ( MINIMUM_VERSION = 'version' )

Specifies a policy within the authentication policy that sets the minimum version allowed for each specified client type.

If CLIENT_TYPES is empty, contains ALL, or contains DRIVERS, the CLIENT_POLICY parameter accepts one or more of the following driver clients (and a specific version string). For any driver client that is not specified, the policy implicitly allows any version of that client.

If CLIENT_TYPES contains another value, such as SNOWFLAKE_CLI, and does not also contain DRIVERS, specifying any of the following client types results in an error. You can't create (or alter) an authentication policy such that the CLIENT_TYPES and CLIENT_POLICY parameters aren't compatible.

client_type

One or more valid client type values. This is a different set of values from those that the CLIENT_TYPES parameter accepts. Do not use single quotes for these values.

• JDBC_DRIVER (Snowflake JDBC Driver)

• ODBC_DRIVER (Snowflake ODBC Driver)

• PYTHON_DRIVER (Snowflake Python Driver)

• JAVASCRIPT_DRIVER (Snowflake Javascript Driver)

• C_DRIVER (Libsnowflakeclient C Driver)

• GO_DRIVER (Snowflake Go Driver)

• PHP_DRIVER (Snowflake PHP PDO Driver)

• DOTNET_DRIVER (Snowflake .NET Driver)

• SQL_API (SQL API)

• SNOWPIPE_STREAMING_CLIENT_SDK (Snowpipe Streaming Client SDK)

• PY_CORE (Snowflake Python Core Driver)

• SPROC_PYTHON (Snowflake Python Stored Procedure)

• PYTHON_SNOWPARK (Snowflake Python Snowpark Driver)

• SQL_ALCHEMY (Snowflake SQLAlchemy)

• SNOWPARK (Snowpark)

• SNOWFLAKE_CLIENT (Snowflake Client SDK)

'version'

The minimum accepted version for each specified client type: a sequence of three digits delimited by periods and enclosed by single quotation marks. For example: '1.0.0' or '3.14.1'. Authentication attempts with lower client versions are blocked when this policy is in effect for an account or a user.

The CLIENT_POLICY property of an authentication policy is a best-effort method to block user logins based on specific client versions. It should not be used as the sole control to establish a security boundary.

SECURITY_INTEGRATIONS = ( 'string_literal' [ , 'string_literal' , ... ] )

身份验证策略关联的安全集成列表。当 SAML 或 OAUTH 不在 AUTHENTICATION_METHODS 列表中时，该参数不起作用。

SECURITY_INTEGRATIONS 列表中的所有值必须与 AUTHENTICATION_METHODS 列表中的值兼容。例如，如果 SECURITY_INTEGRATIONS 包含 SAML 安全集成，而 AUTHENTICATION_METHODS 包含 OAUTH，则无法创建身份验证策略。

ALL

允许所有安全集成。

默认：ALL。

MFA_ENROLLMENT = { 'REQUIRED' | 'REQUIRED_PASSWORD_ONLY' | 'OPTIONAL' }

Determines whether a user must enroll in multi-factor authentication. If this value is used, then the CLIENT_TYPES parameter must include SNOWFLAKE_UI, because Snowsight is the only place users can enroll in multi-factor authentication (MFA).

It's possible for the value of the MFA_ENROLLMENT parameter to be REQUIRED_SNOWFLAKE_UI_PASSWORD_ONLY. This value is part of Snowflake's gradual deprecation of single-factor passwords, and cannot be set directly. If you run a DESCRIBE AUTHENTICATION POLICY command and MFA_ENROLLMENT = 'REQUIRED_SNOWFLAKE_UI_PASSWORD_ONLY, then password users must enroll in MFA if they are using Snowsight.

REQUIRED

Human users who are using password or single-sign on (SSO) authentication must enroll in MFA.

REQUIRED_PASSWORD_ONLY

All human users who are using password authentication must enroll in MFA, regardless of the client they are using. Users using SSO authentication are not required to enroll.

OPTIONAL

Retained for backwards compatibility only.

Default: OPTIONAL. For backwards compatibility, you can create an authentication policy without specifying an MFA_ENROLLMENT value, but the actual value that is enforced won't be OPTIONAL because Snowflake is moving toward requiring MFA for all human users. To determine which value is being enforced for an existing authentication policy, run the DESCRIBE AUTHENTICATION POLICY command.

MFA_POLICY= ( list_of_properties )

Specifies the policies that affect how multi-factor authentication (MFA) is enforced. Set this to a space-delimited list of one or more of the following properties and values:

ALLOWED_METHODS = ( { 'ALL' | 'PASSKEY' | 'TOTP' | 'OTP' | 'DUO' } [ , { 'PASSKEY' | 'TOTP' | 'OTP' | 'DUO' } ... ] )

Specifies the multi-factor authentication (MFA) methods that users can use as a second factor of authentication. You can specify more than one method as a comma-delimited list.

