snowflake-policy-guardrails
Implement Snowflake governance guardrails with network rules, session policies, authentication policies, and automated compliance checks. Use when enforcing security policies, implementing data governance, or configuring automated compliance for Snowflake. Trigger with phrases like "snowflake policy", "snowflake guardrails", "snowflake governance", "snowflake compliance", "snowflake enforce".
Best use case
snowflake-policy-guardrails is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Implement Snowflake governance guardrails with network rules, session policies, authentication policies, and automated compliance checks. Use when enforcing security policies, implementing data governance, or configuring automated compliance for Snowflake. Trigger with phrases like "snowflake policy", "snowflake guardrails", "snowflake governance", "snowflake compliance", "snowflake enforce".
Teams using snowflake-policy-guardrails should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/snowflake-policy-guardrails/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How snowflake-policy-guardrails Compares
| Feature / Agent | snowflake-policy-guardrails | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Implement Snowflake governance guardrails with network rules, session policies, authentication policies, and automated compliance checks. Use when enforcing security policies, implementing data governance, or configuring automated compliance for Snowflake. Trigger with phrases like "snowflake policy", "snowflake guardrails", "snowflake governance", "snowflake compliance", "snowflake enforce".
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
AI Agents for Coding
Browse AI agent skills for coding, debugging, testing, refactoring, code review, and developer workflows across Claude, Cursor, and Codex.
Best AI Skills for Claude
Explore the best AI skills for Claude and Claude Code across coding, research, workflow automation, documentation, and agent operations.
ChatGPT vs Claude for Agent Skills
Compare ChatGPT and Claude for AI agent skills across coding, writing, research, and reusable workflow execution.
SKILL.md Source
# Snowflake Policy & Guardrails
## Overview
Automated policy enforcement and governance guardrails using Snowflake-native features: network rules, authentication policies, session policies, and object-level governance.
## Instructions
### Step 1: Network Rules and Policies
```sql
-- Network rules (more granular than legacy network policies)
CREATE OR REPLACE NETWORK RULE corp_vpn_rule
TYPE = IPV4
MODE = INGRESS
VALUE_LIST = ('203.0.113.0/24', '198.51.100.0/24');
CREATE OR REPLACE NETWORK RULE cloud_services_rule
TYPE = HOST_PORT
MODE = EGRESS
VALUE_LIST = ('api.company.com:443', 'events.company.com:443');
-- Create network policy using rules
CREATE OR REPLACE NETWORK POLICY prod_network_policy
ALLOWED_NETWORK_RULE_LIST = (corp_vpn_rule)
BLOCKED_NETWORK_RULE_LIST = ();
-- Apply at account level
ALTER ACCOUNT SET NETWORK_POLICY = prod_network_policy;
-- Or per-user (service accounts can have different rules)
ALTER USER svc_etl SET NETWORK_POLICY = prod_network_policy;
```
### Step 2: Authentication Policies
```sql
-- Require MFA for interactive users
CREATE OR REPLACE AUTHENTICATION POLICY interactive_auth
MFA_AUTHENTICATION_METHODS = ('TOTP')
CLIENT_TYPES = ('SNOWFLAKE_UI', 'SNOWSQL')
