Snowflake CLI Azure DevOps Extension

The Snowflake CLI Azure DevOps Extension (snowflakedb/snowflake-ado-extension) installs and configures Snowflake CLI in an Azure Pipelines pipeline. Use it to automate Snowflake deployments (DCM projects, Snowpark applications, Snowflake Native Apps, and SQL scripts) from your Azure DevOps project.

How it works

The extension publishes a single pipeline task, ConfigureSnowflakeCLI@0. The task performs these steps on the agent:

  1. Installs Snowflake CLI in an isolated environment using pipx (pipx install snowflake-cli or pipx install snowflake-cli==<version>).

  2. Copies the snow executable to a known location and prepends it to the pipeline’s PATH.

  3. Copies config.toml from the repository to ~/.snowflake/config.toml (0600 on Linux/macOS). Skipped if the file is absent.

  4. When workload identity is enabled, requests an OIDC token from Azure DevOps through the specified service connection and sets the Snowflake workload identity environment variables for subsequent steps.

After the task completes, the snow command is available on PATH for every subsequent step in the job. On Windows agents, both snow and snow.exe are available.

Quick usage example

The following pipeline authenticates with Snowflake using workload identity federation (WIF) through an Azure Resource Manager service connection and runs a connection test:

trigger:
  - main

pool:
  vmImage: ubuntu-latest

steps:
  - task: ConfigureSnowflakeCLI@0
    inputs:
      cliVersion: 'latest'
      useWorkloadIdentity: true
      connectedServiceName: 'snowflake-wif-connection'
    displayName: Configure Snowflake CLI

  - script: |
      snow --version
      snow connection test -x
    displayName: Verify Snowflake connection

Inputs

The task accepts the following inputs, specified under inputs: in your pipeline YAML:

  • cliVersion (required; default: latest): Snowflake CLI version to install, for example 3.16.0, or latest for the newest released version.

  • configFilePath (optional; default: ./config.toml): Path to your config.toml, relative to the repository root. See Managing Snowflake connections.

  • useWorkloadIdentity (optional; default: false): When true, configures OIDC authentication using an Azure service connection.

  • connectedServiceName (required only when useWorkloadIdentity is true; no default): Name of the Azure Resource Manager service connection. The pipeline editor shows this input only when useWorkloadIdentity is true.

Authentication methods

The task supports three ways of authenticating with Snowflake. Snowflake recommends workload identity federation because it avoids storing long-lived secrets in Azure DevOps.

  • Workload identity federation (WIF) with OIDC (recommended): secretless; uses short-lived tokens. Requires an Azure Entra ID app registration with a federated credential and an Azure Resource Manager service connection.

  • Key pair authentication: the private key is stored in pipeline variables/secrets. Works with any Snowflake CLI version; the key is supplied through config.toml or through environment variable overrides.

  • Password authentication: the password is stored in pipeline variables/secrets. Legacy option, not recommended for production pipelines.

Workload identity federation (WIF) with OIDC

With WIF, Azure DevOps obtains a short-lived OIDC token through the configured Azure Resource Manager service connection, and Snowflake validates the token directly. No private key or password is stored in Azure DevOps.

Create the service user

Create a Snowflake service user that trusts Azure DevOps OIDC:

CREATE USER ado_cicd_user
  TYPE = SERVICE
  WORKLOAD_IDENTITY = (
    TYPE = OIDC
    ISSUER = 'https://vstoken.dev.azure.com/<ado-organization-id>'
    SUBJECT = 'sc://<ado-org>/<ado-project>/<service-connection-name>'
    OIDC_AUDIENCE_LIST = ('api://AzureADTokenExchange')
  );

The ISSUER ends with the Azure DevOps organization ID (a GUID, not the Entra tenant ID; Azure DevOps shows it, together with the subject identifier, in the service connection's workload identity federation details), and the SUBJECT uses the Azure DevOps service connection identifier format (sc://<org-name>/<project-name>/<connection-name>). Both values must equal the iss and sub claims of the token exactly; Snowflake rejects the token otherwise. The OIDC_AUDIENCE_LIST must be api://AzureADTokenExchange.

Configure the task

Create an Azure Resource Manager service connection that uses workload identity federation (it is backed by an Entra ID app registration holding a federated credential for the Azure DevOps issuer and subject above; see the Azure documentation on workload identity federation with Azure DevOps), then reference the service connection from the task:

steps:
  - task: ConfigureSnowflakeCLI@0
    inputs:
      cliVersion: 'latest'
      useWorkloadIdentity: true
      connectedServiceName: 'snowflake-wif-connection'

  - script: |
      snow connection test -x
      snow dcm deploy --target PROD -x
    env:
      SNOWFLAKE_ACCOUNT: $(SNOWFLAKE_ACCOUNT)

When useWorkloadIdentity: true is set, the task exports the following environment variables for subsequent steps:

  • SNOWFLAKE_AUTHENTICATOR=WORKLOAD_IDENTITY

  • SNOWFLAKE_WORKLOAD_IDENTITY_PROVIDER=OIDC

  • SNOWFLAKE_TOKEN=<oidc-token> (marked as a pipeline secret)

For broader context, see Workload identity federation.
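The following script, added here as an example (it is not part of the extension or of Snowflake's tooling), decodes the payload of the token the task exports as SNOWFLAKE_TOKEN and compares its iss, sub and aud claims with the ISSUER, SUBJECT and OIDC_AUDIENCE_LIST values from the CREATE USER statement, so a mismatch shows up as a named configuration error instead of a failed snow connection test. It only decodes the payload and does not verify the signature. The env: names EXPECTED_ISSUER and EXPECTED_SUBJECT, and the sample token it builds for offline use, are assumptions. Run it as a bash script step after ConfigureSnowflakeCLI@0.

```shell
#!/bin/sh
# Added example, not part of the extension: check that the OIDC token the task
# exports as SNOWFLAKE_TOKEN carries the claims the CREATE USER statement expects.
# Only the payload is decoded; the signature is NOT verified (Snowflake does that),
# so this is a configuration check, not an authentication check.

# Base64url-decode the payload (second segment) of a JWT and print it as JSON.
jwt_payload() {
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in          # restore the padding that base64url strips
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d
}

# Print the value of the string-valued claim $2 from the JWT $1.
jwt_claim() {
  jwt_payload "$1" | sed -n "s|.*\"$2\":\"\([^\"]*\)\".*|\1|p"
}

# Return 0 when iss and sub equal the ISSUER and SUBJECT from CREATE USER and
# aud contains api://AzureADTokenExchange; report every mismatch on stderr.
check_wif_claims() {
  token=$1; want_iss=$2; want_sub=$3; ok=0
  iss=$(jwt_claim "$token" iss)
  sub=$(jwt_claim "$token" sub)
  [ "$iss" = "$want_iss" ] || { echo "iss mismatch: token '$iss' vs ISSUER '$want_iss'" >&2; ok=1; }
  [ "$sub" = "$want_sub" ] || { echo "sub mismatch: token '$sub' vs SUBJECT '$want_sub'" >&2; ok=1; }
  jwt_payload "$token" | grep -q '"api://AzureADTokenExchange"' \
    || { echo "aud does not contain api://AzureADTokenExchange" >&2; ok=1; }
  return $ok
}

# Constructed sample token with the claim shapes Azure DevOps emits; the GUID,
# org/project names and the "sig" segment are placeholders, not real values.
SAMPLE_ISS='https://vstoken.dev.azure.com/11111111-2222-3333-4444-555555555555'
SAMPLE_SUB='sc://contoso/data-platform/snowflake-wif-connection'
b64url() { base64 | tr -d '\n=' | tr '+/' '-_'; }
SAMPLE_TOKEN="$(printf '%s' '{"alg":"RS256","typ":"JWT"}' | b64url).$(printf '%s' \
  "{\"iss\":\"$SAMPLE_ISS\",\"sub\":\"$SAMPLE_SUB\",\"aud\":\"api://AzureADTokenExchange\"}" | b64url).sig"

# Inside an Azure Pipelines job (the agent sets TF_BUILD) check the real token.
# EXPECTED_ISSUER / EXPECTED_SUBJECT are assumed names for env: entries holding
# the same literals as the CREATE USER statement.
if [ -n "${TF_BUILD:-}" ] && [ -n "${SNOWFLAKE_TOKEN:-}" ]; then
  check_wif_claims "$SNOWFLAKE_TOKEN" "${EXPECTED_ISSUER:-}" "${EXPECTED_SUBJECT:-}" || exit 1
else
  check_wif_claims "$SAMPLE_TOKEN" "$SAMPLE_ISS" "$SAMPLE_SUB" && echo "sample token claims match"
fi
```

Because the task marks SNOWFLAKE_TOKEN as a pipeline secret, the whole token is masked in logs, but the individual claim values printed by this check are not; that is acceptable because iss, sub and aud contain no secret material.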

Key pair authentication

Store your Snowflake private key as an Azure DevOps secret variable and pass it through the environment. You can use a temporary connection (no config.toml required) or a named connection defined in config.toml.

steps:
  - task: ConfigureSnowflakeCLI@0
    inputs:
      cliVersion: '3.16.0'

  - script: |
      snow connection test -x
      snow dcm deploy --target PROD -x
    env:
      SNOWFLAKE_AUTHENTICATOR: SNOWFLAKE_JWT
      SNOWFLAKE_USER: $(SNOWFLAKE_USER)
      SNOWFLAKE_ACCOUNT: $(SNOWFLAKE_ACCOUNT)
      SNOWFLAKE_PRIVATE_KEY_RAW: $(SNOWFLAKE_PRIVATE_KEY_RAW)
      PRIVATE_KEY_PASSPHRASE: $(PRIVATE_KEY_PASSPHRASE)

For connection-file-based authentication, commit a config.toml with an empty connection block and supply the credentials through SNOWFLAKE_CONNECTIONS_<NAME>_* environment variables. See Managing Snowflake connections.
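A fail-fast check for this setup, added here as an example (not part of the extension): Azure DevOps passes secret variables to scripts only when they are mapped under env:, and a $(NAME) macro whose variable is undefined is left in place as literal text, so the script below rejects an empty, placeholder or non-PEM SNOWFLAKE_PRIVATE_KEY_RAW, and an encrypted key without a passphrase, before snow runs. The sample keys are constructed placeholders. Run it as a bash script step with the same env: mapping as the deployment step.

```shell
#!/bin/sh
# Added example, not part of the extension: fail fast when the key pair
# variables did not reach the step. Azure DevOps only passes secret variables
# to scripts that map them under env:, and an undefined $(NAME) macro is left
# in the YAML as the literal text "$(NAME)", so the typical symptom is an empty
# or placeholder value followed by an opaque authentication error.

# Return 0 when $1 looks like PEM private key material (PKCS#8, encrypted
# PKCS#8, or PKCS#1 header); report the reason on stderr otherwise.
check_private_key_material() {
  case "$1" in
    "")       echo "private key is empty: map the secret under env:" >&2; return 1 ;;
    '$('*')') echo "private key is an unexpanded \$(...) macro: define the variable" >&2; return 1 ;;
  esac
  printf '%s\n' "$1" | grep -qE -- '^-----BEGIN (ENCRYPTED |RSA )?PRIVATE KEY-----' \
    || { echo "private key is not PEM" >&2; return 1; }
}

# Return 0 unless $1 is an encrypted PKCS#8 key and the passphrase $2 is empty,
# which would make every connection attempt fail at key decryption.
check_passphrase_consistency() {
  if printf '%s\n' "$1" | grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----'; then
    [ -n "$2" ] || { echo "encrypted key but PRIVATE_KEY_PASSPHRASE is empty" >&2; return 1; }
  fi
  return 0
}

# Constructed samples: the bodies are placeholder text, not real keys.
SAMPLE_ENCRYPTED_KEY='-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIplaceholder
-----END ENCRYPTED PRIVATE KEY-----'
SAMPLE_PLAIN_KEY='-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQplaceholder
-----END PRIVATE KEY-----'

# Inside an Azure Pipelines job (the agent sets TF_BUILD) check the mapped values.
if [ -n "${TF_BUILD:-}" ]; then
  check_private_key_material "${SNOWFLAKE_PRIVATE_KEY_RAW:-}" || exit 1
  check_passphrase_consistency "${SNOWFLAKE_PRIVATE_KEY_RAW:-}" "${PRIVATE_KEY_PASSPHRASE:-}" || exit 1
fi
```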

Password authentication

Password authentication is supported for legacy workflows but is not recommended for production CI/CD. Leave SNOWFLAKE_AUTHENTICATOR unset and pass SNOWFLAKE_PASSWORD:

steps:
  - task: ConfigureSnowflakeCLI@0
    inputs:
      cliVersion: 'latest'

  - script: snow connection test -x
    env:
      SNOWFLAKE_USER: $(SNOWFLAKE_USER)
      SNOWFLAKE_ACCOUNT: $(SNOWFLAKE_ACCOUNT)
      SNOWFLAKE_PASSWORD: $(SNOWFLAKE_PASSWORD)

Note

When using a password and MFA, Snowflake recommends enabling MFA caching.

Platform support

The task runs on Linux, macOS, and Windows Azure Pipelines agents. Note the following platform-specific behavior:

  • Linux and macOS: the copied config.toml is set to 0600 permissions. The snow executable is available on PATH.

  • Windows: file permissions on config.toml are not modified. Both snow and snow.exe are available on PATH.

The task runs on the Node 16 agent runtime.

Using a pre-installed Snowflake CLI

If Snowflake CLI is already installed on a self-hosted agent image (for example, baked into a custom agent pool), set the DISABLE_SNOW_INSTALLATION_WITH_PIPX environment variable on the task to skip the pipx installation step:

steps:
  - task: ConfigureSnowflakeCLI@0
    inputs:
      cliVersion: 'latest'
      useWorkloadIdentity: true
      connectedServiceName: 'snowflake-wif-connection'
    env:
      DISABLE_SNOW_INSTALLATION_WITH_PIPX: 'true'

The task still copies your config.toml and configures authentication. You are responsible for ensuring snow is on PATH and that the version matches the one declared in cliVersion.
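A script step that enforces that responsibility, added here as an example (not part of the extension): it confirms snow is on PATH and that the version it reports equals the pinned cliVersion, and it fails the job otherwise. It assumes the step passes the pinned value through an env: entry named CLI_VERSION and that snow --version prints the version as an X.Y.Z token (for example "Snowflake CLI version: 3.16.0"); it does not depend on the surrounding wording.

```shell
#!/bin/sh
# Added example, not part of the extension: when DISABLE_SNOW_INSTALLATION_WITH_PIPX
# is set, confirm the pre-installed snow is on PATH and reports the version
# pinned in cliVersion before any deployment step runs.

# Print the first X.Y.Z token found in the output of `snow --version`
# (for example "Snowflake CLI version: 3.16.0" -> "3.16.0"); empty if none.
snow_reported_version() {
  printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# $1 = cliVersion input, $2 = output of `snow --version`.
# Returns 0 when they agree. 'latest' cannot be resolved offline, so for it the
# check only requires that a version was parsed at all.
snow_version_matches() {
  reported=$(snow_reported_version "$2")
  [ -n "$reported" ] || return 1
  [ "$1" = "latest" ] || [ "$reported" = "$1" ]
}

# Inside an Azure Pipelines job (the agent sets TF_BUILD) check the real binary.
# CLI_VERSION is an assumed env: entry carrying the same value as cliVersion.
if [ -n "${TF_BUILD:-}" ]; then
  command -v snow >/dev/null 2>&1 || { echo "snow is not on PATH" >&2; exit 1; }
  actual=$(snow --version 2>&1)
  snow_version_matches "${CLI_VERSION:-latest}" "$actual" \
    || { echo "expected Snowflake CLI ${CLI_VERSION:-latest}, got: $actual" >&2; exit 1; }
fi
```

Pin an explicit version rather than latest on self-hosted agents; with latest the check can only prove that some snow binary runs, not that it is the one the pipeline was tested against.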