docs/documentation/platform/dynamic-secrets/snowflake.mdx
import DynamicSecretUsernameTemplateParamField from "/snippets/documentation/platform/dynamic-secrets/dynamic-secret-username-template-field.mdx";
Infisical's Snowflake dynamic secrets allow you to generate Snowflake user credentials on demand.
<Note>
Infisical requires a Snowflake user in your account with the USERADMIN role.
This user will act as a service account for Infisical and facilitate the
creation of new users as needed.
</Note>
<Step title="Create a network policy">
Programmatic Access Tokens require an attached network policy that defines the IPs allowed to authenticate as this user. Select the **Projects** tab and click on **Workspaces** to open the query editor, then paste the following snippet.

```SQL
CREATE NETWORK POLICY PREVIOUSLY_CREATED_USER
ALLOWED_IP_LIST = ('0.0.0.0/0')
COMMENT = 'Allow access from any IP';
ALTER USER INFISICAL set NETWORK_POLICY = 'PREVIOUSLY_CREATED_USER';
```
<Warning>
Be careful with the IPs you allow in your network policy. Using `0.0.0.0/0` allows access from **any IP address**, which can be dangerous in production. Prefer restricting the list to only the IP ranges that should be allowed to authenticate (for example, your corporate NAT(s) and/or Infisical's outbound IPs if you have them).
</Warning>
</Step>

Open the **Programmatic access tokens** tab and click **Generate new token**. Give the token a descriptive name and configure its expiration. Set the role restriction to **USERADMIN**.


<Step title="Copy the Token">
Copy the generated token. Snowflake only displays it once, so store it somewhere secure for the next step.

</Step>
<ParamField path="Default TTL" type="string" required>
Default time-to-live for a generated secret (it is possible to modify this value when generating a secret)
</ParamField>
<ParamField path="Max TTL" type="string" required>
Maximum time-to-live for a generated secret
</ParamField>
<ParamField path="Account Identifier" type="string" required>
Snowflake account identifier
</ParamField>
<ParamField path="Organization Identifier" type="string" required>
Snowflake organization identifier
</ParamField>
<ParamField path="User" type="string" required>
Username of the Infisical service user
</ParamField>
<ParamField path="Programmatic Access Token" type="string" required>
Programmatic Access Token (PAT) of the Infisical service user used to authenticate with Snowflake
</ParamField>

</Step>
<Step title="(Optional) Modify SQL Statements">

<DynamicSecretUsernameTemplateParamField />
<ParamField path="Customize Statement" type="string">
If you want to provide specific privileges for the generated dynamic credentials, you can modify the SQL
statement to your needs.
<Step title="Click 'Submit'">
After submitting the form, you will see a dynamic secret created in the dashboard.
</Step>
<Step title="Generate dynamic secrets">
Once you've successfully configured the dynamic secret, you're ready to generate on-demand credentials.
To do this, simply click on the 'Generate' button which appears when hovering over the dynamic secret item.
Alternatively, you can initiate the creation of a new lease by selecting 'New Lease' from the dynamic secret
lease list section.


When generating these secrets, it's important to specify a Time-to-Live (TTL) duration. This will dictate how
long the credentials are valid for.

<Tip>
Ensure that the TTL for the lease falls within the maximum TTL defined when configuring the dynamic secret in
step 4.
</Tip>
Once you click the `Submit` button, a new secret lease will be generated and the credentials for it will be
shown to you.

</Step>
Once you have created one or more leases, you will be able to access them by clicking on the respective dynamic secret item on the dashboard. This will allow you to see the lease details and delete the lease ahead of its expiration time.
To extend the life of the generated dynamic secret lease past its initial time to live, simply click on the Renew button as illustrated below.
<Warning> Lease renewals cannot exceed the maximum TTL set when configuring the dynamic secret. </Warning>