Hiring!
All posts

Unpacking Snowflake's New User Type Property

Date
  • Jeff Skoldberg
    Principal Consultant at Green Mountain Data Solutions

What is the User Type Property?

When creating or altering a user in Snowflake, there are dozens of properties and parameters that can be set, as explained in Snowflake’s docs. One Object Property that can be set for users is the type property, which can be set to person, service, legacy_service or null.

This property was recently introduced by Snowflake in Q3 2024 to provide a means of tracking the purpose of each user. I believe the new property is also subtle way for Snowflake to encourage customers to use key-pair authentication for service accounts, as we will discuss below.

Defining Each Type

  • person is obviously meant for human users. These users typically log in to Snowflake via SSO (SAML) or simple User / Password authentication. Snowflake's MFA is always recommended for users of type person.
  • service type is meant for service accounts. This type is unique in that it cannot have user / password authentication or MFA. It must use Snowflake's key-pair authentication; therefore common commands and properties related to MFA and Passwords are not allowed. Additionally, users of type service cannot have First, Middle, and Last Name.
Snowflake user type property limitations
  • legacy_service is a service account that can authenticate using a Password or SAML.

What are the Advantages?

Account Hardening

By differentiating between service and legacy_service, we are keeping account security top of mind. Key-pair authentication is widely accepted as more secure than password authentication; flagging each account that is using the less secure approach is good housekeeping, and perhaps a to-do list for future cleanup.

Analyzing Query History

Another benefit of maintaining the Type property for all users is that you can leverage this information for analysis. For example, imagine you want to see query counts against a table split by service type using the Snowflake query history:

select

    users.type = 'PERSON' as is_person,

    count(*)

from snowflake.account_usage.query_history

left join snowflake.account_usage.users

    on query_history.user_name=users.name

where true

    and query_history.query_text ilike '%analytics.public.orders%'

    and start_time > current_date - 30

group by 1

Example Code: Setting the Type Property

Setting the User Type when creating a New User

Setting the type property when creating a user is easy:

create user if not exists my_service_user 

    type = service 

    rsa_public_key = <string>;

Updating the User Type for an Existing User

Imagine we want to set type=service for an existing service account that currently uses Password Auth. When updating an existing existing user, you could do the bare minimum:

alter user my_service_user set

    type = service

    rsa_public_key = <string>

;

In this case we did not unset the password or other incompatible properties; the incompatible properties will be stored but disabled. Setting the user type to legacy_service , person, or null would re-enable those properties.

For good housekeeping, I would suggest the following:

alter user my_service_user unset password;

alter user my_service_user unset first_name;

alter user my_service_user unset middle_name;

alter user my_service_user unset last_name;

alter user my_service_user set disable_mfa = true;

Limitations

As of now (September 2024), the type property is not displayed in Snowsight UI and can only be set with code. Also, the show users command does not display a column for user type, but hopefully it will soon.

The only way to assess a user’s type is with the describe user <username> command, or by querying the snowflake.account_usage.users table.

Conclusion and Recommendations

The new type property in Snowflake is a great way to track user types in your Snowflake account and can act as a means of account hardening in that it forces you to acknowledge where you have service accounts with legacy authentication.

I recommend reviewing every service account in your Snowflake account; set each one as type = service or type = legacy_service. For the legacy_service accounts, create an action plan on how you will update them to type service in the near future.

Jeff Skoldberg
Principal Consultant at Green Mountain Data Solutions
Jeff Skoldberg is a Data and Analytics Consultant with 15+ years experience in automating insights and using data to control business processes. From a technology standpoint, he specializes in Snowflake + dbt + Tableau. From a business topic standpoint, he has experience in Public Utility, Clinical Trials, Publishing, CPG, and Manufacturing. Jeff adds unique value for his supply chain clients, as he is well versed in all topics related to planning, forecasting, inventory and supply chain KPIs. Reach out any time! [email protected]

Get up and running with SELECT in 15 minutes.

Snowflake optimization & cost management platform

Gain visibility into Snowflake usage, optimize performance and automate savings with the click of a button.

Get access now →Book a Demo
SELECT web application screenshot

Want to hear about our latest Snowflake learnings? 
Subscribe to get notified.