Authenticate with Snowflake PKI

Snowflake allows you to use Public Key Infrastructure (PKI) authentication to secure communications and authenticate entities within its ecosystem.

PKI authentication can refer to JWT or key pair authentication. You'll need to follow the steps in this article to implement either of these.

Note: By November 2025, Snowflake will require token-based authentication.

As of 4.32.0: Enhanced Snowflake PKI authentication properties now support multiple configuration methods, including CLI arguments, environment variables, flow files, and JAVA_OPTS.

Before you begin

Connect Liquibase to Snowflake
Set up key-pair authentication — You must generate keys for PKI authentication requires generating keys. Follow Snowflake's Configuring key-pair authentication instructions.
(If you are using an encrypted key) Set the following JAVA_OPTS variable. See How to configure Liquibase to connect to Snowflake using a Private Key for more information. export JAVA_OPTS='-Dnet.snowflake.jdbc.enableBouncyCastle=true

Procedure

In the liquibase.properties file, add your private key information under the liquibase.snowflake.auth.type section.

Choose one of the configuration methods below based on your deployment environment.

Be sure to:

Set the auth type to PKI.
Set your_path to the path to your private key file (use absolute paths to avoid path resolution issues).
Set your_passphrase to the passphrase associated with your encrypted private key.

liquibase.snowflake.auth.type=PKI
liquibase.snowflake.auth.privateKeyPath=your_path
liquibase.snowflake.auth.privateKeyPassphrase=your_passphrase

liquibase.snowflake.auth.type=PKI
liquibase.snowflake.auth.privateKeyPath=your_path
liquibase.snowflake.auth.privateKeyPassphrase=your_passphrase

Test your configuration

Once you've configured PKI authentication, you can verify authentication with debug logging.

liquibase --log-level=DEBUG status 2>&1 | grep -i "snowflake\|auth\|pki\|key"

[FINE] Found 'liquibase.snowflake.auth.type' configuration of 'PKI [FINE] Found 'liquibase.snowflake.auth.privateKeyPath' configuration of 'your_path [FINE] Found 'liquibase.snowflake.auth.privateKeyPassphrase' configuration of 'your_passphrase' [INFO] Attempting PKI connection to Snowflake with URL: jdbc:snowflake://... [FINE] Connected to username@jdbc:snowflake://...