What & Why
Snowflake authentication policies now govern Programmatic Access Tokens (PATs), but snowcap's AuthenticationPolicy can't express any of it:
AuthenticationMethods enum (snowcap/resources/authentication_policy.py) only has ALL, PASSWORD, SAML, OAUTH, KEYPAIR — no PROGRAMMATIC_ACCESS_TOKEN.
- No
PAT_POLICY property (network_policy_evaluation, default_expiry_in_days, max_expiry_in_days).
So any policy that allows or constrains PAT usage has to be written as manual SQL. (Creating PATs themselves is inherently non-declarative — the secret is returned exactly once — so that's out of scope; this issue is only about the policy side.)
Example of what we'd like to declare:
CREATE AUTHENTICATION POLICY service_user_auth_policy
AUTHENTICATION_METHODS = ('PROGRAMMATIC_ACCESS_TOKEN', 'KEYPAIR')
PAT_POLICY = (
NETWORK_POLICY_EVALUATION = ENFORCED_REQUIRED,
DEFAULT_EXPIRY_IN_DAYS = 30,
MAX_EXPIRY_IN_DAYS = 365
);
Acceptance Criteria
Resources
What & Why
Snowflake authentication policies now govern Programmatic Access Tokens (PATs), but snowcap's
AuthenticationPolicycan't express any of it:AuthenticationMethodsenum (snowcap/resources/authentication_policy.py) only hasALL, PASSWORD, SAML, OAUTH, KEYPAIR— noPROGRAMMATIC_ACCESS_TOKEN.PAT_POLICYproperty (network_policy_evaluation,default_expiry_in_days,max_expiry_in_days).So any policy that allows or constrains PAT usage has to be written as manual SQL. (Creating PATs themselves is inherently non-declarative — the secret is returned exactly once — so that's out of scope; this issue is only about the policy side.)
Example of what we'd like to declare:
Acceptance Criteria
PROGRAMMATIC_ACCESS_TOKENadded toAuthenticationMethodspat_policyproperty supported (network_policy_evaluation,default_expiry_in_days,max_expiry_in_days)Resources
snowcap/resources/authentication_policy.pylines 11–16 (enum), no PAT_POLICY prop