Snowflake CLI release notes for 2026¶
This article contains the release notes for the Snowflake CLI, including the following when applicable:
- Behavior changes
- New features
- Customer-facing bug fixes
See Snowflake CLI for documentation.
Version 3.22.0 (Jul 07, 2026)¶
New features and updates¶
- Added a
tagsfield to the Streamlit entity so that you can set object tags withsnow streamlit deploy. config.tomlandconnections.tomlfiles with0644permissions (readable by group or others) now emit a warning instead of a hard error whenSF_SKIP_TOKEN_FILE_PERMISSIONS_VERIFICATION=trueorSKIP_TOKEN_FILE_PERMISSIONS_VERIFICATION=trueis set, aligning with the behavior ofsnowflake-connector-python. Files that are writable by group or others remain a hard error regardless of the environment variable.
Bug fixes¶
snow app setupnow correctly preserves case-sensitive (double-quoted) identifiers in the generatedsnowflake.yml. Previously, values such as"lower_db"were silently stripped of their surrounding quotes, which caused Snowflake to uppercase the identifier and fail to locate the object.snow app setupno longer writesbuild_compute_poolorservice_compute_poolto the generatedsnowflake.yml, and no longer reads theDEFAULT_SNOWFLAKE_APPS_BUILD_COMPUTE_POOLorDEFAULT_SNOWFLAKE_APPS_SERVICE_COMPUTE_POOLaccount parameters. Snowflake App Runtime services now always run on server-managed compute pools. Existing projects that set these fields insnowflake.ymlcontinue to be honored bysnow app deploy.snow app setup --dry-runnow exits with code 0 while still printing the same setup validation errors that a non-dry-run invocation surfaces.snow app deploynow supports a separateservice_eaifield onsnowflake-appentities for newly created application services. Whenservice_eaiisn’t set, deploy continues to fall back tobuild_eaifor backward compatibility.snow dbt deploynow preserves the original key order inprofiles.ymlinstead of reordering keys alphabetically.snow app setupandsnow app deploynow resolve their Snowflake App Runtime defaults through theSYSTEM$GET_APPLICATION_SERVICE_DEFAULTS()system function, and automatically fall back to the previousSHOW PARAMETERS-based resolution on accounts where that function isn’t yet available.- Fixed
snow app eventsandsnow app setup --dry-runcrashing on Windows with an uncaughtUnicodeEncodeErrorwhen their output contained non-ASCII characters (for example, emoji, box-drawing characters, or accented text). Thesnow appcommands now render output as UTF-8 instead of the platform default code page.
Version 3.21.0 (Jun 24, 2026)¶
New features and updates¶
- Added a
cli.encodingconfiguration section (and matchingSNOWFLAKE_CLI_ENCODING_*environment variables) to control text encoding in three areas:file_iofor reading and writing project files (such as SQL files andsnowflake.yml),subprocessfor decoding the output of external processes (such as Docker and pip), andstdoutfor encoding CLI output written to standard output. Setting all three toutf-8ensures correct Unicode handling on Windows systems where the platform default encoding isn’t UTF-8. For more information, see Configuring Snowflake CLI. - Added the
snow helpers detect-encodingcommand, which shows the encoding configuration for the current environment and flags any discrepancies that could corrupt files when sharing projects across platforms. Run it after an encoding warning to see the full details and recommended remediation steps. - Added the
--no-prompt-exit-reploption (and matching configuration setting) to skip the exit confirmation prompt in the SQL REPL. - Added the
--server-session-keep-aliveglobal connection option (with the matchingSNOWFLAKE_SERVER_SESSION_KEEP_ALIVEenvironment variable andserver_session_keep_aliveconfiguration key) that prevents Snowflake from closing idle sessions. This is useful for long-running operations or connections held open between multiple operations.
