A community-maintained Vault plugin for Snowflake that generates ephemeral Database User credentials via the HashiCorp Vault Database Secrets Engine.
Note: Community fork of hashicorp/vault-plugin-database-snowflake. Requires Vault 1.6+.
⚠️ Snowflake is deprecating password authentication after November 2025. Migrate service account connections and dynamic roles to key-pair auth before that date.
File issues at Snowflake-Labs/snowflake-vault/issues.
Four methods are supported. Set exactly one per connection config.

| Method | Field(s) | When to use |
|---|---|---|
| Key-pair | `private_key` | Recommended default |
| WIF | `workload_identity_provider` | Cloud-native environments (AWS/GCP/Azure/OIDC) |
| OAuth 2.0 | `oauth_client_id` + `oauth_client_secret` + `oauth_token_endpoint` | External IdP |
| Password | `password` | Deprecated — removed Nov 2025 |
Assign your public key to the Snowflake user first:

```sql
ALTER USER "VAULT-SERVICE-USER" SET RSA_PUBLIC_KEY='<base64-public-key>';
```

Key-pair configuration:

```shell
vault write database/config/my-snowflake \
    plugin_name=vault-plugin-database-snowflake \
    connection_url="<account>.snowflakecomputing.com/<database>" \
    username="VAULT-SERVICE-USER" \
    private_key=@/path/to/rsa_key_pkcs8.pem \
    allowed_roles="*"
```

WIF configuration:

```shell
# workload_identity_provider: AWS | GCP | AZURE | OIDC
vault write database/config/my-snowflake \
    plugin_name=vault-plugin-database-snowflake \
    connection_url="<account>.snowflakecomputing.com/<database>" \
    username="VAULT-SERVICE-USER" \
    workload_identity_provider="AWS" \
    allowed_roles="*"
```

OIDC requires an explicit token: `workload_identity_token="<jwt>"`.
Azure supports an optional `workload_identity_entra_resource="<url>"`.
OAuth 2.0 configuration:

```shell
# oauth_scope is optional
vault write database/config/my-snowflake \
    plugin_name=vault-plugin-database-snowflake \
    connection_url="<account>.snowflakecomputing.com/<database>" \
    username="VAULT-SERVICE-USER" \
    oauth_client_id="<client-id>" \
    oauth_client_secret="<client-secret>" \
    oauth_token_endpoint="https://<your-idp>/oauth/token" \
    oauth_scope="session:role:SYSADMIN" \
    allowed_roles="*"
```

Set `credential_type` on the role to control what Vault issues to callers.
| Type | Vault returns | Snowflake auth | Status |
|---|---|---|---|
| `rsa_private_key` | Private key | Key-pair | Recommended |
| `password` | Password | Password | Deprecated Nov 2025 |
Vault generates a fresh key pair per request. The public key is written to Snowflake at user creation; the private key is returned to the caller.
```shell
vault write database/roles/my-role \
    db_name=my-snowflake \
    credential_type=rsa_private_key \
    creation_statements="CREATE USER {{name}} LOGIN_NAME='{{name}}' DEFAULT_ROLE='PUBLIC' RSA_PUBLIC_KEY='{{public_key}}' DAYS_TO_EXPIRY=1; GRANT ROLE PUBLIC TO USER {{name}};" \
    default_ttl=1h \
    max_ttl=24h
```

```shell
vault read database/creds/my-role
# Key                Value
# rsa_private_key    ***REMOVED***...
# username           v_token_my_role_xxxx_1234567890
```

Password credentials (deprecated):

```shell
vault write database/roles/my-role \
    db_name=my-snowflake \
    creation_statements="CREATE USER {{name}} PASSWORD='{{password}}' LOGIN_NAME='{{name}}' DEFAULT_ROLE='PUBLIC' DAYS_TO_EXPIRY=1; GRANT ROLE PUBLIC TO USER {{name}};" \
    default_ttl=1h \
    max_ttl=24h
```

Snowflake Cortex provides serverless LLM functions (COMPLETE, SUMMARIZE, SENTIMENT, TRANSLATE, EMBED_TEXT_*) and the Cortex CLI for AI-powered SQL and agent workflows.
Set cortex_access=true to automatically grant SNOWFLAKE.CORTEX_USER to every dynamic user created via this connection. This saves you from adding the grant to each role's creation_statements.
```shell
vault write database/config/my-snowflake \
    plugin_name=vault-plugin-database-snowflake \
    connection_url="<account>.snowflakecomputing.com/<database>" \
    username="VAULT-SERVICE-USER" \
    private_key=@/path/to/rsa_key_pkcs8.pem \
    cortex_access=true \
    allowed_roles="*"
```

Use `credential_type=rsa_private_key` — key-pair is the recommended auth method for Cortex CLI and API integrations.
```shell
vault write database/roles/cortex-role \
    db_name=my-snowflake \
    credential_type=rsa_private_key \
    creation_statements="
        CREATE USER \"{{name}}\"
            LOGIN_NAME='{{name}}'
            RSA_PUBLIC_KEY='{{public_key}}'
            DEFAULT_ROLE='PUBLIC'
            DAYS_TO_EXPIRY={{expiration}}
            COMMENT='Vault-managed Cortex user';
        GRANT ROLE PUBLIC TO USER \"{{name}}\";
    " \
    default_ttl=8h \
    max_ttl=24h
```

The `SNOWFLAKE.CORTEX_USER` grant is appended automatically because `cortex_access=true`. You do not need to include it in `creation_statements`.
```shell
# Retrieve a short-lived key pair
vault read database/creds/cortex-role
# Key                Value
# rsa_private_key    -----BEGIN RSA PRIVATE KEY-----...
# username           v_token_cortex_role_xxxx_1234567890

# Save the private key and connect via Cortex CLI
vault read -field=rsa_private_key database/creds/cortex-role > /tmp/cortex_key.pem
snow cortex complete --query "Explain Snowflake clustering in one sentence" \
    --user <username> \
    --private-key-path /tmp/cortex_key.pem
```

Snowflake Programmatic Access Tokens are Bearer tokens that work with the Cortex CLI and REST API. Unlike password/key-pair credentials, Snowflake generates the token secret — Vault cannot return a Snowflake-generated PAT via the database secrets engine.
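As an added example (not part of the plugin or its README), a wrapper around the Cortex CLI call above that reads `database/creds/cortex-role` once, keeps the private key in a 0600 temp file, and revokes the lease when the call finishes, so the dynamic user is dropped right away instead of at `max_ttl`. Each `vault read` of a creds path mints its own user, so in the snippet above the username printed by the first read does not belong to the key saved by the second. Assumes bash, `jq` and an already-authenticated `vault` CLI; the function names are chosen here.

```shell
#!/usr/bin/env bash
# Added example, not part of the plugin: one Vault read per Cortex CLI call,
# key material confined to a 0600 temp file, lease revoked when the call ends
# so the dynamic Snowflake user is dropped immediately rather than at max_ttl.
# Assumes bash, jq and an already-authenticated `vault` CLI.
set -eu

# Write PEM text from stdin to a mode-0600 temp file and print its path.
# Refuses anything that is not PEM so a Vault error string is never handed
# to the connector as a "key".
write_key_file() {
  local f
  f=$(umask 077 && mktemp "${TMPDIR:-/tmp}/vault_sf_key.XXXXXX")
  cat > "$f"
  chmod 600 "$f"
  if ! head -n 1 "$f" | grep -q '^-----BEGIN'; then
    rm -f "$f"
    echo "write_key_file: input is not a PEM private key" >&2
    return 1
  fi
  printf '%s\n' "$f"
}

# Delete the key file and revoke the lease (revocation is best effort:
# an empty lease id skips it, a failed revoke is reported but not fatal).
cleanup_creds() {
  local key_file=$1 lease_id=$2
  rm -f "$key_file"
  if [ -n "$lease_id" ]; then
    vault lease revoke "$lease_id" >/dev/null || echo "lease revoke failed: $lease_id" >&2
  fi
}

# Usage: cortex_complete_with_vault <vault-role> "<prompt>"
# A single `vault read -format=json` returns username, key and lease_id for
# the same dynamic user; reading twice (as with -field) would mint two users.
cortex_complete_with_vault() {
  local role=$1 prompt=$2 creds user lease key_file
  creds=$(vault read -format=json "database/creds/$role")
  user=$(printf '%s' "$creds" | jq -r '.data.username')
  lease=$(printf '%s' "$creds" | jq -r '.lease_id')
  key_file=$(printf '%s' "$creds" | jq -r '.data.rsa_private_key' | write_key_file)
  # Expand now so the cleanup runs with these values even after the function returns.
  trap "cleanup_creds '$key_file' '$lease'" EXIT
  snow cortex complete --query "$prompt" --user "$user" --private-key-path "$key_file"
}
```

Call it as `cortex_complete_with_vault cortex-role "Explain Snowflake clustering in one sentence"`.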
This plugin ships PAT management helpers (`pat.go`) for use in companion tooling:

| Function | Description |
|---|---|
| `createPATForUser` | Issue a new PAT for an existing Snowflake user |
| `revokePATForUser` | Revoke a named PAT (e.g. on lease expiry) |
| `listPATsForUser` | List all PATs for a user (for audit/rotation) |
For full PAT lifecycle management integrated with Vault leases, see the companion PAT plugin.
A scripted configuration is available via `make configure`:

```shell
PLUGIN_NAME=vault-plugin-database-snowflake \
PLUGIN_DIR=$GOPATH/vault-plugins \
CONNECTION_URL=foo.snowflakecomputing.com/BAR \
PRIVATE_KEY=/path/to/private/key/file \
SNOWFLAKE_USERNAME=user1 \
make configure
```

Set `VAULT_ACC=1` and the following environment variables, then run `make testacc`.
| Variable | Description |
|---|---|
| `SNOWFLAKE_ACCOUNT` | Account identifier (e.g. ec#####.east-us-2.azure) |
| `SNOWFLAKE_USER` | ACCOUNTADMIN-level user for Vault |
| `SNOWFLAKE_PASSWORD` | Password (optional if using key-pair) |
| `SNOWFLAKE_PRIVATE_KEY` | Path to private key file |
| `SNOWFLAKE_DB` | Optional |
| `SNOWFLAKE_SCHEMA` | Optional |
| `SNOWFLAKE_WAREHOUSE` | Optional |