Snowflake Connection¶
The Snowflake connection type enables integrations with Snowflake.
Authenticating to Snowflake¶
Authenticate to Snowflake using the Snowflake python connector default authentication.
Default Connection IDs¶
Hooks, operators, and sensors related to Snowflake use snowflake_default by default.
Configuring the Connection¶
- Login
Specify the snowflake username. For OAuth, the OAuth Client ID.
- Password
Specify the snowflake password. For public key authentication, the passphrase for the private key. For OAuth, the OAuth Client Secret. For Programmatic Access Token (PAT) authentication, specify the PAT token value.
- Schema (optional)
Specify the snowflake schema to be used.
- Extra (optional)
Specify the extra parameters (as json dictionary) that can be used in the snowflake connection. The following parameters are all optional:
account: Snowflake account name.database: Snowflake database name.region: Warehouse region.warehouse: Snowflake warehouse name.role: Snowflake role.authenticator: To connect using OAuth set this parameteroauth. To connect without a stored secret using Workload Identity Federation, set it toWORKLOAD_IDENTITYand also setworkload_identity_provider(see below). For Programmatic Access Token (PAT) authentication, no special authenticator is required — simply set the PAT token as the Password field. See Snowflake PAT documentation.workload_identity_provider: The cloud whose workload identity is used as the Snowflake credential whenauthenticatorisWORKLOAD_IDENTITY. One ofAWS,AZURE,GCPorOIDC. With Workload Identity Federation no long-lived secret (password, key-pair or PAT) is stored; the workload’s cloud identity is the credential. Requiressnowflake-connector-python>=3.17.0and the workload to run on the matching cloud.AWS,AZUREandGCPfetch the identity token from the cloud’s metadata service.OIDCinstead requires the token to be supplied viatokenortoken_file_path(see below); see custom OIDC configuration.token: The OIDC ID token (JWT) used whenworkload_identity_providerisOIDC. Prefertoken_file_pathfor tokens that rotate.token_file_path: Path to a file holding the OIDC ID token used whenworkload_identity_providerisOIDC. The connector reads the token from this file, which suits projected or rotated tokens (for example a Kubernetes service-account token).token_endpoint: Specify token endpoint for external OAuth provider.grant_type: Specify grant type for OAuth authentication. Currently supported:refresh_token(default),client_credentials.scope: Specify OAuth scope to include in the access token request for any OAuth grant type.refresh_token: Specify refresh_token for OAuth connection.azure_conn_id: Azure Connection ID to be used for retrieving the OAuth token using Azure Entra authentication. Login and Password fields aren’t required when using this method. Scope for the Azure OAuth token can be set in the config optionazure_oauth_scopeunder the section[snowflake]. Requires apache-airflow-providers-microsoft-azure>=12.8.0.private_key_file: Specify the path to the private key file.private_key_content: Specify the content of the private key file, either in plain text or base64 encoded. When using the Airflow UI to manage the Snowflake connection, you should base64 encode theprivate_key_content. You can use the following Python code to encode the private key:import base64 with open("path/to/private_key.pem", "rb") as key_file: private_key_content = base64.b64encode(key_file.read()).decode("utf-8") print(private_key_content)
session_parameters: Specify session level parameters.insecure_mode: Turn off OCSP certificate checks. For details, see: How To: Turn Off OCSP Checking in Snowflake Client Drivers - Snowflake Community.host: Target Snowflake hostname to connect to (e.g., for local testing with LocalStack).port: Target Snowflake port to connect to (e.g., for local testing with LocalStack).ocsp_fail_open: Specify ocsp_fail_open.proxy_host: Proxy hostname to use for connecting to Snowflake.proxy_port: Proxy port to use for connecting to Snowflake.proxy_user: Proxy username for authentication with the proxy server.proxy_password: Proxy password for authentication with the proxy server.
URI format example¶
If serializing with Airflow URI:
export AIRFLOW_CONN_SNOWFLAKE_DEFAULT='snowflake://user:password@/db-schema?account=account&database=snow-db®ion=us-east&warehouse=snow-warehouse'
When specifying the connection as an environment variable in Airflow versions prior to 2.3.0, you need to specify the connection using the URI format.
Note that all components of the URI should be URL-encoded.
JSON format example¶
If serializing with JSON:
export AIRFLOW_CONN_SNOWFLAKE_DEFAULT='{
"conn_type": "snowflake",
"login": "user",
"password": "password",
"schema": "db-schema",
"extra": {
"account": "account",
"database": "database",
"region": "us-east",
"warehouse": "snow-warehouse"
}
}'
JSON format example with Programmatic Access Token (PAT)¶
To authenticate using a Programmatic Access Token, set the PAT token as the password with no special authenticator required:
export AIRFLOW_CONN_SNOWFLAKE_DEFAULT='{
"conn_type": "snowflake",
"login": "user",
"password": "<programmatic_access_token>",
"extra": {
"account": "account",
"database": "database",
"warehouse": "snow-warehouse",
"role": "role"
}
}'
JSON format example with Workload Identity Federation (WIF)¶
To authenticate without a stored secret using
Workload Identity Federation,
set authenticator to WORKLOAD_IDENTITY and workload_identity_provider to the cloud the
workload runs on (here GCP). No password, key-pair or token is stored; the workload’s cloud identity
is the credential. The Snowflake side needs a TYPE = SERVICE user that trusts the workload’s identity
and is granted a role with access to the target objects.
export AIRFLOW_CONN_SNOWFLAKE_DEFAULT='{
"conn_type": "snowflake",
"login": "service-user",
"extra": {
"account": "account",
"database": "database",
"warehouse": "snow-warehouse",
"role": "role",
"authenticator": "WORKLOAD_IDENTITY",
"workload_identity_provider": "GCP"
}
}'