ALL

用户可以使用密钥、身份验证器应用程序或 Duo 作为第二个身份验证因素。

PASSKEY

用户可以使用密钥作为第二个身份验证因素。

TOTP

用户可以使用身份验证器应用程序作为第二个身份验证因素。

OTP

User can use a one-time passcode as their second factor of authentication. For more information, see 设置管理员紧急访问权限.

DUO

用户可以使用 Duo 作为第二个身份验证因素。

默认：ALL。

ENFORCE_MFA_ON_EXTERNAL_AUTHENTICATION = { 'ALL' | 'NONE' }

Specifies whether multi-factor authentication (MFA) is required when users authenticate with single sign-on (SSO). To require MFA, specify ALL.

Default: NONE

PAT_POLICY = ( list_of_properties )

指定 编程访问令牌 的策略。将此设置为以下一个或多个属性与值组成的、以空格分隔的列表：

DEFAULT_EXPIRY_IN_DAYS = number_of_days

指定编程访问令牌的默认到期时间（以天为单位）。您可以指定介于 1 到最大到期时间（可通过设置 MAX_EXPIRY_IN_DAYS 指定）之间的值。

默认到期时间为 15 天。

有关更多信息，请参阅 设置默认到期时间。

MAX_EXPIRY_IN_DAYS = number_of_days

指定可为编程访问令牌设置的最长期限（以天为单位）。您可以指定介于默认到期时间（您可以通过设置 DEFAULT_EXPIRY_IN_DAYS 指定）到 365 之间的值。

默认的最长到期时间为 365 天。

备注

如果现有编程访问令牌的到期时间超过了新的最长到期时间，则尝试使用这些令牌进行身份验证将失败。

例如，假设您生成了一个名为 my_token 且到期时间为 7 天的编程访问令牌。如果您稍后将所有令牌的最长到期时间更改为 2 天，则使用 my_token 身份验证将失败，因为令牌的到期时间超过了新的最长到期时间。

有关更多信息，请参阅 设置最长到期时间。

NETWORK_POLICY_EVALUATION = { ENFORCED_REQUIRED | ENFORCED_NOT_REQUIRED | NOT_ENFORCED }

指定如何处理编程访问令牌的网络策略要求。

默认情况下，用户必须遵守具有一个或多个 网络规则 的 网络策略 才能生成或使用编程访问令牌：

• 服务用户（使用 TYPE=SERVICE）必须遵守网络策略才能生成和使用编程访问令牌。

• 人类用户（使用 TYPE=PERSON）必须遵守网络策略才能使用编程访问令牌。

要替换此行为，请将此属性设置为以下值之一：

:code:`ENFORCED_REQUIRED`（默认行为）

用户必须遵守网络策略才能生成和使用编程访问令牌。

如果用户受网络策略的约束，则网络策略将在身份验证期间强制执行。

ENFORCED_NOT_REQUIRED

用户 无需 受网络策略的约束即可生成和使用编程访问令牌。

如果用户受网络策略的约束，则网络策略将在身份验证期间强制执行。

NOT_ENFORCED

用户 无需 受网络策略的约束即可生成和使用编程访问令牌。

如果用户受网络策略的约束，则在身份验证期间 不会 强制执行网络策略。

例如：

PAT_POLICY=(
  DEFAULT_EXPIRY_IN_DAYS=30
  MAX_EXPIRY_IN_DAYS=365
  NETWORK_POLICY_EVALUATION = ENFORCED_NOT_REQUIRED
);

Copy

WORKLOAD_IDENTITY_POLICY = ( list_of_properties )

Specifies the policies for workload identity federation. Set this to a space-delimited list that contains one or more of the following properties and values:

ALLOWED_PROVIDERS = ( { ALL | AWS | AZURE | GCP | OIDC } [ , { AWS | AZURE | GCP | OIDC } ... ] )

Specifies the workload identity providers allowed by the authentication policy during workload identity authentication. If this parameter is omitted, all workload identity providers are allowed.

ALL

Users can authenticate with any supported and configured workload identity provider.

AWS

Users can authenticate with an AWS IAM role or user.

AZURE

Users can authenticate with an Azure Entra ID access token.

GCP

Users can authenticate with a Google-signed ID token.

OIDC

Users can authenticate with an ID token from a configured OIDC provider.

ALLOWED_AWS_ACCOUNTS = ( 'string_literal' [ , 'string_literal' , ... ] )

Specifies the list of AWS account IDs allowed by the authentication policy during workload identity authentication of type AWS.

By default, when a Snowflake service user has a WORKLOAD_IDENTITY of type AWS, then the ARN can reference any AWS account. If this parameter is set, then only ARNs from the specified AWS account IDs are allowed to authenticate.

Each element must be a 12-digit string representing the AWS account ID.

For more information, see View AWS account identifiers (https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-identifiers.html).