Bug fixes¶
- Fixed REST API object operations (for example,
snow object create) crashing withModuleNotFoundError: No module named 'snowflake.connector.vendored'when running against the Snowflake Universal Driver (connector-python v5). HTTP error handling now works on both connector v4.x and the Universal Driver v5. - Renamed the
--deploy-onlyoption ofsnow app deployto--promote-only. The previous--deploy-onlyname continues to work as a hidden alias for now, but this backward compatibility is temporary and will be removed soon. - The
snow app setup --compute-pooloption and thebuild_compute_poolandservice_compute_poolfields of asnowflake-appentity are now hidden and undocumented (omitted from--helpand from the generated project-definition JSON Schema). They remain fully functional:snow app setupandsnow app deploystill honor theDEFAULT_SNOWFLAKE_APPS_BUILD_COMPUTE_POOLandDEFAULT_SNOWFLAKE_APPS_SERVICE_COMPUTE_POOLaccount parameters and any compute pools configured insnowflake.yml. snow streamlit deploy --replacenow usesALTER STREAMLIT ... SETinstead ofCREATE OR REPLACE STREAMLITwhen the app already exists, preserving existing grants and permissions on the object.snow app setupandsnow app deploynow default to a workspace (instead of a stage) for app code whenever the resolved destination is a personal database (USER$<user>), which doesn’t support stages. An explicitly configuredcode_stageis still honored, with a warning when the destination is a personal database.snow app setupnow honors the--warehouse,--database, and--schemaconnection options as explicit overrides for the generatedsnowflake.yml, taking precedence over account parameters and connection defaults. When you specify--database, you must also specify--schema.- The
build_eaifield of asnowflake-appentity can now be specified as a bare string (for example,build_eai: MY_EAI) in addition to the existing object form. - Fixed
snow appcommands (for example,snow app deployandsnow app validate) failing on Windows with aUnicodeDecodeErrorwhensnowflake.ymlcontained non-ASCII characters. Thesnow appcommand group now defaults to reading and writingsnowflake.ymlas UTF-8. An explicitcli.encoding.file_iosetting still takes precedence. - Fixed
snow app deployfailing on Windows, and failing when directory names contain glob metacharacters (for example, Next.js dynamic-route directories such as[id]or[...slug]), by escaping local file paths before they’re passed toPUT. snow app deploynow drops and recreates the code stage before uploading (instead of clearing it withREMOVE), uploads app code one file at a time while preserving the directory structure, and uploads files in parallel (up to five at a time).snow dcmcommands now use the system temporary folder to bundle project files before uploading, rather than creating and then dropping anoutputproject directory.snow dbtno longer rejects valid--dbt-versionvalues (for example,2.0.0-preview.175) that don’t match a hard-coded client-side pattern. Versions are now validated against the server’s supported list.- Fixed
snow app setupincorrectly treating system-default parameter values as admin-configured values after runningALTER ACCOUNT UNSETon the compute-pool account parameters. - Upgraded
pipfrom 26.1.1 to 26.1.2.
Version 3.20.0 (Jun 08, 2026)¶
New features and updates¶
- Added the
--protocoloption (with the matchingSNOWFLAKE_PROTOCOLenvironment variable andprotocolconfiguration key) tosnow connection addand the global connection overrides. This option selectshttporhttpsas the connection protocol without editingconfig.toml, which is primarily useful for local development againsthttpdeployments. - Added the
snow helpers generate-project-schemacommand to emit a JSON Schema for thesnowflake.ymlproject definition file. The output follows JSON Schema Draft 2020-12 and can be used by editors (for example, VS Code with the YAML extension) or CI pipelines to get completion and to catch structural mistakes such as unknown keys, wrong types, and missing required fields before a deploy. Use the--definition-versionoption to select the project definition version (1,1.1, or2; the default is2) and the--output-file(-o) option to write the schema to a file.
Bug fixes¶
- Fixed
TooManyFilesErrorduringsnow streamlit deploywhenmain_fileis a descendant of a directory listed inartifacts. - Fixed
snow sqltable output rendering as a series of|characters when selecting many columns into a non-terminal destination, for example piped or redirected output. - Fixed
get_account_identifier()andsnow spcs service build-imageto raise a clear, user-visible error whenCURRENT_ORGANIZATION_NAME()orCURRENT_ACCOUNT_NAME()returns no row or a NULL value, instead of a crypticTypeErrororAttributeError. snow dcm list-deploymentsandsnow dcm drop-deploymentnow wrap the project name inIDENTIFIER(...), matching the other DCM subcommands. Fully qualified and quoted project names are now handled consistently.snow app setupandsnow app deploynow verify that the current role can deploy to the account-configured destination (theDEFAULT_SNOWFLAKE_APPS_DESTINATION_DATABASEandDEFAULT_SNOWFLAKE_APPS_DESTINATION_SCHEMAaccount defaults) before using it. When the role is missing the required privileges, the commands fall back to your personal database and print a warning that lists the missing grants.- Updated
snowflake-connector-pythonto version 4.6.0.
Version 3.19.0 (May 26, 2026)¶
New features and updates¶
- Added a
--local-onlyoption tosnow sql(and the interactive REPL it launches) that restricts the!sourceand!loaddirectives to local SQL files. When set,!source/!loaddirectives that referencehttp://orhttps://URLs are rejected instead of being fetched. Local file paths are unaffected, and the restriction also applies transitively to nested!sourcedirectives reached from sourced files. Use this option in environments where SQL inputs should not trigger outbound network requests, or when running SQL files whose content should be reviewed locally before execution.
Version 3.18.0 (May 20, 2026)¶
New features and updates¶
- Added the
snow streamlit logscommand to stream live logs from a Streamlit-in-Snowflake app running on the SPCSv2 container runtime. Supports--tailfor historical lines,--nameto target apps without a project definition, and honors the global--formatoption (plain, JSON, or CSV) for downstream piping. - Updated
snowflake-connector-pythonto version 4.5.0. - Updated
gitpythonto version 3.1.50. - Upgraded
pipto version 26.1.1.
Bug fixes¶
- Fixed the macOS arm64 installer incorrectly requiring Rosetta 2. The
Distribution.xmlpackage metadata now declareshostArchitectures="arm64,x86_64", so the installer is recognized as native on Apple Silicon. - Fixed
snow spcs service build-imageon Azure accounts to work with stages that use theSNOWFLAKE_FULLencryption type. - Fixed Snowsight URL generation (used by
snow streamlit deploy,snow streamlit get-url,snow app run,snow notebook, and similar commands) for accounts whose host is 4-part (for example,<account>.us-east-1.snowflakecomputing.com) or 5-part with a cloud suffix (for example,<account>.<region>.aws.snowflakecomputing.com). These hosts now resolve to the correct regioned Snowsight URL instead of raising a “host was missing or not in the expected format” error. - Fixed
snow connection listcrashing withAttributeErrorwhenconfig.tomlcontains a scalar value directly under[connections]. Such entries are now skipped with a warning so valid connections are still listed. - Fixed boolean connection parameters (
client_store_temporary_credential,oauth_disable_pkce,oauth_enable_refresh_tokens,oauth_enable_single_use_refresh_tokens) being passed to the connector as raw strings when supplied viaSNOWFLAKE_*orSNOWFLAKE_CONNECTIONS_<name>_*environment variables. Values likefalseand0are now correctly interpreted asFalserather than truthy strings. - Closed several SQL injection paths and improved input handling across the CLI:
- Fixed SQL injection in
snow spcs service create,execute-job, andupgradewhere a$$sequence in a YAML spec file could break out of the dollar-quoted SQL literal. - Fixed SQL string literal escaping in
SHOW ... LIKEpatterns to use Snowflake’s standard single-quote doubling ('') instead of backslash escaping, which is not interpreted under the defaultSTANDARD_ESCAPE_SEQUENCES=FALSEsession setting. - Fixed SQL injection through
FQN.sql_identifier(single quotes are now escaped). - Improved input handling in
snow cortex completeandsnow cortex translate. - Improved input handling in
snow git setup,snow connectionsecret creation, and API integration creation. - Improved argument handling in SPCS service status and log commands.
