REVOKE ON STORAGE CREDENTIAL

Revokes one or more privileges on a storage credential from a principal.

Syntax

REVOKE <privilege> [, <privilege> ...] ON STORAGE CREDENTIAL <name> FROM <principal>

Description

## Overview REVOKE ON STORAGE CREDENTIAL removes privileges from a principal. The revoke is idempotent. ## Behavior - External locations already created using a now-revoked CREATE_EXTERNAL_LOCATION grant continue to exist. The revoke prevents new locations but does not remove existing ones. - Downstream grants made under WITH GRANT OPTION persist until revoked explicitly. ## Access Control Requires the `ManageGrants` privilege on the credential. ## Compatibility DeltaForge extension.

Parameters

Name	Type	Description
privileges		Specifies one or more privileges as a comma-separated list.
credential_name		Specifies the storage credential.
principal		Specifies the principal to revoke from.

Examples

REVOKE CREATE_EXTERNAL_LOCATION ON STORAGE CREDENTIAL prod_aws_role FROM ROLE pipeline_lead;

Pitfalls

• Revoking CREATE_EXTERNAL_LOCATION does not retroactively remove external locations the grantee already created using the credential. Drop those locations explicitly if they should be removed.

See Also

• GRANT_ON_STORAGE_CREDENTIAL
• SHOW_GRANTS_ON_STORAGE_CREDENTIAL