SECURITY_INTEGRATIONS = ('saml_sso');
-- Service accounts: key pair only, no password
CREATE OR REPLACE AUTHENTICATION POLICY service_auth
AUTHENTICATION_METHODS = ('KEYPAIR')
CLIENT_TYPES = ('SNOWFLAKE_DRIVER')
MFA_AUTHENTICATION_METHODS = ();
-- Apply policies
ALTER USER analyst_user SET AUTHENTICATION POLICY = interactive_auth;
ALTER USER svc_etl SET AUTHENTICATION POLICY = service_auth;
```
### Step 3: Session Policies
```sql
-- Enforce session timeout and idle limits
CREATE OR REPLACE SESSION POLICY prod_session_policy
SESSION_IDLE_TIMEOUT_MINS = 30
SESSION_UI_IDLE_TIMEOUT_MINS = 15;
-- Apply to account
ALTER ACCOUNT SET SESSION POLICY = prod_session_policy;
```
### Step 4: Statement-Level Guardrails
```sql
-- Prevent runaway queries
ALTER WAREHOUSE PROD_WH SET
STATEMENT_TIMEOUT_IN_SECONDS = 3600, -- 1 hour max
STATEMENT_QUEUED_TIMEOUT_IN_SECONDS = 600; -- 10 min max queue
-- Prevent accidental full table operations
-- Use row access policies + stored procedures instead of raw access
-- Example: Safe delete procedure with audit
CREATE OR REPLACE PROCEDURE safe_delete(
table_name VARCHAR, where_clause VARCHAR, max_rows INTEGER DEFAULT 10000
)
RETURNS VARCHAR
LANGUAGE SQL
AS
$$
BEGIN
-- Count affected rows first
LET count_sql VARCHAR := 'SELECT COUNT(*) FROM ' || :table_name || ' WHERE ' || :where_clause;
LET affected_rows INTEGER;
EXECUTE IMMEDIATE :count_sql INTO :affected_rows;
IF (:affected_rows > :max_rows) THEN
RETURN 'BLOCKED: Would delete ' || :affected_rows || ' rows (max: ' || :max_rows || ')';
END IF;
-- Audit log
INSERT INTO audit.delete_log (table_name, where_clause, row_count, executed_by, executed_at)
VALUES (:table_name, :where_clause, :affected_rows, CURRENT_USER(), CURRENT_TIMESTAMP());
-- Execute delete
EXECUTE IMMEDIATE 'DELETE FROM ' || :table_name || ' WHERE ' || :where_clause;
RETURN 'Deleted ' || :affected_rows || ' rows from ' || :table_name;
END;
$$;
-- Usage: CALL safe_delete('orders', 'order_date < ''2024-01-01''', 50000);
```
### Step 5: Data Governance Tags and Policies
```sql
-- Create governance taxonomy
CREATE TAG IF NOT EXISTS data_domain ALLOWED_VALUES 'finance', 'marketing', 'engineering', 'hr';
CREATE TAG IF NOT EXISTS data_owner;
CREATE TAG IF NOT EXISTS retention_days;
-- Apply tags to databases/schemas
ALTER DATABASE PROD_DW SET TAG data_domain = 'finance';
ALTER SCHEMA PROD_DW.GOLD SET TAG data_owner = 'analytics-team@company.com';
ALTER TABLE PROD_DW.GOLD.REVENUE SET TAG retention_days = '2555'; -- 7 years
-- Automated compliance report
SELECT
tag_name, tag_value, object_database, object_schema, object_name, column_name
FROM TABLE(INFORMATION_SCHEMA.TAG_REFERENCES_ALL_COLUMNS(
'PROD_DW.GOLD.REVENUE', 'TABLE'
));
-- Find untagged tables (governance gap)
SELECT t.table_catalog, t.table_schema, t.table_name, t.row_count
FROM INFORMATION_SCHEMA.TABLES t
LEFT JOIN TABLE(INFORMATION_SCHEMA.TAG_REFERENCES(
t.table_catalog || '.' || t.table_schema || '.' || t.table_name, 'TABLE'
)) tr ON TRUE
WHERE tr.tag_name IS NULL
AND t.table_schema NOT IN ('INFORMATION_SCHEMA')
ORDER BY t.row_count DESC NULLS LAST;
```
### Step 6: CI/CD Policy Checks
```yaml
# .github/workflows/snowflake-governance.yml
name: Snowflake Governance Check
on:
pull_request:
paths: ['sql/**', 'migrations/**']
jobs:
policy-check:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Check for dangerous SQL patterns
run: |
