Authenticate with Snowflake PKI or OAuth

Snowflake allows you to use token based authentication to secure communications and authenticate entities such as user names and passwords within its ecosystem. This is available with Public Key Infrastructure (PKI) or with Open Authorization (OAuth) and both are a mechanism that improves overall security architecture.

Note: By November 2025, Snowflake will require token-based authentication.

Before you begin

  • Generate your own token by following the Snowflake authenticator documentation
  • Familiarize yourself with the liquibase.properties file.
  • Determine whether your team uses OAuth or PKI authentication, based on your organization's infrastructure and security standards.
  • Choose between setting the OAUTH parameter in the URL or in the liquibase.snowflake.auth.token property.
    It is important to know that the liquibase token property takes precedence over the equivalent parameter in the URL. So, if you set one OAUTH parameter in your URL, and you set another one in your token property, you will see an error. Be sure to only specify one or the other for successful authentication.

OAuth Step-by-step

  1. In the liquibase.properties file, add your token under the authMechanism=OAUTH section:
    • Copy
      liquibase.snowflake.auth.type=oauth
      liquibase.snowflake.auth.token=your_token

PKI Step-by-step

  1. In the liquibase.properties file, add your private key information under the liquibase.snowflake.auth.type section:
    • Copy
      liquibase.snowflake.auth.type=PKI
      liquibase.snowflake.auth.privateKeyPath=<path_to_private_key>
      liquibase.snowflake.auth.privateKeyPassphrase=<Pass_phrase_to_a_private_key>
  2. PrivateKeyPassphrase options:
    Your private key may be encrypted. It is best practice to employ a passphrase for security purposes.
    • If your rsa_key is encrypted, the privateKeyPassphrase is required to decrypt it.
      Specify your liquibase.snowflake.auth.privateKeyPassphrase in the liquibase.properties file.
      If you are using an encrypted private key and do not specify a liquibase.snowflake.auth.privateKeyPassphrase, you will see this error:
      Copy
      ERROR: Exception Details: Unexpected error running Liquibase: Used Private key is encrypted with a passphrase. Please provide one in the 'snowflake-auth-private-key-passphrase' configuration.  For more information, please use the --log-level flag
    • If your rsa_key is not encrypted, the privateKeyPassphrase is not necessary.