Authenticate with Snowflake PKI

Last updated: July 23, 2025

Snowflake allows you to use token-based authentication to secure communications and authenticate entities such as user names and passwords within its ecosystem. This is available with Public Key Infrastructure (PKI) or with Open Authorization (OAuth), and both are a mechanism that improves overall security architecture.

Note: By November 2025, Snowflake will require token-based authentication.

Before you begin

  • Generate your own token by following the Snowflake authenticator documentation.

  • Familiarize yourself with the liquibase.properties file.

  • Determine whether your team uses OAuth or PKI authentication, based on your organization's infrastructure and security standards.

  • Choose between setting the OAUTH parameter in the URL or in the liquibase.snowflake.auth.token property. It is important to know that the liquibase token property takes precedence over the equivalent parameter in the URL. So, if you set one OAUTH parameter in your URL and set another one in your token property, you will see an error. Be sure to only specify one or the other for successful authentication.

Procedure

1

In the liquibase.properties file, add your private key information under the liquibase.snowflake.auth.type section.

liquibase.snowflake.auth.type=PKI liquibase.snowflake.auth.privateKeyPath=<path_to_private_key> liquibase.snowflake.auth.privateKeyPassphrase=<Pass_phrase_to_a_private_key>

2

Specify your liquibase.snowflake.auth.privateKeyPassphrase in the liquibase.properties file.

Your private key may be encrypted. It is best practice to employ a passphrase for security purposes. If your rsa_key is encrypted, the privateKeyPassphrase is required to decrypt it.

If you use an encrypted private key and do not specify a liquibase.snowflake.auth.privateKeyPassphrase, you will see this error:

ERROR: Exception Details: Unexpected error running Liquibase: Used Private key is encrypted with a passphrase. Please provide one in the 'snowflake-auth-private-key-passphrase' configuration. For more information, please use the --log-level flag __If your rsa_key is not encrypted__, the privateKeyPassphrase is not necessary.