Snowflake CLI release notes for 2026

This article contains the release notes for the Snowflake CLI, including the following when applicable:

  • Behavior changes
  • New features
  • Customer-facing bug fixes

See Snowflake CLI for documentation.

Version 3.22.0 (Jul 07, 2026)

New features and updates

  • Added a tags field to the Streamlit entity so that you can set object tags with snow streamlit deploy.
  • config.toml and connections.toml files with 0644 permissions (readable by group or others) now emit a warning instead of a hard error when SF_SKIP_TOKEN_FILE_PERMISSIONS_VERIFICATION=true or SKIP_TOKEN_FILE_PERMISSIONS_VERIFICATION=true is set, aligning with the behavior of snowflake-connector-python. Files that are writable by group or others remain a hard error regardless of the environment variable.

Bug fixes

  • snow app setup now correctly preserves case-sensitive (double-quoted) identifiers in the generated snowflake.yml. Previously, values such as "lower_db" were silently stripped of their surrounding quotes, which caused Snowflake to uppercase the identifier and fail to locate the object.
  • snow app setup no longer writes build_compute_pool or service_compute_pool to the generated snowflake.yml, and no longer reads the DEFAULT_SNOWFLAKE_APPS_BUILD_COMPUTE_POOL or DEFAULT_SNOWFLAKE_APPS_SERVICE_COMPUTE_POOL account parameters. Snowflake App Runtime services now always run on server-managed compute pools. Existing projects that set these fields in snowflake.yml continue to be honored by snow app deploy.
  • snow app setup --dry-run now exits with code 0 while still printing the same setup validation errors that a non-dry-run invocation surfaces.
  • snow app deploy now supports a separate service_eai field on snowflake-app entities for newly created application services. When service_eai isn’t set, deploy continues to fall back to build_eai for backward compatibility.
  • snow dbt deploy now preserves the original key order in profiles.yml instead of reordering keys alphabetically.
  • snow app setup and snow app deploy now resolve their Snowflake App Runtime defaults through the SYSTEM$GET_APPLICATION_SERVICE_DEFAULTS() system function, and automatically fall back to the previous SHOW PARAMETERS-based resolution on accounts where that function isn’t yet available.
  • Fixed snow app events and snow app setup --dry-run crashing on Windows with an uncaught UnicodeEncodeError when their output contained non-ASCII characters (for example, emoji, box-drawing characters, or accented text). The snow app commands now render output as UTF-8 instead of the platform default code page.

Version 3.21.0 (Jun 24, 2026)

New features and updates

  • Added a cli.encoding configuration section (and matching SNOWFLAKE_CLI_ENCODING_* environment variables) to control text encoding in three areas: file_io for reading and writing project files (such as SQL files and snowflake.yml), subprocess for decoding the output of external processes (such as Docker and pip), and stdout for encoding CLI output written to standard output. Setting all three to utf-8 ensures correct Unicode handling on Windows systems where the platform default encoding isn’t UTF-8. For more information, see Configuring Snowflake CLI.
  • Added the snow helpers detect-encoding command, which shows the encoding configuration for the current environment and flags any discrepancies that could corrupt files when sharing projects across platforms. Run it after an encoding warning to see the full details and recommended remediation steps.
  • Added the --no-prompt-exit-repl option (and matching configuration setting) to skip the exit confirmation prompt in the SQL REPL.
  • Added the --server-session-keep-alive global connection option (with the matching SNOWFLAKE_SERVER_SESSION_KEEP_ALIVE environment variable and server_session_keep_alive configuration key) that prevents Snowflake from closing idle sessions. This is useful for long-running operations or connections held open between multiple operations.

