From e638a0ae80bdcaecd1bbfc6703154641b3fca5da Mon Sep 17 00:00:00 2001 From: Quetzalli Writes Date: Thu, 18 Sep 2025 20:07:13 +0200 Subject: [PATCH 1/5] draft 1 --- .../snowflake/features/masking-policies.md | 79 +++++++++++++++++++ 1 file changed, 79 insertions(+) create mode 100644 src/content/docs/snowflake/features/masking-policies.md diff --git a/src/content/docs/snowflake/features/masking-policies.md b/src/content/docs/snowflake/features/masking-policies.md new file mode 100644 index 00000000..d6ba86ef --- /dev/null +++ b/src/content/docs/snowflake/features/masking-policies.md 
@@ -0,0 +1,79 @@ +--- +title: "Masking Policies" +description: Get started with Masking Policies in LocalStack for Snowflake +tags: ["Base"] +--- + +## Introduction + +Masking policies are schema-level objects that let you define column-level data protection rules in Snowflake. They determine how sensitive data is displayed depending on the context of the query and the role of the user. For example, a masking policy can ensure that full values are shown to administrators while obfuscating values for regular users. + +The Snowflake emulator in LocalStack now supports **basic CRUD operations** for masking policies. This allows you to create, alter, drop, and show masking policies locally. While the full integration of masking policies with table data is not yet supported, you can use these operations to experiment with policy definitions and query their metadata. + +## Getting started +To begin using masking policies in LocalStack: + +1. Start your Snowflake emulator. +2. Connect to the emulator using an SQL client. +3. Use SQL statements such as `CREATE MASKING POLICY`, `ALTER MASKING POLICY`, `DROP MASKING POLICY`, and `SHOW MASKING POLICIES` to manage policies. + +This feature is intended for local development and testing. It is useful for validating schema migration scripts, Terraform workflows, or integration tests that reference masking policies. + +## Create, alter, and drop a masking policy + +### Create a masking policy +You can define a masking policy using the `CREATE MASKING POLICY` statement: + +```sql +CREATE MASKING POLICY ssn_mask AS (val STRING) + RETURNS STRING -> + CASE + WHEN CURRENT_ROLE() IN ('FULL_ACCESS_ROLE') THEN val + ELSE 'XXX-XX-XXXX' + END; +``` + +This policy shows the full value of a column only to users with the `FULL_ACCESS_ROLE`. All other users see a masked version. 
+ +### Alter a masking policy + +You can update an existing masking policy using `ALTER MASKING POLICY`: + +```sql +ALTER MASKING POLICY ssn_mask + SET BODY -> + CASE + WHEN CURRENT_ROLE() IN ('FULL_ACCESS_ROLE', 'AUDITOR_ROLE') THEN val + ELSE 'XXX-XX-XXXX' + END; +``` + +This modification expands access to include the `AUDITOR_ROLE`. + +### Show masking policies + +List existing masking policies using: + +```sql +SHOW MASKING POLICIES; +``` + +The result displays available masking policies and their properties. + +### Drop a masking policy + +Remove a policy using: + +```sql +DROP MASKING POLICY ssn_mask; +``` + +This deletes the policy definition from the emulator. + +::: +## Limitations + +- LocalStack currently supports only the CRUD operations (CREATE, ALTER, SHOW, DROP) for masking policies. +- Applying masking policies to tables and enforcing them during queries is not supported yet. +- Use this feature primarily for validating schema definitions and testing IaC workflows. +::: \ No newline at end of file From 8a75182e627a3395765076a557d95de9486898d3 Mon Sep 17 00:00:00 2001 From: Quetzalli Writes Date: Thu, 18 Sep 2025 20:11:21 +0200 Subject: [PATCH 2/5] fix command markup --- src/content/docs/snowflake/features/masking-policies.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/content/docs/snowflake/features/masking-policies.md b/src/content/docs/snowflake/features/masking-policies.md index d6ba86ef..e30c3194 100644 --- a/src/content/docs/snowflake/features/masking-policies.md +++ b/src/content/docs/snowflake/features/masking-policies.md 
@@ -70,10 +70,10 @@ DROP MASKING POLICY ssn_mask; This deletes the policy definition from the emulator. -::: +:::note ## Limitations -- LocalStack currently supports only the CRUD operations (CREATE, ALTER, SHOW, DROP) for masking policies. +- LocalStack currently supports only the CRUD operations (`CREATE`, `ALTER`, `SHOW`, `DROP`) for masking policies. - Applying masking policies to tables and enforcing them during queries is not supported yet. - Use this feature primarily for validating schema definitions and testing IaC workflows. ::: \ No newline at end of file From 7eb017735d1a71c144347051ef993b2107e5e4ad Mon Sep 17 00:00:00 2001 From: Quetzalli Date: Mon, 22 Sep 2025 03:51:01 -0700 Subject: [PATCH 3/5] Apply suggestions from code review --- src/content/docs/snowflake/features/masking-policies.md | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/src/content/docs/snowflake/features/masking-policies.md b/src/content/docs/snowflake/features/masking-policies.md index e30c3194..1306d8bc 100644 --- a/src/content/docs/snowflake/features/masking-policies.md +++ b/src/content/docs/snowflake/features/masking-policies.md 
@@ -11,13 +11,8 @@ Masking policies are schema-level objects that let you define column-level data The Snowflake emulator in LocalStack now supports **basic CRUD operations** for masking policies. This allows you to create, alter, drop, and show masking policies locally. While the full integration of masking policies with table data is not yet supported, you can use these operations to experiment with policy definitions and query their metadata. ## Getting started -To begin using masking policies in LocalStack: -1. Start your Snowflake emulator. -2. Connect to the emulator using an SQL client. -3. Use SQL statements such as `CREATE MASKING POLICY`, `ALTER MASKING POLICY`, `DROP MASKING POLICY`, and `SHOW MASKING POLICIES` to manage policies. - -This feature is intended for local development and testing. It is useful for validating schema migration scripts, Terraform workflows, or integration tests that reference masking policies. +Masking policies is intended for local development and testing. It is useful for validating schema migration scripts, Terraform workflows, or integration tests that reference masking policies. ## Create, alter, and drop a masking policy From 9dba8a11f3731f9d5587ccab3dd1638e04697e38 Mon Sep 17 00:00:00 2001 From: Quetzalli Date: Mon, 22 Sep 2025 04:07:11 -0700 Subject: [PATCH 4/5] Apply suggestions from code review --- src/content/docs/snowflake/features/masking-policies.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/snowflake/features/masking-policies.md b/src/content/docs/snowflake/features/masking-policies.md index 1306d8bc..bed22448 100644 --- a/src/content/docs/snowflake/features/masking-policies.md +++ b/src/content/docs/snowflake/features/masking-policies.md 
@@ -8,7 +8,7 @@ tags: ["Base"] Masking policies are schema-level objects that let you define column-level data protection rules in Snowflake. They determine how sensitive data is displayed depending on the context of the query and the role of the user. For example, a masking policy can ensure that full values are shown to administrators while obfuscating values for regular users. -The Snowflake emulator in LocalStack now supports **basic CRUD operations** for masking policies. This allows you to create, alter, drop, and show masking policies locally. While the full integration of masking policies with table data is not yet supported, you can use these operations to experiment with policy definitions and query their metadata. +The Snowflake emulator in LocalStack now supports **basic CRUD operations** for masking policies, not the actual implementation or usage of them. While the full integration of masking policies with table data is not yet supported, you can use these operations to experiment with policy definitions and query their metadata locally. ## Getting started From cff754596e493f35e5e9e36b574b0d60510c1b9c Mon Sep 17 00:00:00 2001 From: Quetzalli Date: Mon, 22 Sep 2025 06:14:15 -0700 Subject: [PATCH 5/5] Apply suggestions from code review --- src/content/docs/snowflake/features/masking-policies.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/snowflake/features/masking-policies.md b/src/content/docs/snowflake/features/masking-policies.md index bed22448..db676a71 100644 --- a/src/content/docs/snowflake/features/masking-policies.md +++ b/src/content/docs/snowflake/features/masking-policies.md 
@@ -8,7 +8,7 @@ tags: ["Base"] Masking policies are schema-level objects that let you define column-level data protection rules in Snowflake. They determine how sensitive data is displayed depending on the context of the query and the role of the user. For example, a masking policy can ensure that full values are shown to administrators while obfuscating values for regular users. -The Snowflake emulator in LocalStack now supports **basic CRUD operations** for masking policies, not the actual implementation or usage of them. While the full integration of masking policies with table data is not yet supported, you can use these operations to experiment with policy definitions and query their metadata locally. +The Snowflake emulator in LocalStack now supports **basic CRUD operations** for masking policies, which are currently mocked and not functional. While the full integration of masking policies with table data is not yet supported, you can use these operations to experiment with policy definitions and query their metadata locally. ## Getting started
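Review bot: In patch 1/5, the sentence under the `CREATE MASKING POLICY` example ("This policy shows the full value of a column only to users with the `FULL_ACCESS_ROLE`. All other users see a masked version.") describes enforcement that the Limitations list at the end of the same file says the emulator does not perform ("Applying masking policies to tables and enforcing them during queries is not supported yet"). A reader who stops at the example can conclude that a passing local test shows the column is masked. Suggest wording the sentence as the behavior the policy defines in Snowflake, and stating next to the example that the emulator keeps the definition without applying it. The section heading "Create, alter, and drop a masking policy" also omits the `SHOW MASKING POLICIES` subsection it contains.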
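Review bot: In patch 2/5, the `## Limitations` heading still sits inside the `:::note` container opened on the line above it, so the section heading becomes part of the note body instead of standing alongside the other `##` headings. Suggest moving `:::note` below the heading so that only the three bullets are wrapped. The hunk also keeps "\ No newline at end of file"; add the trailing newline.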
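Review bot: In patch 3/5, the added line "Masking policies is intended for local development and testing. It is useful for ..." has a subject-verb mismatch and, read literally, says masking policies themselves are a local-testing feature rather than the emulator's support for them. Suggest "Masking policy support in the emulator is intended for local development and testing." With the three numbered steps removed, the `## Getting started` heading now covers only this sentence; either rename the heading or keep a one-line pointer to starting the emulator and connecting an SQL client.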
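Review bot: In patch 5/5, "which are currently mocked and not functional" is ambiguous about its referent and, if it attaches to the CRUD operations, contradicts the rest of the paragraph, which says the operations can be used "to experiment with policy definitions and query their metadata locally". Suggest saying precisely what works and what does not, in the terms the Limitations list uses: the `CREATE`, `ALTER`, `SHOW` and `DROP` statements are supported, while applying a policy to a table and enforcing it during queries is not. That wording also makes it clear that tests run against the emulator cannot confirm that a column is masked.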