Snowflake Connector for Python release notes for 2026¶
This article contains the release notes for the Snowflake Connector for Python, including the following when applicable:
- Behavior changes
- New features
- Customer-facing bug fixes
Snowflake uses semantic versioning for Snowflake Connector for Python updates.
See Snowflake Connector for Python for documentation.
Version 4.7.1 (July 15, 2026)¶
New features and updates¶
- Added support for Python 3.14t (free-threaded).
- Note: Python 3.14t is not supported on
win_arm64becausecryptographywheels are not yet available for that platform and architecture combination.
- Note: Python 3.14t is not supported on
- Improved URL validation reliability by replacing the hand-rolled regex in
is_valid_url()withurllib.parse.urlparse. - Removed the pandas upper bound dependency constraint on the
[pandas]extra to allow installation of pandas 3.0.0 and later. - Added native AKS (Azure Kubernetes Service) workload identity support. When running on AKS with workload identity configured, the connector automatically uses
WorkloadIdentityCredentialto authenticate using the injected service account credentials. OIDC backward compatibility is also supported. - Added the
workload_identity_aws_use_outbound_tokenconnection option (defaultfalse) to opt into AWS WIF JWT attestation using the STSGetWebIdentityTokenaction instead of the default SigV4GetCallerIdentitymethod. This connection option supersedes theSNOWFLAKE_ENABLE_AWS_WIF_OUTBOUND_TOKENenvironment variable introduced in version 4.5.0, which will be removed in a future release.
Bug fixes¶
- Improved verification of TLS connections.
- Fixed
python-connector.lognot rotating on Windows, and every record being logged twice, when easy logging is enabled usingconfig.toml.- Note: As part of this fix, easy logging no longer calls
logging.basicConfig()and therefore no longer configures the root logger.python-connector.lognow captures only thesnowflake.connector,botocore, andboto3loggers.
- Note: As part of this fix, easy logging no longer calls
- Fixed an OAuth infinite loop when tokens expire by ensuring
reauthenticate()calls_request_tokens()directly instead of looping throughprepare(). The token cache is now read exactly once per connection, and_store_tokens()preserves the macOS Keychain ACL by never callingremove(). The async OAuthreauthenticate()now runs the synchronous OAuth flow on a worker thread instead of blocking the event loop. - Fixed OAuth scope handling for Snowflake custom OAuth: when refresh tokens are enabled, the connector no longer appends the OIDC
offline_accessscope for token endpoints on*.snowflakecomputing.comor*.snowflakecomputing.cn, which causedinvalid_scopeerrors. Snowflake custom OAuth expectsrefresh_tokenin the scope instead. External IdP behavior is unchanged. - Fixed input validation for the
scalemetadata in Arrow result set processing forTIME,TIMESTAMP_NTZ,TIMESTAMP_LTZ, andTIMESTAMP_TZcolumns. - Fixed the S3 storage client to correctly handle 307/308 (method-preserving) and 301/302 (GET/HEAD only) redirects by disabling automatic redirect following and re-signing each request with AWS SigV4 credentials for the redirect target. The region is updated from the
x-amz-bucket-regionresponse header on each redirect. Redirects are capped at 5 hops. - Fixed a bug where a fully-qualified DDL statement (for example,
CREATE VIEW db.schema.obj) on a session with no current schema would populate the connector’s cached schema and database from the referenced object’s namespace. This madeget_current_schema()diverge from the server’sCURRENT_SCHEMA()and mis-qualified Snowpark temporary objects.
Version 3.18.1 (July 15, 2026)¶
New features and updates¶
- None.
Bug fixes¶
- Improved verification of TLS connections.
Version 4.6.0 (May 28, 2026)¶
New features and updates¶
- Bumped vendored
urllib3to version 2.7.0. - Added one in-band telemetry record per successful login describing which connection-identifier fields the user supplied (
account_provided,account_with_region,account_org_provided,region_provided,host_provided). No hostname or account value is included. - The telemetry is gated by the existing server-side
CLIENT_TELEMETRY_ENABLEDparameter and can additionally be disabled locally by settingSF_TELEMETRY_DISABLE_CONNECTION_SHAPE=true. Collection is time-boxed and will be removed in a future release.
Deprecated features¶
- Dropped support for Python 3.9. The minimum supported Python version is now 3.10.
Bug fixes¶
- Fixed sdist to only install the minicore binary matching the current platform. Previous 4.x releases copied every platform’s minicore
.so/.dylib/.dllinto the install prefix, which broke downstream packagers (for example, Homebrew) whose audits reject foreign-architecture binaries.
Version 4.5.0 (May 12, 2026)¶
New features and updates¶
- Added ECDSA key support (ES256, ES384, ES512) for key-pair authentication.
- Added HTTP 307/308 redirect status codes to the retryable set as defense-in-depth, with redirect-aware logging in both sync and async paths.
- Consolidated keyring token cache to use a single service name with hashed account keys, reducing macOS Keychain password prompts. Legacy entries are auto-migrated on first read.
- Added support for AWS outbound JWT token attestation for Workload Identity Federation (WIF). This can be enabled by setting the
SNOWFLAKE_ENABLE_AWS_WIF_OUTBOUND_TOKENenvironment variable totrue. This environment variable will be removed in a future release. - Removed dynamic class deserialization from the OCSP response validation cache to prevent arbitrary code execution via crafted cache files. The
SNOWFLAKE_ENABLE_CUSTOM_REVOCATION_ERRORSenvironment variable is now a no-op. - Updated SPCS token injection to gate on the
SNOWFLAKE_RUNNING_INSIDE_SPCSenvironment variable, trim whitespace, and remove the configurable token path. - GCP WIF attestation now uses hostname
metadata.google.internalinstead of the IPv4 link-local address, so it works on IPv6-only GCP VMs. - Added validation of the
accountconnection parameter so malformed identifiers (for example path-like values or labels outside letters, digits,_, and-) are rejected withProgrammingErrorbefore login. - Added support for Azure Workload Identity Federation impersonation, allowing a managed identity to authenticate as a service principal.
Bug fixes¶
- Fixed
write_pandastemp stage name collisions. The old PRNG could produce identical name sequences in forked processes (for example, Notebook kernels), causingCREATE TEMPORARY STAGEto fail with “Object already exists”. - Fixed a security bug in Okta SAML authentication where
_is_prefix_equal()comparedurl1’s port against itself instead ofurl2’s port, allowing an attacker to redirect credentials to a different port on the same hostname. Also fixed the default port fallback to useintinstead ofstrfor correct comparison when one URL omits the port. - Fixed
executemanywithparamstyle="pyformat"to correctly locate the VALUES clause using a balanced-parentheses parser instead of a greedy regex. This fixes incorrect behavior with nested function calls such as SQLAlchemy@compiles VARIANTpatterns (for example,PARSE_JSON(%(col)s)) and subquery-form INSERTs. - Fixed a bug where
write_pandas()withauto_create_table=Falseandoverwrite=Truewould executeCREATE TABLE IF NOT EXISTS, which required unnecessaryOWNERSHIPprivilege on the table. Now onlyTRUNCATE TABLEis executed in this case.
Version 4.4.0 (Mar 25, 2026)¶
New features and updates¶
- Bumped the lower boundary of the
cryptographypackage to 46.0.5 to address CVE-2026-26007. - Added support for Python 3.14.
- Removed the upper bound dependency constraint on
pyOpenSSLto allow installation ofpyOpenSSL26.0.0+, which includes a fix for GHSA-vp96-hxj8-p424.
Deprecated features¶
- Renamed the environment variable for skipping config file permission warnings from
SF_SKIP_WARNING_FOR_READ_PERMISSIONS_ON_CONFIG_FILEtoSF_SKIP_TOKEN_FILE_PERMISSIONS_VERIFICATION. The old variable is still supported but emits a deprecation warning.
Bug fixes¶
- Fixed the Azure IMDS
Metadataheader to use lowercase"true"instead of"True", which caused 400 errors during Azure Workload Identity Federation authentication. - Fixed the default
crl_download_max_sizeto be 20MB instead of 200MB to prevent potential out-of-memory issues. - Fixed a bug where Azure GET commands would incorrectly set the file status to
UPLOADEDinstead of preserving theDOWNLOADEDstatus during metadata retrieval. - Fixed the
unsafe_skip_file_permissions_checkflag not being respected when readingconnections.toml. - Fixed a
JSONDecodeErrorinresult_batch._load()when fetching large result sets.
Version 4.3.0 (Feb 12, 2026)¶
Deprecated features¶
- Deprecated support for custom revocation error classes in OCSP response cache deserialization.
By default, only
RevocationCheckErrorexceptions are deserialized from OCSP cache. Custom exception classes can be temporarily enabled by setting theSNOWFLAKE_ENABLE_CUSTOM_REVOCATION_ERRORSenvironment variable totrueor1, but this support will be removed in a future release.
New features and updates¶
- Bumped vendored
urllib3to version 2.6.3. - Added
force_microseconds_precisiontocursor.fetch_arrow_allandcursor.fetch_pandas_allto avoid PyArrow schema inconsistencies between batches. - Added a warning when using HTTP protocol for OAuth URLs.
- Updated the
server_session_keep_aliveparameter inSnowflakeConnectionto skip checking for pending asynchronous queries, providing faster connection close times, especially when many asynchronous queries are executed.
Bug fixes¶
- Fixed the string representation of
INTERVAL YEARandINTERVAL MONTHtypes. - Ensured proper list conversions; the converter now runs
to_snowflakeon all list items.
Version 4.2.0 (Jan 07, 2026)¶
New features and updates¶
- Added the
SnowflakeCursor.statsproperty to expose granular DML statistics (rows inserted, deleted, updated, and duplicates) for operations like CTAS whererowcountis insufficient. - Added support for injecting Snowpark Container Services (SPCS) service identifier tokens (
SPCS_TOKEN) into login requests when present in SPCS containers. - Introduced a shared library for extended telemetry to identify and prepare testing platforms for native Rust extensions.
Bug fixes¶
- None.