Bug fixes

  • Fixed REST API object operations (for example, snow object create) crashing with ModuleNotFoundError: No module named 'snowflake.connector.vendored' when running against the Snowflake Universal Driver (connector-python v5). HTTP error handling now works on both connector v4.x and the Universal Driver v5.
  • Renamed the --deploy-only option of snow app deploy to --promote-only. The previous --deploy-only name continues to work as a hidden alias for now, but this backward compatibility is temporary and will be removed soon.
  • The snow app setup --compute-pool option and the build_compute_pool and service_compute_pool fields of a snowflake-app entity are now hidden and undocumented (omitted from --help and from the generated project-definition JSON Schema). They remain fully functional: snow app setup and snow app deploy still honor the DEFAULT_SNOWFLAKE_APPS_BUILD_COMPUTE_POOL and DEFAULT_SNOWFLAKE_APPS_SERVICE_COMPUTE_POOL account parameters and any compute pools configured in snowflake.yml.
  • snow streamlit deploy --replace now uses ALTER STREAMLIT ... SET instead of CREATE OR REPLACE STREAMLIT when the app already exists, preserving existing grants and permissions on the object.
  • snow app setup and snow app deploy now default to a workspace (instead of a stage) for app code whenever the resolved destination is a personal database (USER$<user>), which doesn’t support stages. An explicitly configured code_stage is still honored, with a warning when the destination is a personal database.
  • snow app setup now honors the --warehouse, --database, and --schema connection options as explicit overrides for the generated snowflake.yml, taking precedence over account parameters and connection defaults. When you specify --database, you must also specify --schema.
  • The build_eai field of a snowflake-app entity can now be specified as a bare string (for example, build_eai: MY_EAI) in addition to the existing object form.
  • Fixed snow app commands (for example, snow app deploy and snow app validate) failing on Windows with a UnicodeDecodeError when snowflake.yml contained non-ASCII characters. The snow app command group now defaults to reading and writing snowflake.yml as UTF-8. An explicit cli.encoding.file_io setting still takes precedence.
  • Fixed snow app deploy failing on Windows, and failing when directory names contain glob metacharacters (for example, Next.js dynamic-route directories such as [id] or [...slug]), by escaping local file paths before they’re passed to PUT.
  • snow app deploy now drops and recreates the code stage before uploading (instead of clearing it with REMOVE), uploads app code one file at a time while preserving the directory structure, and uploads files in parallel (up to five at a time).
  • snow dcm commands now use the system temporary folder to bundle project files before uploading, rather than creating and then dropping an output project directory.
  • snow dbt no longer rejects valid --dbt-version values (for example, 2.0.0-preview.175) that don’t match a hard-coded client-side pattern. Versions are now validated against the server’s supported list.
  • Fixed snow app setup incorrectly treating system-default parameter values as admin-configured values after running ALTER ACCOUNT UNSET on the compute-pool account parameters.
  • Upgraded pip from 26.1.1 to 26.1.2.

Version 3.20.0 (Jun 08, 2026)

New features and updates

  • Added the --protocol option (with the matching SNOWFLAKE_PROTOCOL environment variable and protocol configuration key) to snow connection add and the global connection overrides. This option selects http or https as the connection protocol without editing config.toml, which is primarily useful for local development against http deployments.
  • Added the snow helpers generate-project-schema command to emit a JSON Schema for the snowflake.yml project definition file. The output follows JSON Schema Draft 2020-12 and can be used by editors (for example, VS Code with the YAML extension) or CI pipelines to get completion and to catch structural mistakes such as unknown keys, wrong types, and missing required fields before a deploy. Use the --definition-version option to select the project definition version (1, 1.1, or 2; the default is 2) and the --output-file (-o) option to write the schema to a file.

Bug fixes

  • Fixed TooManyFilesError during snow streamlit deploy when main_file is a descendant of a directory listed in artifacts.
  • Fixed snow sql table output rendering as a series of | characters when selecting many columns into a non-terminal destination, for example piped or redirected output.
  • Fixed get_account_identifier() and snow spcs service build-image to raise a clear, user-visible error when CURRENT_ORGANIZATION_NAME() or CURRENT_ACCOUNT_NAME() returns no row or a NULL value, instead of a cryptic TypeError or AttributeError.
  • snow dcm list-deployments and snow dcm drop-deployment now wrap the project name in IDENTIFIER(...), matching the other DCM subcommands. Fully qualified and quoted project names are now handled consistently.
  • snow app setup and snow app deploy now verify that the current role can deploy to the account-configured destination (the DEFAULT_SNOWFLAKE_APPS_DESTINATION_DATABASE and DEFAULT_SNOWFLAKE_APPS_DESTINATION_SCHEMA account defaults) before using it. When the role is missing the required privileges, the commands fall back to your personal database and print a warning that lists the missing grants.
  • Updated snowflake-connector-python to version 4.6.0.

Version 3.19.0 (May 26, 2026)

New features and updates

  • Added a --local-only option to snow sql (and the interactive REPL it launches) that restricts the !source and !load directives to local SQL files. When set, !source/!load directives that reference http:// or https:// URLs are rejected instead of being fetched. Local file paths are unaffected, and the restriction also applies transitively to nested !source directives reached from sourced files. Use this option in environments where SQL inputs should not trigger outbound network requests, or when running SQL files whose content should be reviewed locally before execution.

Version 3.18.0 (May 20, 2026)

New features and updates

  • Added the snow streamlit logs command to stream live logs from a Streamlit-in-Snowflake app running on the SPCSv2 container runtime. Supports --tail for historical lines, --name to target apps without a project definition, and honors the global --format option (plain, JSON, or CSV) for downstream piping.
  • Updated snowflake-connector-python to version 4.5.0.
  • Updated gitpython to version 3.1.50.
  • Upgraded pip to version 26.1.1.

