Skip to content

feat(authentication_policy): support PROGRAMMATIC_ACCESS_TOKEN method and PAT_POLICY #33

Description

@GClunies

What & Why

Snowflake authentication policies now govern Programmatic Access Tokens (PATs), but snowcap's AuthenticationPolicy can't express any of it:

  • AuthenticationMethods enum (snowcap/resources/authentication_policy.py) only has ALL, PASSWORD, SAML, OAUTH, KEYPAIR — no PROGRAMMATIC_ACCESS_TOKEN.
  • No PAT_POLICY property (network_policy_evaluation, default_expiry_in_days, max_expiry_in_days).

So any policy that allows or constrains PAT usage has to be written as manual SQL. (Creating PATs themselves is inherently non-declarative — the secret is returned exactly once — so that's out of scope; this issue is only about the policy side.)

Example of what we'd like to declare:

CREATE AUTHENTICATION POLICY service_user_auth_policy
  AUTHENTICATION_METHODS = ('PROGRAMMATIC_ACCESS_TOKEN', 'KEYPAIR')
  PAT_POLICY = (
    NETWORK_POLICY_EVALUATION = ENFORCED_REQUIRED,
    DEFAULT_EXPIRY_IN_DAYS    = 30,
    MAX_EXPIRY_IN_DAYS        = 365
  );

Acceptance Criteria

  • PROGRAMMATIC_ACCESS_TOKEN added to AuthenticationMethods
  • pat_policy property supported (network_policy_evaluation, default_expiry_in_days, max_expiry_in_days)
  • Fetch/plan round-trips policies containing these fields without spurious drift
  • Docs page updated

Resources

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions