Skip to content

Releases: snowflakedb/snowflake-connector-python

4.7.1

Choose a tag to compare

@snowflake-connectors-app snowflake-connectors-app released this 15 Jul 16:16
af8c392
  • v4.7.1(Jul 15,2026)
    • Added support for Python 3.14t (free-threaded).
      • Note: Python 3.14t CI testing excludes win_arm64 (no cryptography wheels available) and mitmproxy proxy tests on all platforms (transitive dependencies aioquic/pylsqpack lack free-threaded-compatible wheels).
    • Improved verification of TLS connections (SNOW-3675579).
    • Fixed python-connector.log not rotating on Windows, and every record being logged twice, when easy logging is enabled via config.toml (SNOW-3680325).
      • Note: As part of this fix, easy logging no longer calls logging.basicConfig() and therefore no longer configures the root logger. python-connector.log now captures only the snowflake.connector, botocore, and boto3.
    • Improved URL validation reliability by replacing the hand-rolled regex in is_valid_url() with urllib.parse.urlparse (SNOW-3392651).
    • Fixed OAuth infinite loop when tokens expire by ensuring reauthenticate() calls _request_tokens() directly instead of looping through prepare(). Token cache is now read exactly once per connection, and _store_tokens() preserves macOS Keychain ACL by never calling remove(). The async OAuth reauthenticate() now runs the synchronous OAuth flow on a worker thread instead of blocking the event loop.
    • Fixed OAuth scope handling for Snowflake custom OAuth: when refresh tokens are enabled, the connector no longer appends the OIDC offline_access scope for token endpoints on *.snowflakecomputing.com or *.snowflakecomputing.cn, which caused invalid_scope errors. Snowflake custom OAuth expects refresh_token in scope instead. External IdP behavior is unchanged.
    • Fixed input validation for scale metadata in Arrow result set processing for TIME, TIMESTAMP_NTZ, TIMESTAMP_LTZ, and TIMESTAMP_TZ columns (SNOW-3388299).
    • Fixed S3 storage client to correctly handle 307/308 (method-preserving) and 301/302 (GET/HEAD only) redirects by disabling automatic redirect following and re-signing each request with AWS SigV4 credentials for the redirect target. The region is updated from the x-amz-bucket-region response header on each redirect. Redirects are capped at 5 hops.
    • Added native AKS (Azure Kubernetes Service) workload identity support. When running on AKS with workload identity configured, the connector automatically uses WorkloadIdentityCredential to authenticate via the injected service account credentials. OIDC backward compatibility is also supported.
    • Added the workload_identity_aws_use_outbound_token connection option (default false) to opt into AWS WIF JWT attestation via STS GetWebIdentityToken instead of the default SigV4 GetCallerIdentity method.
    • Fixed a bug where a fully-qualified DDL statement (e.g. CREATE VIEW db.schema.obj) on a session with no current schema would populate the connector's cached _schema/_database from the referenced object's namespace. This made get_current_schema() diverge from the server's CURRENT_SCHEMA() and mis-qualified Snowpark temp objects (SNOW-3665226).

3.18.1

Choose a tag to compare

@snowflake-connectors-app snowflake-connectors-app released this 15 Jul 16:20
  • v3.18.1(July 15,2026)

    • Improved verification of TLS connections (SNOW-3675579).
    • Fixed FIPS environments md5 hash issues with multipart upload on Azure.
    • Fixed a bug where Azure GET commands would incorrectly set the file status to UPLOADED instead of preserving the DOWNLOADED status during metadata retrieval.
  • v3.18.0(October 03,2025)

    • Added support for pandas conversion for Day-time and Year-Month Interval types
  • v3.17.4(September 22,2025)

    • Added support for intermediate certificates as roots when they are stored in the trust store
    • Bumped up vendored urllib3 to 2.5.0 and requests to v2.32.5
  • v3.17.3(September 02,2025)

    • Enhanced configuration file permission warning messages.
      • Improved warning messages for readable permission issues to include clear instructions on how to skip warnings using the SF_SKIP_WARNING_FOR_READ_PERMISSIONS_ON_CONFIG_FILE environment variable.
    • Fixed the bug with staging pandas dataframes on AWS - the regional endpoint is used when required
      • This addresses the issue with create_dataframe call on Snowpark
  • v3.17.2(August 23,2025)

    • Fixed a bug where platform_detection was retrying failed requests with warnings to non-existent endpoints.
    • Added disabling endpoint-based platform detection by setting platform_detection_timeout_seconds to zero.
  • v3.17.1(August 17,2025)

    • Added infer_schema parameter to write_pandas to perform schema inference on the passed data.
    • Namespace snowlake reverted back to non-module.
  • v3.17.0(August 16,2025)

    • Added in-band HTTP exception telemetry.
    • Added an unsafe_skip_file_permissions_check flag to skip file permission checks on the cache and configuration.
    • Added APPLICATION_PATH within CLIENT_ENVIRONMENT to distinguish between multiple scripts using the Python Connector in the same environment.
    • Added basic JSON support for Interval types.
    • Added in-band OCSP exception telemetry.
    • Added support for new authentication methods with Workload Identity Federation (WIF).
      • Added the WORKLOAD_IDENTITY value for the authenticator type.
      • Added the workload_identity_provider and workload_identity_entra_resource parameters.
    • Added support for the use_vectorized_scanner parameter in the write_pandas function.
    • Added support of proxy setup using connection parameters without emitting environment variables.
    • Added populating of type_code in ResultMetadata for interval types.
    • Introduced the snowflake_version property to the connection.
    • Moved OAUTH_TYPE to CLIENT_ENVIROMENT.
    • Relaxed the pyarrow version constrain; versions >= 19 can now be used.
    • Disabled token caching for OAuth Client Credentials authentication.
    • Fixed OAuth authenticator values.
    • Fixed a bug where a PAT with an external session authenticator was used while external_session_id was not provided in SnowflakeRestful.fetch.
    • Fixed the case-sensitivity of Oauth and programmatic_access_token authenticator values.
    • Fixed unclear error messages for incorrect authenticator values.
    • Fixed GCS staging by ensuring the endpoint has a scheme.
    • Fixed a bug where time-zoned timestamps fetched as a pandas.DataFrame or pyarrow.Table would overflow due to unnecessary precision. A clear error will now be raised if an overflow cannot be prevented.
  • v3.16.0(July 04,2025)

    • Bumped numpy dependency from <2.1.0 to <=2.2.4.
    • Added Windows support for Python 3.13.
    • Added bulk_upload_chunks parameter to write_pandas function. Setting this parameter to True changes the behaviour of write_pandas function to first write all the data chunks to the local disk and then perform the wildcard upload of the chunks folder to the stage. In default behaviour the chunks are being saved, uploaded and deleted one by one.
    • Added support for new authentication mechanism PAT with external session ID.
    • Added client_fetch_use_mp parameter that enables multiprocessed fetching of result batches.
    • Added basic arrow support for Interval types.
    • Fixed write_pandas special characters usage in the location name.
    • Fixed usage of use_virtual_url when building the location for gcs storage client.
    • Added support for Snowflake OAuth for local applications.
  • v3.15.0(Apr 29,2025)

    • Bumped up min boto and botocore version to 1.24.
    • OCSP: terminate certificates chain traversal if a trusted certificate already reached.
    • Added new authentication methods support for programmatic access tokens (PATs), OAuth 2.0 Authorization Code Flow, OAuth 2.0 Client Credentials Flow, and OAuth Token caching.
      • For OAuth 2.0 Authorization Code Flow:
        • Added the oauth_client_id, oauth_client_secret, oauth_authorization_url, oauth_token_request_url, oauth_redirect_uri, oauth_scope, oauth_disable_pkce, oauth_enable_refresh_tokens and oauth_enable_single_use_refresh_tokens parameters.
        • Added the OAUTH_AUTHORIZATION_CODE value for the parameter authenticator.
      • For OAuth 2.0 Client Credentials Flow:
        • Added the oauth_client_id, oauth_client_secret, oauth_token_request_url, and oauth_scope parameters.
        • Added the OAUTH_CLIENT_CREDENTIALS value for the parameter authenticator.
      • For OAuth Token caching: Passing a username to driver configuration is required, and the client_store_temporary_credential property is to be set to true.
  • v3.14.1(April 21, 2025)

    • Added support for Python 3.13.
      • NOTE: Windows 64 support is still experimental and should not yet be used for production environments.
    • Dropped support for Python 3.8.
    • Added basic decimal floating-point type support.
    • Added experimental authentication methods.
    • Added support of GCS regional endpoints.
    • Added support of GCS virtual urls. See more: https://cloud.google.com/storage/docs/request-endpoints#xml-api
    • Added client_fetch_threads experimental parameter to better utilize threads for fetching query results.
    • Added check_arrow_conversion_error_on_every_column connection property that can be set to False to restore previous behaviour in which driver will ignore errors until it occurs in the last column. This flag's purpose is to unblock workflows that may be impacted by the bugfix and will be removed in later releases.
    • Lowered log levels from info to debug for some of the messages to make the output easier to follow.
    • Allowed the connector to inherit a UUID4 generated upstream, provided in statement parameters (field: requestId), rather than automatically generate a UUID4 to use for the HTTP Request ID.
    • Improved logging in urllib3, boto3, botocore - assured data masking even after migration to the external owned library in the future.
    • Improved error message for client-side query cancellations due to timeouts.
    • Improved security and robustness for the temporary credentials cache storage.
    • Fixed a bug that caused driver to fail silently on TO_DATE arrow to python conversion when invalid date was followed by the correct one.
    • Fixed expired S3 credentials update and increment retry when expired credentials are found.
    • Deprecated insecure_mode connection property and replaced it with disable_ocsp_checks with the same behavior as the former property.
  • v3.14.0(March 03, 2025)