Bug fixes

  • Fixed the macOS arm64 installer incorrectly requiring Rosetta 2. The Distribution.xml package metadata now declares hostArchitectures="arm64,x86_64", so the installer is recognized as native on Apple Silicon.
  • Fixed snow spcs service build-image on Azure accounts to work with stages that use the SNOWFLAKE_FULL encryption type.
  • Fixed Snowsight URL generation (used by snow streamlit deploy, snow streamlit get-url, snow app run, snow notebook, and similar commands) for accounts whose host is 4-part (for example, <account>.us-east-1.snowflakecomputing.com) or 5-part with a cloud suffix (for example, <account>.<region>.aws.snowflakecomputing.com). These hosts now resolve to the correct regioned Snowsight URL instead of raising a “host was missing or not in the expected format” error.
  • Fixed snow connection list crashing with AttributeError when config.toml contains a scalar value directly under [connections]. Such entries are now skipped with a warning so valid connections are still listed.
  • Fixed boolean connection parameters (client_store_temporary_credential, oauth_disable_pkce, oauth_enable_refresh_tokens, oauth_enable_single_use_refresh_tokens) being passed to the connector as raw strings when supplied via SNOWFLAKE_* or SNOWFLAKE_CONNECTIONS_<name>_* environment variables. Values like false and 0 are now correctly interpreted as False rather than truthy strings.
  • Closed several SQL injection paths and improved input handling across the CLI:
    • Fixed SQL injection in snow spcs service create, execute-job, and upgrade where a $$ sequence in a YAML spec file could break out of the dollar-quoted SQL literal.
    • Fixed SQL string literal escaping in SHOW ... LIKE patterns to use Snowflake’s standard single-quote doubling ('') instead of backslash escaping, which is not interpreted under the default STANDARD_ESCAPE_SEQUENCES=FALSE session setting.
    • Fixed SQL injection through FQN.sql_identifier (single quotes are now escaped).
    • Improved input handling in snow cortex complete and snow cortex translate.
    • Improved input handling in snow git setup, snow connection secret creation, and API integration creation.
    • Improved argument handling in SPCS service status and log commands.
    • Improved string handling in CREATE STREAMLIT SQL emitted by snow streamlit deploy and related commands.
    • Improved pattern handling for --like arguments to snow object show, snow git show, and snow spcs image-repository list-images.
  • Improved file and path handling across the CLI:
    • Improved file handling in the read_file_content and procedure_from_js_file Jinja filters used during SQL template rendering.
    • Improved path handling in the Snowpark annotation processor (nativeapp codegen snowpark).
    • Improved path handling for post-deploy sql_script hooks.
    • Improved file handling in artifact bundling for snow app and snow snowpark.
  • Improved the output of repr(ConnectionContext) and related debug logs to redact credentials.

Version 3.17.1 (May 12, 2026)

Bug fixes

  • Encrypted private key files no longer require PRIVATE_KEY_PASSPHRASE to be set in the environment. The passphrase can now be read from private_key_file_pwd (the name used by snowflake-connector-python) or private_key_passphrase in connections.toml or config.toml. The PRIVATE_KEY_PASSPHRASE environment variable continues to take precedence when set. This also fixes a regression in 3.17.0 where commands using key-pair authentication with private_key_passphrase in connections.toml failed with argument 'password': Cannot convert "<class 'str'>" instance to a buffer.

Version 3.17.0 (May 11, 2026)

New features and updates

  • The snow app command group now supports both Snowflake Native Apps (application and application package entities) and Snowflake Apps Deploy (snowflake-app entities). The entity type in snowflake.yml determines which flow is used, so shared subcommands such as bundle, deploy, validate, open, events, and teardown automatically select the correct behavior. The experimental hidden snow __app command group and the ENABLE_SNOWFLAKE_APPS feature flag have been removed.
  • Added the snow app setup command for initializing a snowflake.yml file for a Snowflake Apps Deploy project.
  • Added the snow connection generate-workload-identity-token command to generate a workload identity token for the current environment. Supports AWS, GCP, Azure, and OIDC providers via the --workload-identity-provider option or connection configuration.
  • Added the snow custom-image validate command to validate custom Docker images against configured rules (entrypoint, environment variables, Python packages, and dependency health). Supports an optional --scan-vulnerabilities flag to run Grype vulnerability scanning.
  • Added the snow dcm purge command to drop all the objects managed by the specified DCM Project. The project object itself is not dropped.
  • DCM manifest targets now validate the account_identifier and project_owner fields. The CLI checks these against the current session and prints a warning on mismatch: account_identifier is checked for all manifest-based commands, and project_owner is checked for snow dcm create.
  • Added the --secondary-roles option (and matching SNOWFLAKE_SECONDARY_ROLES environment variable and secondary_roles configuration key) to snow connection add and the global connection overrides. The value is forwarded to snowflake-connector-python and accepts ALL or NONE, so sessions can be pinned to the primary role without running USE SECONDARY ROLES.
  • Added the --force option to snow spcs service drop to allow dropping services that contain block storage volumes.
  • Significantly improved DCM file upload performance.
  • Updated snowflake-connector-python to version 4.4.0. The 4.x series introduced stricter permission checks. In future versions of Snowflake CLI, strict configuration file permissions will become mandatory. To test whether your files have the correct permissions, set SNOWFLAKE_CLI_FEATURES_ENFORCE_STRICT_CONFIG_PERMISSIONS=1 before running CLI commands.

