Skip to main content
Infisical’s Snowflake dynamic secrets allow you to generate Snowflake user credentials on demand.

Snowflake Prerequisites

1

Open user settings

Select the Governance & Security tab and click on Users & roles.Snowflake User
Dashboard
2

Create a new User

In the top right, click Create userSnowflake User
Dashboard
3

Configure user details

Create a Snowflake user with the USERADMIN role for InfisicalSnowflake Create Service
User
Infisical requires a Snowflake user in your account with the USERADMIN role. This user will act as a service account for Infisical and facilitate the creation of new users as needed.
4

Create a network policy

Programmatic Access Tokens require an attached network policy that defines the IPs allowed to authenticate as this user. Select the Projects tab and click on Workspaces to open the query editor, then paste the following snippet.Go into workspace
CREATE NETWORK POLICY PREVIOUSLY_CREATED_USER
    ALLOWED_IP_LIST = ('0.0.0.0/0')
    COMMENT = 'Allow access from any IP';

ALTER USER INFISICAL set NETWORK_POLICY = 'PREVIOUSLY_CREATED_USER';
Be careful with the IPs you allow in your network policy. Using 0.0.0.0/0 allows access from any IP address, which can be dangerous in production. Prefer restricting the list to only the IP ranges that should be allowed to authenticate (for example, your corporate NAT(s) and/or Infisical’s outbound IPs if you have them).
5

Generate a Programmatic Access Token

Select the Governance & Security tab and click on Users & roles. Then select the user you created in the previous step.Select UserOpen the Programmatic access tokens tab and click Generate new token. Give the token a descriptive name and configure its expiration. Set the role restriction to USERADMIN.Generate Programmatic Access TokenAdd Programmatic Access Token name
6

Copy the Token

Copy the generated token. Snowflake only displays it once, so store it somewhere secure for the next step.Copy Programmatic Access Token
7

Save the Account and Organization identifiers

Click on the Account Menu in the bottom left and take note of your Account and Organization identifiersSnowflake Account And Organization
Identifiers

Set up Dynamic Secrets with Snowflake

1

Open the Secret Overview Dashboard

Open the Secret Overview dashboard and select the environment in which you would like to add a dynamic secret.
2

Click on the 'Add Dynamic Secret' button

Add Dynamic Secret Button
3

Select the Snowflake option in the grid list

Dynamic Secret Modal
4

Provide the required parameters for the Snowflake dynamic secret

Secret Name
string
required
The name you want to reference this secret by
Default TTL
string
required
Default time-to-live for a generated secret (it is possible to modify this value when generating a secret)
Max TTL
string
required
Maximum time-to-live for a generated secret
Account Identifier
string
required
Snowflake account identifier
Organization Identifier
string
required
Snowflake organization identifier
User
string
required
Username of the Infisical service user
Programmatic Access Token
string
required
Programmatic Access Token (PAT) of the Infisical service user used to authenticate with Snowflake
Dynamic Secret Setup Modal
5

(Optional) Modify SQL Statements

Modify SQL Statements Modal
Username Template
string
default:"{{randomUsername}}"
Specifies a template for generating usernames. This field allows customization of how usernames are automatically created.Allowed template variables are:
  • {{randomUsername}}: Random username string.
  • {{unixTimestamp}}: Current Unix timestamp at the time of lease creation.
  • {{identity.name}}: Name of the identity that is generating the lease.
  • {{dynamicSecret.name}}: Name of the associated dynamic secret.
  • {{dynamicSecret.type}}: Type of the associated dynamic secret.
  • {{random N}}: Random string of N characters.
Allowed template functions are:
  • truncate: Truncates a string to a specified length.
  • replace: Replaces a substring with another value.
  • uppercase: Converts a string to uppercase.
  • lowercase: Converts a string to lowercase.
Examples:
{{ randomUsername }}                                            // 3POnzeFyK9gW2nioK0q2gMjr6CZqsRiX
{{ unixTimestamp }}                                             // 17490641580
{{ identity.name }}                                             // <identity-name>
{{ random 5 }}                                                  // x9K2m
{{ truncate identity.name 4 }}                                  // test
{{ replace identity.name '<identity-name>' 'new-value' }}       // new-value
Customize Statement
string
If you want to provide specific privileges for the generated dynamic credentials, you can modify the SQL statement to your needs.
6

Click 'Submit'

After submitting the form, you will see a dynamic secret created in the dashboard.
7

Generate dynamic secrets

Once you’ve successfully configured the dynamic secret, you’re ready to generate on-demand credentials. To do this, simply click on the ‘Generate’ button which appears when hovering over the dynamic secret item. Alternatively, you can initiate the creation of a new lease by selecting ‘New Lease’ from the dynamic secret lease list section.Dynamic SecretDynamic SecretWhen generating these secrets, it’s important to specify a Time-to-Live (TTL) duration. This will dictate how long the credentials are valid for.Provision Lease
Ensure that the TTL for the lease falls within the maximum TTL defined when configuring the dynamic secret in step 4.
Once you click the Submit button, a new secret lease will be generated and the credentials for it will be shown to you.Provision Lease

Audit or Revoke Leases

Once you have created one or more leases, you will be able to access them by clicking on the respective dynamic secret item on the dashboard. This will allow you to see the lease details and delete the lease ahead of its expiration time. Provision Lease

Renew Leases

To extend the life of the generated dynamic secret lease past its initial time to live, simply click on the Renew button as illustrated below. Provision Lease
Lease renewals cannot exceed the maximum TTL set when configuring the dynamic secret.