- Improved string handling in
CREATE STREAMLITSQL emitted bysnow streamlit deployand related commands. - Improved pattern handling for
--likearguments tosnow object show,snow git show, andsnow spcs image-repository list-images.
- Fixed SQL injection in
- Improved file and path handling across the CLI:
- Improved file handling in the
read_file_contentandprocedure_from_js_fileJinja filters used during SQL template rendering. - Improved path handling in the Snowpark annotation processor (
nativeapp codegen snowpark). - Improved path handling for post-deploy
sql_scripthooks. - Improved file handling in artifact bundling for
snow appandsnow snowpark.
- Improved file handling in the
- Improved the output of
repr(ConnectionContext)and related debug logs to redact credentials.
Version 3.17.1 (May 12, 2026)¶
Bug fixes¶
- Encrypted private key files no longer require
PRIVATE_KEY_PASSPHRASEto be set in the environment. The passphrase can now be read fromprivate_key_file_pwd(the name used bysnowflake-connector-python) orprivate_key_passphraseinconnections.tomlorconfig.toml. ThePRIVATE_KEY_PASSPHRASEenvironment variable continues to take precedence when set. This also fixes a regression in 3.17.0 where commands using key-pair authentication withprivate_key_passphraseinconnections.tomlfailed withargument 'password': Cannot convert "<class 'str'>" instance to a buffer.
Version 3.17.0 (May 11, 2026)¶
New features and updates¶
- The
snow appcommand group now supports both Snowflake Native Apps (applicationandapplication packageentities) and Snowflake Apps Deploy (snowflake-appentities). The entity type insnowflake.ymldetermines which flow is used, so shared subcommands such asbundle,deploy,validate,open,events, andteardownautomatically select the correct behavior. The experimental hiddensnow __appcommand group and theENABLE_SNOWFLAKE_APPSfeature flag have been removed. - Added the
snow app setupcommand for initializing asnowflake.ymlfile for a Snowflake Apps Deploy project. - Added the
snow connection generate-workload-identity-tokencommand to generate a workload identity token for the current environment. Supports AWS, GCP, Azure, and OIDC providers via the--workload-identity-provideroption or connection configuration. - Added the
snow custom-image validatecommand to validate custom Docker images against configured rules (entrypoint, environment variables, Python packages, and dependency health). Supports an optional--scan-vulnerabilitiesflag to run Grype vulnerability scanning. - Added the
snow dcm purgecommand to drop all the objects managed by the specified DCM Project. The project object itself is not dropped. - DCM manifest targets now validate the
account_identifierandproject_ownerfields. The CLI checks these against the current session and prints a warning on mismatch:account_identifieris checked for all manifest-based commands, andproject_owneris checked forsnow dcm create. - Added the
--secondary-rolesoption (and matchingSNOWFLAKE_SECONDARY_ROLESenvironment variable andsecondary_rolesconfiguration key) tosnow connection addand the global connection overrides. The value is forwarded tosnowflake-connector-pythonand acceptsALLorNONE, so sessions can be pinned to the primary role without runningUSE SECONDARY ROLES. - Added the
--forceoption tosnow spcs service dropto allow dropping services that contain block storage volumes. - Significantly improved DCM file upload performance.
- Updated
snowflake-connector-pythonto version 4.4.0. The 4.x series introduced stricter permission checks. In future versions of Snowflake CLI, strict configuration file permissions will become mandatory. To test whether your files have the correct permissions, setSNOWFLAKE_CLI_FEATURES_ENFORCE_STRICT_CONFIG_PERMISSIONS=1before running CLI commands.