Bug fixes

  • Fixed snow streamlit deploy failing with a collision error when a pages/*.py glob in additional_source_files overlaps with the automatically-included pages/ directory. Overlapping glob patterns are now deduplicated during v1-to-v2 definition conversion.
  • Fixed the error message when the PRIVATE_KEY_PASSPHRASE environment variable is set to an empty string.
  • Fixed SELECT * output being corrupted when joined tables share column names. Duplicate column names are now disambiguated by appending a numeric suffix (for example, NAME, NAME_2).
  • Fixed snow connection generate-jwt and snow connection generate-workload-identity-token failing with Connection None is not configured when used with --temporary-connection.
  • Fixed duplicate LOGIN_HISTORY events (and OVERFLOW_FAILURE_EVENTS_ELIDED entries) previously emitted when a snow invocation was rejected by an authentication policy. The internal connection cache now remembers failed connect attempts and re-raises the original exception on subsequent accesses within the same process, instead of re-dialing Snowflake every time a command accesses the shared connection.
  • Fixed session/master token connections created from environment variables or named connection configuration not enabling token keep-alive settings. This could cause follow-up commands to fail with 251007: Session and master tokens invalid.

Version 3.16.0 (Mar 19, 2026)

New features and updates

  • Added support for DCM commands in preview.
  • Added the --in-account option to list commands (for example, snow object list, snow stage list). This option lists all objects of a given type in the account. Cannot be used together with the --in option.
  • Added the experimental command snow spcs service build-image to build container images using an SPCS service. The command uploads the local build context to a stage, executes a build job, and streams logs in real time until completion. This command is experimental and subject to change.
  • Added the --async option to the snow spcs service execute-job command to execute job services asynchronously without waiting for completion.
  • Added the --replicas option to the snow spcs service execute-job command to specify the number of job replicas to run.
  • Added the --dbt-version option to the snow dbt deploy and snow dbt execute commands. This option sets the dbt Core version on a dbt project object (snow dbt deploy command) or executes a dbt command on a specific dbt Core version without altering the dbt object (snow dbt execute commands).
  • All authenticators (including snowflake-jwt, username_password_mfa, and workload_identity) are now case-insensitive.
  • Changed how the fully qualified names for temporary stages are established for snow dbt deploy. The database and schema from the dbt project object’s fully qualified name now take precedence over those from the session.

Bug fixes

  • Fixed snow stage copy --recursive dropping database and schema qualifiers from fully qualified stage names, which caused the command to resolve stages against the connection’s default database instead of the one specified in the FQN.
  • Fixed snow streamlit deploy --prune failing with an incorrect stage path format for Streamlit entities using versioned deployment. The snow:// prefix is now correctly preserved through all stage path operations.
  • Fixed a bug with snow dbt deploy where the dbt project uploaded files first and updated project properties afterward. This could cause deploys to fail if, for example, the project lacked external access integrations and dependencies were specified.
  • Fixed the snow stage copy and snow stage put commands failing when a local directory path contains glob special characters (such as, square brackets in [id] or [slug]). The path is now escaped before glob expansion, so literal directory names are matched correctly.

Version 3.15.0 (Feb 03, 2026)

New features and updates

  • Added the --if-exists option to the snow object drop command and object-specific drop commands (for example, snow stage drop) to drop objects only if they exist, preventing errors when dropping non-existent objects.
  • Updated the project definition with supported Python versions aligned with snowflake-connector-python.

Bug fixes

  • Fixed git repository path parsing to allow quotes around both repository and branch names (such as @"example-repo"/branches/"feature/branch"/*).
  • Fixed external browser authentication (EXTERNALBROWSER) for headless systems.