@@ -464,6 +464,20 @@ Finally, are the proper steps for deprovisioning existing users which are not ma
For more information, watch this [recorded pairing session](https://youtu.be/-vpH0aSeO9c)(must be viewed as GitLab Unfiltered).
### System accounts
System accounts are fully created and managed through code in our [Snowflake Terraform project](https://gitlab.com/gitlab-data/snowflake-infrastructure/), except for the token key which is stored and configured separately.
Service users (a service or application that interacts with Snowflake without human interaction) are fully created and managed through code in our [Snowflake Terraform project](https://gitlab.com/gitlab-data/snowflake-infrastructure/), except for the token key which is stored and configured separately.
1. Service users are created through Terraform code
2. Service user roles (standard equals the user) are created through Terraform code
3. Network security policies are created and corresponding IPs are set via Terraform code
4. Token keys are created, stored, and set separately. See these handbooks:
* Key-pair authentication -> *Link will be added when runbook is available*
* Personal Access Tokens (PAT) -> *Link will be added when runbook is available*
### Snowflake Permissions Paradigm
We use [Permifrost](https://gitlab.com/gitlab-data/permifrost/) to help manage permissions for Snowflake.
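Review bot: step 4 of the new list sends readers to two runbooks that do not exist yet ("Link will be added when runbook is available"), so the token key, the one part of service-user setup that is not managed in Terraform, has no documented procedure. Consider linking a tracking issue for each runbook, or adding a sentence on where the keys are stored and who sets them until the runbooks land. The heading also still reads "System accounts" while the paragraph and list under it say "Service users"; pick one term. In step 2, "(standard equals the user)" is hard to parse; if it means the role name matches the user name, say so. If the "System accounts are fully created..." paragraph is meant to stay alongside the new "Service users ... are fully created..." paragraph, drop one, since they state the same thing.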