# No DROP DATABASE/SCHEMA without IF EXISTS
if grep -rn "DROP DATABASE\|DROP SCHEMA" sql/ | grep -v "IF EXISTS"; then
echo "ERROR: DROP without IF EXISTS detected"
exit 1
fi
# No GRANT ... TO PUBLIC
if grep -rn "TO ROLE PUBLIC\|TO PUBLIC" sql/; then
echo "ERROR: Granting to PUBLIC role is not allowed"
exit 1
fi
# No hardcoded passwords
if grep -rn "PASSWORD = " sql/ | grep -v "PASSWORD = \$"; then
echo "ERROR: Hardcoded password detected"
exit 1
fi
# All tables must have DATA_RETENTION_TIME_IN_DAYS
for f in $(grep -rl "CREATE TABLE\|CREATE OR REPLACE TABLE" sql/); do
if ! grep -q "DATA_RETENTION_TIME_IN_DAYS" "$f"; then
echo "WARNING: $f missing explicit retention policy"
fi
done
echo "All governance checks passed"
- name: Validate SchemaChange naming
run: |
# Ensure migration files follow V{version}__{description}.sql
for f in migrations/V*.sql; do
if ! echo "$f" | grep -qE 'V[0-9]+\.[0-9]+\.[0-9]+__[a-z_]+\.sql'; then
echo "ERROR: Invalid migration filename: $f"
echo "Expected: V{major}.{minor}.{patch}__{description}.sql"
exit 1
fi
done
```
### Step 7: Automated Compliance Audit
```sql
-- Weekly compliance audit stored procedure
CREATE OR REPLACE PROCEDURE run_compliance_audit()
RETURNS TABLE (check_name VARCHAR, status VARCHAR, details VARCHAR)
LANGUAGE SQL
AS
$$
-- Check 1: No users with ACCOUNTADMIN default role
SELECT 'accountadmin_check' AS check_name,
CASE WHEN COUNT(*) = 0 THEN 'PASS' ELSE 'FAIL' END AS status,
COUNT(*) || ' users with ACCOUNTADMIN default' AS details
FROM SNOWFLAKE.ACCOUNT_USAGE.USERS
WHERE default_role = 'ACCOUNTADMIN' AND disabled = 'false'
UNION ALL
-- Check 2: Network policy active
SELECT 'network_policy_check',
CASE WHEN value != '' THEN 'PASS' ELSE 'FAIL' END,
'Account network policy: ' || COALESCE(value, 'NONE')
FROM TABLE(FLATTEN(INPUT => PARSE_JSON(
SYSTEM$GET_SNOWFLAKE_PLATFORM_INFO()
)))
WHERE key = 'network_policy'
UNION ALL
-- Check 3: MFA adoption
SELECT 'mfa_check',
CASE WHEN COUNT_IF(has_mfa = 'true') * 100 / COUNT(*) >= 90 THEN 'PASS' ELSE 'WARN' END,
COUNT_IF(has_mfa = 'true') || '/' || COUNT(*) || ' users have MFA'
FROM SNOWFLAKE.ACCOUNT_USAGE.USERS
WHERE disabled = 'false';
$$;
```
## Error Handling
| Issue | Cause | Solution |
|-------|-------|----------|
| Network policy blocks legitimate user | IP not in allowlist | Add IP range to network rule |
| Auth policy prevents login | Wrong client type in policy | Adjust CLIENT_TYPES |
| Session timeout too aggressive | Short idle timeout | Increase SESSION_IDLE_TIMEOUT_MINS |
| CI check false positive | SQL pattern too broad | Refine regex pattern |
## Resources
- [Network Policies](https://docs.snowflake.com/en/user-guide/network-policies)
- [Authentication Policies](https://docs.snowflake.com/en/user-guide/authentication-policies)
- [Data Governance](https://docs.snowflake.com/en/guides-overview-govern)
- [Object Tagging](https://docs.snowflake.com/en/user-guide/object-tagging)
## Next Steps
For architecture blueprints, see `snowflake-architecture-variants`.Related Skills
windsurf-policy-guardrails
Implement team-wide Windsurf usage policies, code quality gates, and Cascade guardrails. Use when setting up code review policies for AI-generated code, configuring Turbo mode safety controls, or implementing CI gates for Cascade output. Trigger with phrases like "windsurf policy", "windsurf guardrails", "cascade safety rules", "windsurf team rules", "AI code policy".