ALLOWED_AZURE_ISSUERS = ( 'string_literal' [ , 'string_literal' , ... ] )

Specifies the list of Azure Entra ID issuers allowed by the authentication policy during workload identity authentication of type AZURE.

By default, when a Snowflake service user has a WORKLOAD_IDENTITY of type AZURE, then the issuer can be any Entra ID tenant. If this parameter is set, then only Azure tokens from the specified issuers are allowed to authenticate.

Each element must be a valid Authority URL with following format:

• https://login.microsoftonline.com/tenantId/v2.0

ALLOWED_OIDC_ISSUERS = ( 'string_literal' [ , 'string_literal' , ... ] )

Specifies the list of OIDC issuers allowed by the authentication policy during workload identity authentication of type OIDC.

By default, when a Snowflake service user has a WORKLOAD_IDENTITY of type OIDC, then the issuer can be any valid OIDC issuer. If this parameter is set, then only tokens from the specified OIDC issuers are allowed to authenticate.

Each element must be a valid HTTPS URL that contains scheme, host, and optionally, port number and path components but no query or fragment components. The URL must not contain spaces, and it must not exceed 2048 characters in length.

例如：

WORKLOAD_IDENTITY_POLICY=(
  ALLOWED_PROVIDERS = (AWS, AZURE, GCP, OIDC)
  ALLOWED_AWS_ACCOUNTS = ('123456789012', '210987654321')
  ALLOWED_AZURE_ISSUERS = ('https://login.microsoftonline.com/8c7832f5-de56-4d9f-ba94-3b2c361abe6b/v2.0',
    'https://login.microsoftonline.com/9ebd1ec9-9a78-4429-8f53-5cf870a812d1/v2.0')
  ALLOWED_OIDC_ISSUERS = ('https://my.custom.oidc.issuer/', 'https://another.custom/oidc/issuer')
);

Copy

COMMENT = 'string_literal'

指定策略描述。

访问控制要求¶

用于执行此操作的 角色 必须至少具有以下 权限：

The USAGE privilege on the parent database and schema are required to perform operations on any object in a schema. Note that a role granted any privilege on a schema allows that role to resolve the schema. For example, a role granted CREATE privilege on a schema can create objects on that schema without also having USAGE granted on that schema.

有关创建具有指定权限集的自定义角色的说明，请参阅 创建自定义角色。

有关对 安全对象 执行 SQL 操作的相应角色和权限授予的一般信息，请参阅 访问控制概述。

使用说明¶

• 创建身份验证策略后，您必须使用 ALTER ACCOUNT 或 ALTER USER 命令为账户或用户设置它，然后 Snowflake 才能执行该策略。

• 如果您要更新现有身份验证策略，并且需要查看该策略的定义，请运行 DESCRIBE AUTHENTICATION POLICY 命令或 GET_DDL 函数。

• The OR REPLACE and IF NOT EXISTS clauses are mutually exclusive. They can't both be used in the same statement.

• CREATE OR REPLACE <object> 语句是原子的。也就是说，当对象被替换时，旧对象将被删除，新对象将在单个事务中创建。

Examples¶

创建名为 restrict_client_types_policy 的身份验证策略，该策略仅允许通过 Snowsight 或 Classic Console 访问：

CREATE AUTHENTICATION POLICY restrict_client_types_policy
  CLIENT_TYPES = ('SNOWFLAKE_UI')
  COMMENT = 'Auth policy that only allows access through the web interface';

设置多重身份验证并更新客户端列表：

CREATE OR ALTER AUTHENTICATION POLICY restrict_client_types_policy
  MFA_ENROLLMENT = REQUIRED
  CLIENT_TYPES = ('SNOWFLAKE_UI', 'SNOWFLAKE_CLI');

Create an authentication policy that includes a client policy. The client policy sets the minimum version for two specific driver clients:

CREATE AUTHENTICATION POLICY two_driver_policy
  CLIENT_TYPES = ('DRIVERS')
  CLIENT_POLICY = (
    GO_DRIVER = (MINIMUM_VERSION = '1.14.1'),
    JDBC_DRIVER = (MINIMUM_VERSION = '3.25.0')
    )
  COMMENT = 'JDBC and Go Driver minimum versions';

The following attempt to create an authentication policy fails because the CLIENT_POLICY parameter specifies drivers that are not permitted by the CLIENT_TYPES parameter:

CREATE AUTHENTICATION POLICY go_driver_policy_test
  CLIENT_TYPES = ('SNOWFLAKE_UI', 'SNOWFLAKE_CLI')
  CLIENT_POLICY = (GO_DRIVER = (MINIMUM_VERSION = '1.14.1'));

004800 (22023): Authentication policy can not contain CLIENT_POLICY of 'GO_DRIVER' without including 'DRIVERS' in CLIENT_TYPES.

有关更多示例，请参阅 身份验证策略。