|
| 1 | +--- |
| 2 | +title: "Masking Policies" |
| 3 | +description: Get started with Masking Policies in LocalStack for Snowflake |
| 4 | +tags: ["Base"] |
| 5 | +--- |
| 6 | + |
| 7 | +## Introduction |
| 8 | + |
| 9 | +Masking policies are schema-level objects that let you define column-level data protection rules in Snowflake. They determine how sensitive data is displayed depending on the context of the query and the role of the user. For example, a masking policy can ensure that full values are shown to administrators while obfuscating values for regular users. |
| 10 | + |
| 11 | +The Snowflake emulator in LocalStack now supports **basic CRUD operations** for masking policies, which are currently mocked and not functional. While the full integration of masking policies with table data is not yet supported, you can use these operations to experiment with policy definitions and query their metadata locally. |
| 12 | + |
| 13 | +## Getting started |
| 14 | + |
| 15 | +Masking policies is intended for local development and testing. It is useful for validating schema migration scripts, Terraform workflows, or integration tests that reference masking policies. |
| 16 | + |
| 17 | +## Create, alter, and drop a masking policy |
| 18 | + |
| 19 | +### Create a masking policy |
| 20 | +You can define a masking policy using the `CREATE MASKING POLICY` statement: |
| 21 | + |
| 22 | +```sql |
| 23 | +CREATE MASKING POLICY ssn_mask AS (val STRING) |
| 24 | + RETURNS STRING -> |
| 25 | + CASE |
| 26 | + WHEN CURRENT_ROLE() IN ('FULL_ACCESS_ROLE') THEN val |
| 27 | + ELSE 'XXX-XX-XXXX' |
| 28 | + END; |
| 29 | +``` |
| 30 | + |
| 31 | +This policy shows the full value of a column only to users with the `FULL_ACCESS_ROLE`. All other users see a masked version. |
| 32 | + |
| 33 | +### Alter a masking policy |
| 34 | + |
| 35 | +You can update an existing masking policy using `ALTER MASKING POLICY`: |
| 36 | + |
| 37 | +```sql |
| 38 | +ALTER MASKING POLICY ssn_mask |
| 39 | + SET BODY -> |
| 40 | + CASE |
| 41 | + WHEN CURRENT_ROLE() IN ('FULL_ACCESS_ROLE', 'AUDITOR_ROLE') THEN val |
| 42 | + ELSE 'XXX-XX-XXXX' |
| 43 | + END; |
| 44 | +``` |
| 45 | + |
| 46 | +This modification expands access to include the `AUDITOR_ROLE`. |
| 47 | + |
| 48 | +### Show masking policies |
| 49 | + |
| 50 | +List existing masking policies using: |
| 51 | + |
| 52 | +```sql |
| 53 | +SHOW MASKING POLICIES; |
| 54 | +``` |
| 55 | + |
| 56 | +The result displays available masking policies and their properties. |
| 57 | + |
| 58 | +### Drop a masking policy |
| 59 | + |
| 60 | +Remove a policy using: |
| 61 | + |
| 62 | +```sql |
| 63 | +DROP MASKING POLICY ssn_mask; |
| 64 | +``` |
| 65 | + |
| 66 | +This deletes the policy definition from the emulator. |
| 67 | + |
| 68 | +:::note |
| 69 | +## Limitations |
| 70 | + |
| 71 | +- LocalStack currently supports only the CRUD operations (`CREATE`, `ALTER`, `SHOW`, `DROP`) for masking policies. |
| 72 | +- Applying masking policies to tables and enforcing them during queries is not supported yet. |
| 73 | +- Use this feature primarily for validating schema definitions and testing IaC workflows. |
| 74 | +::: |
0 commit comments