vercel-policy-guardrails
Implement lint rules, CI policy checks, and automated guardrails for Vercel projects. Use when setting up code quality rules, preventing secret exposure, or enforcing deployment policies for Vercel applications. Trigger with phrases like "vercel policy", "vercel lint", "vercel guardrails", "vercel best practices check", "vercel secret scan".
supabase-policy-guardrails
Enforce organizational governance for Supabase projects: shared RLS policy library with reusable templates, table and column naming conventions, migration review process with CI checks, cost alert thresholds, and security audit scripts scanning for common misconfigurations. Use when establishing Supabase standards across teams, creating RLS policy templates, setting up migration review workflows, or auditing existing projects for security and cost issues. Trigger with phrases like "supabase governance", "supabase policy library", "supabase naming convention", "supabase migration review", "supabase cost alert", "supabase security audit", "supabase RLS template".
snowflake-upgrade-migration
Upgrade Snowflake drivers, handle breaking changes, and migrate between editions. Use when upgrading snowflake-sdk or snowflake-connector-python versions, migrating between Snowflake editions, or handling deprecations. Trigger with phrases like "upgrade snowflake", "snowflake migration", "snowflake breaking changes", "update snowflake driver", "snowflake version".
snowflake-security-basics
Apply Snowflake security best practices: network policies, key rotation, MFA, encryption, and least-privilege access. Use when securing Snowflake access, implementing network policies, or auditing security configuration. Trigger with phrases like "snowflake security", "snowflake network policy", "secure snowflake", "snowflake MFA", "snowflake encryption".
snowflake-sdk-patterns
Apply production-ready Snowflake SDK patterns for snowflake-sdk and snowflake-connector-python. Use when implementing connection pooling, async execute wrappers, streaming results, or establishing team coding standards for Snowflake. Trigger with phrases like "snowflake SDK patterns", "snowflake best practices", "snowflake code patterns", "idiomatic snowflake", "snowflake connection pool".
snowflake-reliability-patterns
Implement Snowflake reliability patterns: replication, failover, Time Travel recovery, and application-level resilience for Snowflake integrations. Use when building fault-tolerant pipelines, configuring disaster recovery, or adding resilience to production Snowflake services. Trigger with phrases like "snowflake reliability", "snowflake failover", "snowflake replication", "snowflake disaster recovery", "snowflake Time Travel".
snowflake-reference-architecture
Implement Snowflake reference architecture with medallion pattern and Snowflake-native design. Use when designing a new Snowflake data platform, setting up bronze/silver/gold layers, or establishing architecture standards for a Snowflake deployment. Trigger with phrases like "snowflake architecture", "snowflake medallion", "snowflake best practices layout", "snowflake data platform design".
snowflake-rate-limits
Handle Snowflake concurrency limits, warehouse queuing, and query throttling. Use when queries are queuing, hitting concurrency limits, or needing to optimize warehouse sizing for throughput. Trigger with phrases like "snowflake rate limit", "snowflake throttling", "snowflake queuing", "snowflake concurrency", "snowflake warehouse sizing".
snowflake-prod-checklist
Execute Snowflake production readiness checklist with monitoring and rollback. Use when deploying Snowflake pipelines to production, preparing for go-live, or validating production Snowflake configuration. Trigger with phrases like "snowflake production", "snowflake go-live", "snowflake launch checklist", "snowflake prod ready".
snowflake-performance-tuning
Optimize Snowflake query performance with clustering, materialized views, caching, and query profiling. Use when queries are slow, analyzing QUERY_HISTORY for bottlenecks, or optimizing warehouse utilization and data scanning. Trigger with phrases like "snowflake performance", "optimize snowflake", "snowflake slow query", "snowflake clustering", "snowflake query profile".
snowflake-observability
Set up Snowflake observability using ACCOUNT_USAGE views, alerts, and external monitoring. Use when implementing Snowflake monitoring dashboards, setting up query performance tracking, or configuring alerting for warehouse and pipeline health. Trigger with phrases like "snowflake monitoring", "snowflake metrics", "snowflake observability", "snowflake dashboard", "snowflake alerts".