Snowflake CI/CD Component for GitLab¶
The Snowflake CI/CD Component for GitLab (snowflake-dev/snowflake-cicd-component) installs and configures Snowflake CLI in a GitLab CI/CD pipeline. Use it to automate Snowflake deployments (DCM projects, Snowpark applications, Snowflake Native Apps, and SQL scripts) from your GitLab project.
How it works¶
The component publishes two surfaces, both supplied by the same setup logic:
A published job that installs Snowflake CLI, deploys
config.toml, and configures OIDC, then runs the commands you pass viainputs.script:. This is the simplest way to use the component (single-job pipelines). You can rename the job viainputs.job-name:.A hidden job template (
.configure-snowflake-cli) that youextends:from your own jobs when you needsnowin more than one job. Setinputs.template-only: trueto suppress the published job. See Multiple snow-using jobs.
The shared before_script::
Installs the
uvPython package manager.Installs Snowflake CLI in an isolated environment (
uv tool install snowflake-cli).Copies
config.tomlfrom the repository to~/.snowflake/config.tomlwith0600permissions. Skipped if the file is absent.When OIDC authentication is enabled, instructs GitLab to generate a short-lived ID token and exports the Snowflake workload identity environment variables.
Note
Each GitLab CI job runs in its own container, so the Snowflake CLI install does not travel between jobs. To run snow in a job, either pass your commands through inputs.script: (single-job pipelines) or extends: .configure-snowflake-cli from your own job (multi-job pipelines).
Quick usage example¶
Include the component and pass your snow commands through inputs.script:. The component installs Snowflake CLI and runs your commands in the same container, so snow is on PATH for everything you pass.
Inputs¶
The component accepts the following inputs, specified under inputs: in your include: block:
Input |
Required |
Default |
Description |
|---|---|---|---|
|
No |
(latest) |
Snowflake CLI version to install, for example |
|
No |
|
Path to your |
|
No |
|
When |
|
No |
|
Audience claim to request for the GitLab ID token. |
|
No |
|
Pipeline stage in which the published job runs. Override if your pipeline declares custom |
|
No |
|
Name of the published job. Override to give the job a meaningful name in pipeline output (for example, |
|
No |
(no-op echo) |
Commands the published job runs after Snowflake CLI is installed. Pass your |
|
No |
|
When |
Authentication methods¶
The component supports three ways of authenticating with Snowflake. Snowflake recommends OIDC because it avoids storing long-lived secrets in GitLab.
Method |
Security |
Notes |
|---|---|---|
Workload identity federation (WIF) with OIDC (recommended) |
Secretless, short-lived tokens |
Requires Snowflake CLI 3.11 or later. |
Private key stored in GitLab CI/CD variables |
Works with any Snowflake CLI version. Combined with |
|
Password stored in GitLab CI/CD variables |
Legacy option, not recommended for production pipelines. |
Workload identity federation (WIF) with OIDC¶
Note
OIDC authentication requires Snowflake CLI version 3.11.0 or later.
With WIF OIDC, GitLab issues a short-lived ID token that Snowflake validates directly. No private key or password is stored in GitLab.
Create the service user¶
Create a Snowflake service user that trusts GitLab’s OIDC provider:
The SUBJECT value depends on your GitLab project path and the Git ref that runs the pipeline. For details on GitLab’s ID token claims, see the GitLab documentation on OIDC ID token authentication.
Configure the component¶
Store your Snowflake account identifier as a GitLab CI/CD variable (see the GitLab documentation on defining CI/CD variables), then set use-oidc: true on the component:
When use-oidc: true is set, the component exports the following environment variables in the same container as your inputs.script::
SNOWFLAKE_AUTHENTICATOR=WORKLOAD_IDENTITYSNOWFLAKE_WORKLOAD_IDENTITY_PROVIDER=OIDCSNOWFLAKE_TOKEN=<id-token>
For broader context, see Workload identity federation.
Key pair authentication¶
Store your Snowflake private key as a GitLab CI/CD variable (preferably masked and file-typed) and pass it through the environment. You can use a temporary connection (no config.toml required) or a named connection defined in config.toml.
For connection-file-based authentication, commit a config.toml with an empty connection block and supply the credentials through SNOWFLAKE_CONNECTIONS_<NAME>_* variables. See Managing Snowflake connections.
Password authentication¶
Password authentication is supported for legacy workflows but is not recommended for production CI/CD. Unset SNOWFLAKE_AUTHENTICATOR and pass SNOWFLAKE_PASSWORD:
Note
When using a password and MFA, Snowflake recommends enabling MFA caching.
Multiple snow-using jobs¶
For pipelines that run snow from more than one job (for example, a build/test stage that validates your project, then a separate deploy stage), include the component once with template-only: true and extends: .configure-snowflake-cli from each job that needs snow. The hidden template’s before_script: runs in each extending job’s container, so each job gets its own Snowflake CLI install, config.toml, and (when use-oidc: true) a fresh ID token. Setting template-only: true suppresses the published job so you don’t get a phantom in your pipeline.
Pipeline stage configuration¶
The component runs the published job in the stage named by the stage input (default build). The stage must exist in your pipeline’s stages: list. To run the job in a different stage, declare the stage and set the input: