Snowflake Sessions & Session Policies

128 viewsConnecting to Snowflakesnowflakesecurity

Snowflake Sessions & Session Policies

Alejandro Penzini Changed status to publish December 20, 2023

Understanding and Managing Snowflake Sessions and Session Policies

Key Concepts:

Sessions: Independent of IdP sessions, lasting indefinitely with activity or expiring after an idle session timeout (default 4 hours).
Session Policies: Customizable idle timeout periods (5-minute minimum) for accounts or users to address compliance requirements. User-level policies take precedence.
Key Properties:
SESSION_IDLE_TIMEOUT_MINS: For programmatic and Snowflake clients.
SESSION_UI_IDLE_TIMEOUT_MINS: For the Classic Console and Snowsight.
Client Considerations:

Avoid using CLIENT_SESSION_KEEP_ALIVE to prevent excessive open sessions and potential performance degradation.
Use CLIENT_SESSION_KEEP_ALIVE_HEARTBEAT_FREQUENCY to control token update frequency.
Interface Behavior:

Web interface sessions refresh with continued object usage.
New or opened worksheets reuse existing sessions with a reset idle timeout.
Tracking Session Policy Usage:

SESSION_POLICIES view for account-level policies.
POLICY_REFERENCES table function for user-level policies.

Future grants on session policies are unsupported.
Workaround: Grant APPLY SESSION POLICY privilege to a custom role for applying policies.
Implementation Steps (Centralized Management Approach):

Create a custom role (policy_admin) with ownership of the session policy and privileges to apply it to accounts or users.
Grant necessary permissions to policy_admin for account-level policy setting.
Follow Snowflake documentation for specific configuration steps.

Alejandro Penzini Changed status to publish December 20, 2023