Go Secretless with Snowflake Workload Identity Federation

Struggling with the shift away from password authentication? Imagine if you could eliminate secret management during this transition. Now you can!

We are thrilled to announce that workload identity federation (WIF) is now generally available! This marks a significant step forward in our commitment to enhancing security and simplifying authentication for your interactions with Snowflake. With WIF, you can now seamlessly connect your applications and services to Snowflake using their existing infrastructure identities without managing any credentials.

The challenge of traditional authentication

As part of Snowflake’s mission to protect our customers in line with industry best practices, we are working toward deprecating passwords as a single authentication method for users, where appropriate. Services that authenticate to Snowflake have often relied on static secrets (usernames/passwords). While simple, these secrets are highly susceptible to compromise if not protected properly, and their secure management incurs significant administrative overhead.

Workload identity federation is the definitive answer for service users to embrace this change, providing a frictionless, secure and modern authentication experience that outperforms common alternatives for service-to-service connections in several key areas.

What is workload identity federation?

WIF is Snowflake’s recommended and preferred authentication method for SERVICE type users, meaning your automated workloads, applications and third-party tools. Instead of relying on long-lived secrets, WIF lets your services present short-lived attestations of the identity they already hold with their cloud provider, such as AWS, Azure or Google Cloud. It also supports platforms that expose an OIDC provider, such as Kubernetes and GitHub Actions. Snowflake verifies these attestations directly with the identity provider and grants access without ever seeing or storing a static secret for your service.

Key benefits you’ll love

Adopting WIF allows your applications to operate “secretless” by eliminating the need to store, manage or rotate long-lived Snowflake access credentials. This approach yields the following benefits:

  • Enhanced security: With no customer-managed secrets to compromise, the attack surface is dramatically reduced. WIF utilizes short-lived, ephemeral tokens, further enhancing your security posture.

  • Reduced complexity: Compared to previous federated methods like External OAuth, WIF significantly simplifies initial setup and reduces ongoing maintenance overhead. This means faster integration and less time spent on authentication plumbing.

  • Cost efficiency: Centralize your identity management by reusing existing cloud provider identities. There’s no need for extra tools or licenses to manage service identities specifically for Snowflake.

  • Standardized approach: WIF is a widely adopted and encouraged authentication method by top cloud providers for external workloads.

Where can you use WIF?

WIF is ideal for a wide range of service-to-service authentication scenarios:

  • Cloud-hosted custom workloads: Authenticate applications running on AWS EC2 or Lambda using IAM roles, Azure VMs or Functions with System or User Managed Identities, or Google Compute Engine and Cloud Run instances via service accounts.

  • CI/CD pipelines: Securely connect your GitHub Actions workflows to Snowflake, allowing your automation to interact with data without hardcoding credentials.

  • Containerized applications: Enable workloads running in Kubernetes to authenticate to Snowflake using OIDC federation.

  • ETL/ELT jobs and data pipelines: Automate data ingestion and transformation with robust, secretless authentication.

Beyond these scenarios, our goal is for your preferred third-party tools, including BI and ETL tools, to support secretless authentication via OIDC federation as well. We are already collaborating with many providers, and we also encourage you to ask your third-party providers to join our secretless initiative and adopt WIF as their preferred service-to-service authentication method to Snowflake.

Getting started with WIF is simple

Setting up WIF involves a few straightforward steps, typically requiring configuration of your cloud provider and the creation of a SERVICE user in Snowflake.

Here is an example for connecting an AWS EC2 instance:

  1. Configure AWS: Attach an IAM role to your EC2 instance in AWS.

  2. Create Snowflake user: Create a Snowflake SERVICE user and associate it with the ARN of your AWS IAM role using the WORKLOAD_IDENTITY property.

  3. Connect with driver: Update your application to use the latest Snowflake driver and specify authenticator='WORKLOAD_IDENTITY' and workload_identity_provider='AWS' in your connection string. The driver will auto-detect the platform-native credentials.

For Python:
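The following is an added example, not the post's own snippet, showing step 3 with the Python connector: it builds the WIF connection parameters named above, refuses to accept any parameter that would reintroduce a static secret, and confirms which SERVICE user the federated identity resolved to. The `account`/`user` arguments, the environment variable names and the provider values other than AWS are assumptions for illustration.

```python
"""Connect to Snowflake with workload identity federation (WIF): no stored secrets."""
import os
from typing import Any, Optional

# Provider values for workload_identity_provider; AWS is the EC2 case walked
# through in the steps above, the others are assumed for illustration.
SUPPORTED_PROVIDERS = {"AWS", "AZURE", "GCP", "OIDC"}
# Parameters that would put a long-lived Snowflake credential back into the workload.
FORBIDDEN_SECRET_KEYS = {"password", "private_key", "private_key_file"}


def wif_connect_kwargs(account: str, user: Optional[str], provider: str,
                       **extra: Any) -> dict:
    """Build keyword arguments for snowflake.connector.connect() using WIF.

    The driver discovers the platform-native credential on its own (instance
    role on EC2, managed identity on Azure, service account on GCE), so the
    application never handles a Snowflake password or private key.
    """
    provider = provider.upper()
    if provider not in SUPPORTED_PROVIDERS:
        raise ValueError(f"unsupported workload_identity_provider: {provider}")
    leaked = FORBIDDEN_SECRET_KEYS & set(extra)
    if leaked:
        raise ValueError(f"secretless connection must not carry {sorted(leaked)}")
    kwargs = {
        "account": account,
        "authenticator": "WORKLOAD_IDENTITY",
        "workload_identity_provider": provider,
        **extra,
    }
    if user:  # optional: the federated identity is mapped to a SERVICE user in Snowflake
        kwargs["user"] = user
    return kwargs


def connect_with_wif(account: str, user: Optional[str] = None,
                     provider: str = "AWS", **extra: Any):
    import snowflake.connector  # imported lazily so the helper above is testable offline
    return snowflake.connector.connect(**wif_connect_kwargs(account, user, provider, **extra))


def whoami(conn) -> str:
    """Return the Snowflake user the session authenticated as (sanity check after setup)."""
    with conn.cursor() as cur:
        cur.execute("SELECT CURRENT_USER()")
        return cur.fetchone()[0]


if __name__ == "__main__":  # assumed environment variable names
    conn = connect_with_wif(os.environ["SNOWFLAKE_ACCOUNT"], os.environ.get("SNOWFLAKE_USER"))
    print("authenticated as", whoami(conn))
    conn.close()
```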

Ready to go secretless and enhance your Snowflake security? Here are a few ways to get started:

Many thanks to the following Snowflake contributors for their work on this blog: Dima Basavin, James Kasten, Peter Mansour, Eric Woroshow and Xiaohu Zhao.
