Workload identity federation¶
This document is for the following audiences:
Developers of in-house cloud services.
Administrators who manage integrations with internal and external services.
Developers of multi-tenant SaaS applications who want to issue OpenID Connect (OIDC) Federation ID tokens to individual workloads that are running on their platform so that each customer workload can authenticate to Snowflake as a dedicated user.
Workload identity federation is a service-to-service authentication method that lets workloads, such as applications, services, or containers, authenticate with Snowflake using their cloud provider’s native identity system, such as AWS Identity and Access Management (AWS IAM) roles, Microsoft Entra ID, and Google Cloud service accounts to get an attestation that Snowflake can use and validate.
Workload identity federation removes the need to manage and store long-lived credentials such as passwords, API keys, key pairs, and programmatic access tokens for authenticating to Snowflake. Workload identity federation also reduces the complexity involved in getting credentials, where other methods, such as External OAuth can require more effort to set up. Applications, services, and containers that use Snowflake connectors automatically get short-lived credentials from their platform’s identity provider (IdP) through each platform’s native mechanisms.
Benefits¶
This section describes why you may want to use workload identity federation for authentication:
Cost effective: Using existing IdPs to manage service identities reduces the need for additional tools or licenses, which can be cost-effective.
Interoperability: Popular cloud provider services, such as AWS IAM, Entra ID, and Google Cloud, support and encourage workload identity federation as an authentication method for external workloads.
Convenient auditing and monitoring:
Administrators can use existing cloud provider services, such as AWS CloudTrail and Azure Monitor, to log and monitor activity.
Snowflake administrators can query the LOGIN_HISTORY and CREDENTIALS views in the ACCOUNT_USAGE schema to monitor and audit services that use workload identity federation.
Workflow for implementing workload identity federation¶
You can use workload identity federation to authenticate a variety of workloads using different IdPs, but the basic workflow, as shown in the following steps, remains the same:
As a workload administrator, configure your service to use a native identity provider so that the provider can issue an attestation of your workload’s identity. This attestation is often, but not always, a JSON Web Token (JWT).
As a Snowflake administrator, create a Snowflake service user for your workload. You set the properties of this user to values found in the attestation sent by the provider. For example, a user property might specify the name of an IAM role or the issuer URL of the provider.
As a workload developer, configure your workload to use a Snowflake driver. Drivers send the attestation to Snowflake for verification.
To view end-to-end examples of this workflow for different types of workloads and IdPs, see Getting started.
Access control requirements¶
To configure workload identity federation for a Snowflake service user (a user with the TYPE property set to SERVICE), you must grant your activated roles one of the following privileges:
OWNERSHIP on the service user.
MODIFY PROGRAMMATIC AUTHENTICATION METHODS on the service user.
Supported Snowflake drivers¶
A workload uses a Snowflake driver to send an attestation when it connects to Snowflake. The following drivers support workload identity federation:
Driver | Minimum version
---|---
[driver name not recovered from page] | v1.16.0
[driver name not recovered from page] | v3.26.0
[driver name not recovered from page] | v4.8.0
[driver name not recovered from page] | v2.2.0
[driver name not recovered from page] | v3.11.0
[driver name not recovered from page] | v3.17.0
Hardening your security posture¶
You can use an authentication policy to control which Snowflake service users can authenticate with workload identity federation. You can also create and set the authentication policy so that a workload can authenticate only if it uses a specified identity provider, or an account within that provider.
For example, the following authentication policy allows a workload to authenticate only if it uses Microsoft Entra ID as its provider and the issuer of the attestation is the Microsoft Entra ID tenant with the issuer URL https://login.microsoftonline.com/9ebd1ec9-9a78-4429-8f53-5cf870a812d1/v2.0 (tenant ID 9ebd1ec9-9a78-4429-8f53-5cf870a812d1):
-- Restrict workload identity federation to a single Entra ID tenant
CREATE AUTHENTICATION POLICY workload_policy
  WORKLOAD_IDENTITY_POLICY = (
    ALLOWED_PROVIDERS = (AZURE)
    ALLOWED_AZURE_ISSUERS = ('https://login.microsoftonline.com/9ebd1ec9-9a78-4429-8f53-5cf870a812d1/v2.0')
  );
For more information about the WORKLOAD_IDENTITY_POLICY parameter, see CREATE AUTHENTICATION POLICY.
For more information about setting an authentication policy so it is enforced, see Setting an authentication policy on an account or user.
Getting started¶
Authenticate to Snowflake by using AWS IAM roles and a Snowflake Python driver¶
Configure AWS¶
To configure your AWS service to use AWS IAM as its identity provider, attach an IAM role. For more information, see the AWS documentation that corresponds to your workload.
For Amazon EC2, see Attach an IAM role to an instance.
For AWS Lambda, see Defining Lambda function permissions with an execution role.
Configure Snowflake¶
To configure Snowflake, create a Snowflake service user (a user of type SERVICE) that uses workload identity federation to authenticate with Snowflake.
Before you begin
To successfully configure Snowflake, you must have the Amazon Resource Name (ARN) that uniquely identifies the AWS user or role associated with the instance authenticating to Snowflake. To obtain the ARN of an IAM role, complete the following steps:
Sign in to the AWS Console, and then navigate to the IAM Dashboard.
In the left-hand navigation, select Roles.
Select the name of the role that you attached to your AWS instance.
In the Summary section, find the ARN, and then select the Copy icon.
Snowflake accepts the following forms of IAM identifiers:
arn:aws:iam::account:user/user_name_with_path
arn:aws:iam::account:role/role_name_with_path
arn:aws:sts::account:assumed_role/role_name/role_session_name
To create a service user for your workload:
Sign in to Snowsight.
To open the list of worksheets, select Projects » Worksheets.
To open a new SQL worksheet, select +.
To create a service user that uses workload identity federation to authenticate with Snowflake, run a CREATE USER statement in the worksheet:
-- Service user whose identity is the AWS IAM principal identified by the ARN
CREATE USER <username>
  WORKLOAD_IDENTITY = (
    TYPE = AWS
    ARN = '<amazon_resource_identifier>'
  )
  TYPE = SERVICE
  DEFAULT_ROLE = PUBLIC;
Where ARN is the value you obtained before starting these steps.
Configure your workload to use a Snowflake driver¶
Note
You can configure your workload to use any Snowflake driver that supports workload identity federation. For the complete list, see Supported Snowflake drivers.
If your workload needs a Python driver, complete the following steps:
In your Python application code, add the following source code:
import snowflake.connector

# No password or key is supplied: the driver obtains the AWS attestation
# from the instance's IAM role and presents it to Snowflake.
conn = snowflake.connector.connect(
    account='<snowflake_account>',
    authenticator='WORKLOAD_IDENTITY',
    workload_identity_provider='AWS',
)
Run your Python application. It authenticates to Snowflake using workload identity federation.
Authenticate to Snowflake using Microsoft Entra ID and a Snowflake Python driver¶
Complete the steps in each section listed below to use workload identity federation to authenticate to Snowflake from Microsoft Entra ID:
Configure Microsoft Entra ID¶
A Microsoft Entra ID tenant administrator must complete the following steps to allow usage of Snowflake workload identity. These steps only need to be performed once per Microsoft Entra ID tenant:
Log into Microsoft Azure portal.
Ensure you have Azure tenant admin privileges.
Consent to installing the multi-tenant Snowflake EntraID app by visiting the consent URI.
The multi-tenant Snowflake EntraID app is publisher-verified, and represents Snowflake as a resource. The app is used as the audience for the access token when authenticating to Snowflake. This app only requires basic permissions and is non-privileged.
Select Accept to give permissions to the Snowflake EntraID app.
Configure Microsoft Azure¶
Complete the following steps to configure your Microsoft Azure service to use workload identity federation:
Log into Microsoft Azure portal.
Select your workload, such as a virtual machine or an app service.
In the sidebar, navigate to Security » Identity.
Enable a managed identity for an Azure VM or an Azure Function.
Save the Object (Principal) ID for a later step.
Configure Snowflake¶
To configure Snowflake, create a Snowflake service user (a user of type SERVICE) that uses workload identity federation to authenticate with Snowflake.
Before you begin
To successfully configure Snowflake, you need the following information:
The case-sensitive Object ID (Principal ID) of the managed identity you enabled in the previous step. You can use the Azure Portal to copy this identifier from the Identity page for your Azure VM or function.
Your Microsoft Entra tenant ID. You use this value to construct the Authority URL.
To obtain the tenant ID by using the Microsoft Entra Console, see How to find your Microsoft Entra tenant ID.
To obtain the tenant ID by using PowerShell, run the following commands:
Connect-AzAccount
Get-AzTenant
To create a service user for your workload:
Sign in to Snowsight.
To open the list of worksheets, select Projects » Worksheets.
To open a new SQL worksheet, select +.
To create a service user that uses workload identity federation to authenticate with Snowflake, run a CREATE USER statement in the worksheet:
-- Service user bound to one managed identity in one Entra ID tenant
CREATE USER <username>
  WORKLOAD_IDENTITY = (
    TYPE = AZURE
    ISSUER = 'https://login.microsoftonline.com/<tenant_id>/v2.0'
    SUBJECT = '<managed_identity_object_id>'
  )
  TYPE = SERVICE
  DEFAULT_ROLE = PUBLIC;
Where ISSUER and SUBJECT are the values that you obtained before starting these steps.
Configure your workload to use a Snowflake driver¶
Note
You can configure your workload to use any Snowflake driver that supports workload identity federation. For the complete list, see Supported Snowflake drivers.
If your workload needs a Python driver, complete the following steps:
In your Python application code, add the following source code:
import snowflake.connector

# The driver requests a token for the Snowflake audience from the
# managed identity endpoint and presents it to Snowflake.
conn = snowflake.connector.connect(
    account='<snowflake_account>',
    authenticator='WORKLOAD_IDENTITY',
    workload_identity_provider='AZURE',
)
Run your Python application. It authenticates to Snowflake using workload identity federation.
Note
As the workload developer, you might need to set an environment variable related to the managed identity that your workload administrator enabled. If your administrator enabled a user-assigned managed identity rather than a system-assigned one, you must set the MANAGED_IDENTITY_CLIENT_ID environment variable to the client ID of the managed identity that you want to use for authenticating to Snowflake.
Authenticate to Snowflake by using Google Cloud and a Snowflake Python driver¶
Configure Google Cloud¶
To configure your service to use Google Cloud as its identity provider, attach a service account to your GCE or Cloud Run instance.
Configure Snowflake¶
To configure Snowflake, create a Snowflake service user (a user of type SERVICE) that uses workload identity federation to authenticate with Snowflake.
Before you begin
To successfully configure Snowflake, you must have the value of the service account's uniqueId property. To obtain this unique ID, use the Google Cloud CLI to run the following command:
gcloud iam service-accounts describe "<SERVICE_ACCOUNT_EMAIL_ADDRESS>" --format="value(uniqueId)"
To create a service user for your workload:
Sign in to Snowsight.
To open the list of worksheets, select Projects » Worksheets.
To open a new SQL worksheet, select +.
To create a service user that uses workload identity federation to authenticate with Snowflake, run a CREATE USER statement in the worksheet:
-- Service user bound to one Google Cloud service account by its unique ID
CREATE USER <username>
  WORKLOAD_IDENTITY = (
    TYPE = GCP
    SUBJECT = '<unique_id_of_service_account>'
  )
  TYPE = SERVICE
  DEFAULT_ROLE = PUBLIC;
Where SUBJECT is the value that you obtained before starting these steps.
Configure your workload to use a Snowflake driver¶
Note
You can configure your workload to use any Snowflake driver that supports workload identity federation. For the complete list, see Supported Snowflake drivers.
If your workload needs a Python driver, complete the following steps:
In your Python application code, add the following source code:
import snowflake.connector

# The driver obtains an identity token for the attached service account
# from the metadata server and presents it to Snowflake.
conn = snowflake.connector.connect(
    account='<snowflake_account>',
    authenticator='WORKLOAD_IDENTITY',
    workload_identity_provider='GCP',
)
Run your Python application. It authenticates to Snowflake using workload identity federation.
Authenticate to Snowflake using OpenID Connect (OIDC) issuer from Elastic Kubernetes Service (EKS)¶
Complete the steps in each section listed below to use workload identity federation to authenticate to Snowflake from Elastic Kubernetes Service (EKS):
Configure EKS¶
Configure EKS to issue ID tokens that are compatible with Snowflake.
Configure your pod deployment YAML to include a projected ServiceAccount token volume.
Configure the ID tokens to contain an audience claim with snowflakecomputing.com. The following is an example of a YAML configuration with the proper audience:
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - image: nginx
    name: nginx
    volumeMounts:
    # The projected token is mounted at /var/run/secrets/tokens/snowflake-token
    - mountPath: /var/run/secrets/tokens
      name: snowflake-token
  serviceAccountName: build-robot
  volumes:
  - name: snowflake-token
    projected:
      sources:
      - serviceAccountToken:
          path: snowflake-token
          expirationSeconds: 7200
          # Audience Snowflake expects in the aud claim
          audience: snowflakecomputing.com
Configure Snowflake¶
To configure Snowflake, create a Snowflake service user (a user of type SERVICE) that uses workload identity federation to authenticate with Snowflake.
Before you begin
To successfully configure Snowflake, you need the following information:
The issuer URL of the OIDC provider that is generating the ID token for the Kubernetes service account. To obtain this issuer URL, you can perform either of the following tasks:
Navigate to the Overview tab of your cluster, and copy the value in the OpenID Connect provider URL field.
Run the following command with access to the API server endpoint:
aws eks describe-cluster --name <cluster_name> --query "cluster.identity.oidc.issuer" --output text
The namespace and name of the Kubernetes service account. You use this information to construct the subject of the ID token issued by the OIDC provider.
To create a service user for your workload:
Sign in to Snowsight.
To open the list of worksheets, select Projects » Worksheets.
To open a new SQL worksheet, select +.
To create a service user that uses workload identity federation to authenticate with Snowflake, run a CREATE USER statement in the worksheet:
-- Service user bound to one Kubernetes service account via the EKS OIDC issuer
CREATE USER my_eks_service
  WORKLOAD_IDENTITY = (
    TYPE = OIDC
    ISSUER = 'https://oidc.eks.<region>.amazonaws.com/id/<issuer_id>'
    SUBJECT = 'system:serviceaccount:<service_account_namespace>:<service_account_name>'
  )
  TYPE = SERVICE;
Where ISSUER and SUBJECT are the values that you obtained before starting these steps.
Configure your workload to use a Snowflake driver¶
Note
You can configure your workload to use any Snowflake driver that supports workload identity federation. For the complete list, see Supported Snowflake drivers.
If your workload needs a Python driver, complete the following steps:
In your Python application code, add the following source code:
import snowflake.connector

# The driver reads the projected service account token from the file
# and presents it to Snowflake as the OIDC attestation.
conn = snowflake.connector.connect(
    account='<snowflake_account>',
    authenticator='WORKLOAD_IDENTITY',
    workload_identity_provider='OIDC',
    token_file_path='<service_account_token_path>',
)
Where service_account_token_path is the path of the token you configured in the Configure EKS step. Based on the YAML example in that step, the token path would be /var/run/secrets/tokens/snowflake-token.
Run your Python application. It authenticates to Snowflake using workload identity federation.
Authenticate to Snowflake using an OpenID Connect (OIDC) issuer from Azure Kubernetes Service (AKS)¶
Complete the steps in each section listed below to use workload identity federation to authenticate to Snowflake from Azure Kubernetes Service (AKS):
Configure AKS¶
Configure AKS to issue ID tokens that are compatible with Snowflake:
Configure your pod deployment YAML to include a projected ServiceAccount token volume.
Configure the ID tokens to contain an audience claim with snowflakecomputing.com. The following is an example of a YAML configuration with the proper audience:
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - image: nginx
    name: nginx
    volumeMounts:
    # The projected token is mounted at /var/run/secrets/tokens/snowflake-token
    - mountPath: /var/run/secrets/tokens
      name: snowflake-token
  serviceAccountName: build-robot
  volumes:
  - name: snowflake-token
    projected:
      sources:
      - serviceAccountToken:
          path: snowflake-token
          expirationSeconds: 7200
          # Audience Snowflake expects in the aud claim
          audience: snowflakecomputing.com
Configure Snowflake¶
To configure Snowflake, create a Snowflake service user (a user of type SERVICE) that uses workload identity federation to authenticate with Snowflake.
Before you begin
To successfully configure Snowflake, you need the following information:
The issuer URL of the OIDC provider that is generating the ID token for the Kubernetes service account. To obtain this issuer URL, see the Microsoft documentation.
The namespace and name of the Kubernetes service account. You use this information to construct the subject of the ID token issued by the OIDC provider.
To create a service user for your workload:
Sign in to Snowsight.
To open the list of worksheets, select Projects » Worksheets.
To open a new SQL worksheet, select +.
To create a service user that uses workload identity federation to authenticate with Snowflake, run a CREATE USER statement in the worksheet:
-- Service user bound to one Kubernetes service account via the AKS OIDC issuer
CREATE USER my_aks_service
  WORKLOAD_IDENTITY = (
    TYPE = OIDC
    ISSUER = 'https://<region>.oic.prod-aks.azure.com/<tenant_id>/<uuid>/'
    SUBJECT = 'system:serviceaccount:<service_account_namespace>:<service_account_name>'
  )
  TYPE = SERVICE;
Where ISSUER and SUBJECT are the values that you obtained before starting these steps.
Configure your workload to use a Snowflake driver¶
Note
You can configure your workload to use any Snowflake driver that supports workload identity federation. For the complete list, see Supported Snowflake drivers.
If your workload needs a Python driver, complete the following steps:
In your Python application code, add the following source code:
import snowflake.connector

# The driver reads the projected service account token from the file
# and presents it to Snowflake as the OIDC attestation.
conn = snowflake.connector.connect(
    account='<snowflake_account>',
    authenticator='WORKLOAD_IDENTITY',
    workload_identity_provider='OIDC',
    token_file_path='<service_account_token_path>',
)
Where service_account_token_path is the path of the token you configured in the Configure AKS step. Based on the YAML example in that step, the token path would be /var/run/secrets/tokens/snowflake-token.
Run your Python application. It authenticates to Snowflake using workload identity federation.
Authenticate to Snowflake using an OpenID Connect (OIDC) issuer from Google Kubernetes Engine (GKE)¶
Complete the steps in each section listed below to use workload identity federation to authenticate to Snowflake from Google Kubernetes Engine (GKE):
Configure GKE¶
Configure GKE to issue ID tokens that are compatible with Snowflake.
Configure your pod deployment YAML to include a projected ServiceAccount token volume.
Configure the ID tokens to contain an audience claim with snowflakecomputing.com. The following is an example of a YAML configuration with the proper audience:
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - image: nginx
    name: nginx
    volumeMounts:
    # The projected token is mounted at /var/run/secrets/tokens/snowflake-token
    - mountPath: /var/run/secrets/tokens
      name: snowflake-token
  serviceAccountName: build-robot
  volumes:
  - name: snowflake-token
    projected:
      sources:
      - serviceAccountToken:
          path: snowflake-token
          expirationSeconds: 7200
          # Audience Snowflake expects in the aud claim
          audience: snowflakecomputing.com
Configure Snowflake¶
To configure Snowflake, create a Snowflake service user (a user of type SERVICE) that uses workload identity federation to authenticate with Snowflake.
Before you begin
To successfully configure Snowflake, you need the following information:
The Google Cloud project ID, region of the cluster, and cluster name. You use this information to construct the OIDC issuer.
The namespace and name of the Kubernetes service account. You use this information to construct the subject of the ID token issued by the OIDC provider.
To create a service user for your workload:
Sign in to Snowsight.
To open the list of worksheets, select Projects » Worksheets.
To open a new SQL worksheet, select +.
To create a service user that uses workload identity federation to authenticate with Snowflake, run a CREATE USER statement in the worksheet:
-- Service user bound to one Kubernetes service account via the GKE OIDC issuer
CREATE USER my_gke_service
  WORKLOAD_IDENTITY = (
    TYPE = OIDC
    ISSUER = 'https://container.googleapis.com/v1/projects/<project_id>/locations/<region>/clusters/<cluster_name>'
    SUBJECT = 'system:serviceaccount:<service_account_namespace>:<service_account_name>'
  )
  TYPE = SERVICE;
Where ISSUER and SUBJECT are the values that you obtained before starting these steps.
Configure your workload to use a Snowflake driver¶
Note
You can configure your workload to use any Snowflake driver that supports workload identity federation. For the complete list, see Supported Snowflake drivers.
If your workload needs a Python driver, complete the following steps:
In your Python application code, add the following source code:
import snowflake.connector

# The driver reads the projected service account token from the file
# and presents it to Snowflake as the OIDC attestation.
conn = snowflake.connector.connect(
    account='<snowflake_account>',
    authenticator='WORKLOAD_IDENTITY',
    workload_identity_provider='OIDC',
    token_file_path='<service_account_token_path>',
)
Where service_account_token_path is the path of the token you configured in the Configure GKE step. Based on the YAML example in that step, the token path would be /var/run/secrets/tokens/snowflake-token.
Run your Python application. It authenticates to Snowflake using workload identity federation.
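A local preflight check for the projected token used in the EKS, AKS and GKE procedures above, added here as an example that is not part of Snowflake's documentation or driver: it decodes the token's claims (without verifying the signature, which Snowflake does against the issuer's JWKS) and reports every mismatch with the ISSUER, SUBJECT and audience that the service user was created with, so a failed login can be traced to the YAML or the CREATE USER statement before the driver is involved. The issuer URL, the default namespace for the build-robot service account and the sample tokens are constructed assumptions.

```python
import base64
import json
import time
from typing import Dict, List, Optional

# Audience the page's YAML example projects into the token.
EXPECTED_AUDIENCE = "snowflakecomputing.com"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT without verifying its signature.

    Signature verification is Snowflake's job; this only surfaces
    misconfiguration locally, so never trust these claims for authorization.
    """
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_projected_token(token: str, expected_issuer: str, namespace: str,
                          service_account: str, now: Optional[float] = None) -> List[str]:
    """Compare the token's claims with the service user's ISSUER/SUBJECT and the audience.

    Returns human-readable mismatches; an empty list means the token lines up.
    """
    now = time.time() if now is None else now
    claims = decode_claims(token)
    problems = []
    expected_subject = f"system:serviceaccount:{namespace}:{service_account}"
    if claims.get("iss") != expected_issuer:
        problems.append(f"iss is {claims.get('iss')!r}, ISSUER is {expected_issuer!r}")
    if claims.get("sub") != expected_subject:
        problems.append(f"sub is {claims.get('sub')!r}, SUBJECT is {expected_subject!r}")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if EXPECTED_AUDIENCE not in aud:
        problems.append(f"aud {aud!r} lacks {EXPECTED_AUDIENCE!r}; check serviceAccountToken.audience")
    if "exp" not in claims or claims["exp"] <= now:
        problems.append("token is expired or has no exp claim; the projected volume should refresh it")
    return problems


def _make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT for the offline demo (Snowflake would reject it)."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


def sample_tokens(issuer: str, now: float) -> Dict[str, str]:
    """Constructed samples: one matching the page's YAML and CREATE USER pair, one with the wrong audience."""
    good = {"iss": issuer, "sub": "system:serviceaccount:default:build-robot",
            "aud": [EXPECTED_AUDIENCE], "iat": int(now), "exp": int(now) + 7200}
    wrong = dict(good, aud=["https://kubernetes.default.svc"])  # default SA token audience
    return {"good": _make_unsigned_token(good), "wrong_audience": _make_unsigned_token(wrong)}


if __name__ == "__main__":
    issuer = "https://oidc.eks.us-east-1.amazonaws.com/id/EXAMPLEISSUERID"  # constructed placeholder
    for name, tok in sample_tokens(issuer, time.time()).items():
        print(name, check_projected_token(tok, issuer, "default", "build-robot") or "OK")
```

On a real pod, read the token from the mounted path (/var/run/secrets/tokens/snowflake-token in the page's YAML) and pass the ISSUER and SUBJECT values from your CREATE USER statement.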
Limitations and considerations¶
The discovery and JWK endpoints of an OIDC provider must be publicly accessible.
Azure workloads can’t be located in Azure sovereign clouds, such as Azure China and Azure US Gov. This limitation isn’t related to the Snowflake region of your account.