Authenticate with Snowflake PKI
Snowflake allows you to use Public Key Infrastructure (PKI) authentication to secure communications and authenticate entities within its ecosystem.
PKI authentication can refer to JWT or key pair authentication. You'll need to follow the steps in this article to implement either of these.
Note: By November 2025, Snowflake will require token-based authentication.
As of 4.32.0: Enhanced Snowflake PKI authentication properties now support multiple configuration methods, including CLI arguments, environment variables, flow files, and JAVA_OPTS.
Before you begin
Set up key-pair authentication — You must generate keys for PKI authentication requires generating keys. Follow Snowflake's Configuring key-pair authentication instructions.
(If you are using an encrypted key) Set the following JAVA_OPTS variable. See How to configure Liquibase to connect to Snowflake using a Private Key for more information.
export JAVA_OPTS='-Dnet.snowflake.jdbc.enableBouncyCastle=true
Procedure
In the liquibase.properties file, add your private key information under the liquibase.snowflake.auth.type section.
Choose one of the configuration methods below based on your deployment environment.
Be sure to:
Set the auth type to
PKI.Set
your_pathto the path to your private key file (use absolute paths to avoid path resolution issues).Set
your_passphraseto the passphrase associated with your encrypted private key.
liquibase.snowflake.auth.type=PKI
liquibase.snowflake.auth.privateKeyPath=your_path
liquibase.snowflake.auth.privateKeyPassphrase=your_passphraseTest your configuration
Once you've configured PKI authentication, you can verify authentication with debug logging.
liquibase --log-level=DEBUG status 2>&1 | grep -i "snowflake\|auth\|pki\|key"[FINE] Found 'liquibase.snowflake.auth.type' configuration of 'PKI
[FINE] Found 'liquibase.snowflake.auth.privateKeyPath' configuration of 'your_path
[FINE] Found 'liquibase.snowflake.auth.privateKeyPassphrase' configuration of 'your_passphrase'
[INFO] Attempting PKI connection to Snowflake with URL: jdbc:snowflake://...
[FINE] Connected to username@jdbc:snowflake://...