Authenticate with Snowflake PKI
Last updated: July 23, 2025
Snowflake allows you to use token-based authentication to secure communications and authenticate entities such as user names and passwords within its ecosystem. It is available through Public Key Infrastructure (PKI) or Open Authorization (OAuth); both mechanisms improve your overall security architecture.
Note: By November 2025, Snowflake will require token-based authentication.
Before you begin
Generate your own token by following the Snowflake authenticator documentation.
Familiarize yourself with the liquibase.properties file.
Determine whether your team uses OAuth or PKI authentication, based on your organization's infrastructure and security standards.
Choose between setting the OAUTH parameter in the URL or in the liquibase.snowflake.auth.token property. The Liquibase token property takes precedence over the equivalent parameter in the URL. So, if you set one OAUTH parameter in your URL and set another one in your token property, you will see an error. Be sure to specify only one or the other for successful authentication.
Procedure
In the liquibase.properties file, add your private key information under the liquibase.snowflake.auth.type section.
liquibase.snowflake.auth.type=PKI
liquibase.snowflake.auth.privateKeyPath=<path_to_private_key>
liquibase.snowflake.auth.privateKeyPassphrase=<Pass_phrase_to_a_private_key>
Specify your liquibase.snowflake.auth.privateKeyPassphrase in the liquibase.properties file.
Your private key may be encrypted. It is best practice to employ a passphrase for security purposes. If your rsa_key is encrypted, the privateKeyPassphrase is required to decrypt it.
If you use an encrypted private key and do not specify a liquibase.snowflake.auth.privateKeyPassphrase, you will see this error:
ERROR: Exception Details: Unexpected error running Liquibase: Used Private key is encrypted with a passphrase. Please provide one in the 'snowflake-auth-private-key-passphrase' configuration. For more information, please use the --log-level flag
If your rsa_key is not encrypted, the privateKeyPassphrase is not necessary.
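The following preflight check is an added example, not part of Liquibase or of the original page. It compares the PKI settings from the procedure above with the PEM markers of the key file, so the missing-passphrase error can be caught before Liquibase runs. The function names, sample paths, and sample passphrase are constructed for illustration, and the parser assumes simple key=value lines.

```python
"""Preflight check for the PKI settings in liquibase.properties (added example)."""

PREFIX = "liquibase.snowflake.auth."

# Constructed sample inputs. The key bodies are placeholders, not real keys.
ENCRYPTED_KEY = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
                 "PLACEHOLDER\n-----END ENCRYPTED PRIVATE KEY-----\n")
PLAIN_KEY = "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"
PROPS_NO_PASS = PREFIX + "type=PKI\n" + PREFIX + "privateKeyPath=/constructed/rsa_key.p8\n"
PROPS_WITH_PASS = PROPS_NO_PASS + PREFIX + "privateKeyPassphrase=constructed-passphrase\n"


def parse_properties(text):
    """Parse simple key=value lines; blank lines and # or ! comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def key_is_encrypted(pem_text):
    """Detect an encrypted key from its PEM markers (PKCS#8 or legacy OpenSSL)."""
    return ("-----BEGIN ENCRYPTED PRIVATE KEY-----" in pem_text
            or "Proc-Type: 4,ENCRYPTED" in pem_text)


def check_pki_config(props_text, pem_text):
    """Return a list of findings; an empty list means the settings are consistent."""
    props = parse_properties(props_text)
    findings = []
    if props.get(PREFIX + "type", "").upper() != "PKI":
        findings.append("auth.type is not PKI")
    if not props.get(PREFIX + "privateKeyPath"):
        findings.append("privateKeyPath is missing")
    has_passphrase = bool(props.get(PREFIX + "privateKeyPassphrase"))
    encrypted = key_is_encrypted(pem_text)
    if encrypted and not has_passphrase:
        findings.append("key is encrypted but privateKeyPassphrase is not set")
    if not encrypted and has_passphrase:
        findings.append("privateKeyPassphrase is set but the key is not encrypted")
    return findings


if __name__ == "__main__":
    print(check_pki_config(PROPS_NO_PASS, ENCRYPTED_KEY))
```

To check real files, pass the contents of liquibase.properties and of the file named in privateKeyPath to check_pki_config.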