Bug fixes¶
- Fixed
snow streamlit deployfailing with a collision error when apages/*.pyglob inadditional_source_filesoverlaps with the automatically-includedpages/directory. Overlapping glob patterns are now deduplicated during v1-to-v2 definition conversion. - Fixed the error message when the
PRIVATE_KEY_PASSPHRASEenvironment variable is set to an empty string. - Fixed
SELECT *output being corrupted when joined tables share column names. Duplicate column names are now disambiguated by appending a numeric suffix (for example,NAME,NAME_2). - Fixed
snow connection generate-jwtandsnow connection generate-workload-identity-tokenfailing withConnection None is not configuredwhen used with--temporary-connection. - Fixed duplicate
LOGIN_HISTORYevents (andOVERFLOW_FAILURE_EVENTS_ELIDEDentries) previously emitted when asnowinvocation was rejected by an authentication policy. The internal connection cache now remembers failed connect attempts and re-raises the original exception on subsequent accesses within the same process, instead of re-dialing Snowflake every time a command accesses the shared connection. - Fixed session/master token connections created from environment variables or named connection configuration not enabling token keep-alive settings. This could cause follow-up commands to fail with
251007: Session and master tokens invalid.
Version 3.16.0 (Mar 19, 2026)¶
New features and updates¶
- Added support for DCM commands in preview.
- Added the
--in-accountoption to list commands (for example,snow object list,snow stage list). This option lists all objects of a given type in the account. Cannot be used together with the--inoption. - Added the experimental command
snow spcs service build-imageto build container images using an SPCS service. The command uploads the local build context to a stage, executes a build job, and streams logs in real time until completion. This command is experimental and subject to change. - Added the
--asyncoption to thesnow spcs service execute-jobcommand to execute job services asynchronously without waiting for completion. - Added the
--replicasoption to thesnow spcs service execute-jobcommand to specify the number of job replicas to run. - Added the
--dbt-versionoption to thesnow dbt deployandsnow dbt executecommands. This option sets the dbt Core version on a dbt project object (snow dbt deploycommand) or executes a dbt command on a specific dbt Core version without altering the dbt object (snow dbt executecommands). - All authenticators (including
snowflake-jwt,username_password_mfa, andworkload_identity) are now case-insensitive. - Changed how the fully qualified names for temporary stages are established for
snow dbt deploy. The database and schema from the dbt project object’s fully qualified name now take precedence over those from the session.
Bug fixes¶
- Fixed
snow stage copy --recursivedropping database and schema qualifiers from fully qualified stage names, which caused the command to resolve stages against the connection’s default database instead of the one specified in the FQN. - Fixed
snow streamlit deploy --prunefailing with an incorrect stage path format for Streamlit entities using versioned deployment. Thesnow://prefix is now correctly preserved through all stage path operations. - Fixed a bug with
snow dbt deploywhere the dbt project uploaded files first and updated project properties afterward. This could cause deploys to fail if, for example, the project lacked external access integrations and dependencies were specified. - Fixed the
snow stage copyandsnow stage putcommands failing when a local directory path contains glob special characters (such as, square brackets in [id] or [slug]). The path is now escaped before glob expansion, so literal directory names are matched correctly.
Version 3.15.0 (Feb 03, 2026)¶
New features and updates¶
- Added the
--if-existsoption to thesnow object dropcommand and object-specific drop commands (for example,snow stage drop) to drop objects only if they exist, preventing errors when dropping non-existent objects. - Updated the project definition with supported Python versions aligned with
snowflake-connector-python.
Bug fixes¶
- Fixed git repository path parsing to allow quotes around both repository and branch names (such as
@"example-repo"/branches/"feature/branch"/*). - Fixed external browser authentication (
EXTERNALBROWSER) for headless systems.