    • Bumped pyOpenSSL dependency upper boundary from <25.0.0 to <26.0.0.
    • Added a <19.0.0 pin to pyarrow as a workaround to a bug affecting Azure Batch.
    • Optimized distribution package lookup to speed up import.
    • Fixed a bug where privatelink OCSP Cache url could not be determined if privatelink account name was specified in uppercase.
    • Added support for iceberg tables to write_pandas.
    • Fixed base64 encoded private key tests.
    • Fixed a bug where file permission check happened on Windows.
    • Added support for File types.
    • Added unsafe_file_write connection parameter that restores the previous behaviour of saving files downloaded with GET with 644 permissions.
  • v3.13.2(January 29, 2025)

    • Changed not to use scoped temporary objects.
  • v3.13.1(January 29, 2025)

    • Remedied SQL injection vulnerability in snowflake.connector.pandas_tools.write_pandas. See more GHSA-2vpq-fh52-j3wv
    • Remedied vulnerability in deserialization of the OCSP response cache. See more: GHSA-m4f6-vcj4-w5mx
    • Remedied vulnerability connected to cache files permissions. See more: GHSA-r2x6-cjg7-8r43
  • v3.13.0(January 23,2025)

    • Added a feature to limit the sizes of IO-bound ThreadPoolExecutors during PUT and GET commands.
    • Updated README.md to include instructions on how to verify package signatures using cosign.
    • Updated the log level for cursor's chunk rowcount from INFO to DEBUG.
    • Added a feature to verify if the connection is still good enough to send queries over.
    • Added support for base64-encoded DER private key strings in the private_key authentication type.
  • v3.12.4(December 3,2024)

    • Fixed a bug where multipart uploads to Azure would be missing their MD5 hashes.
    • Fixed a bug where OpenTelemetry header injection would sometimes cause Exceptions to be thrown.
    • Fixed a bug where OCSP checks would throw TypeError and make mainly GCP blob storage unreachable.
    • Bumped pyOpenSSL dependency from >=16.2.0,<25.0.0 to >=22.0.0,<25.0.0.
  • v3.12.3(October 25,2024)

    • Improved the error message for SSL-related issues to provide clearer guidance when an SSL error occurs.
    • Improved error message for SQL execution cancellations caused by timeout.
  • v3.12.2(September 11,2024)

    • Improved error handling for asynchronous queries, providing more detailed and informative error messages when an async query fails.
    • Improved inference of top-lev...
Read more

4.7.0

Choose a tag to compare

@snowflake-connectors-app snowflake-connectors-app released this 02 Jul 13:13
9766894
  • v4.7.0(Jul 2,2026)
    • Fixed python-connector.log not rotating on Windows, and every record being logged twice, when easy logging is enabled via config.toml (SNOW-3680325).
      • Note: As part of this fix, easy logging no longer calls logging.basicConfig() and therefore no longer configures the root logger. python-connector.log now captures only the snowflake.connector, botocore, and boto3.
    • Improved URL validation reliability by replacing the hand-rolled regex in is_valid_url() with urllib.parse.urlparse (SNOW-3392651).
    • Fixed OAuth infinite loop when tokens expire by ensuring reauthenticate() calls _request_tokens() directly instead of looping through prepare(). Token cache is now read exactly once per connection, and _store_tokens() preserves macOS Keychain ACL by never calling remove(). The async OAuth reauthenticate() now runs the synchronous OAuth flow on a worker thread instead of blocking the event loop.
    • Fixed OAuth scope handling for Snowflake custom OAuth: when refresh tokens are enabled, the connector no longer appends the OIDC offline_access scope for token endpoints on *.snowflakecomputing.com or *.snowflakecomputing.cn, which caused invalid_scope errors. Snowflake custom OAuth expects refresh_token in scope instead. External IdP behavior is unchanged.
    • Fixed input validation for scale metadata in Arrow result set processing for TIME, TIMESTAMP_NTZ, TIMESTAMP_LTZ, and TIMESTAMP_TZ columns (SNOW-3388299).
    • Removed pandas upper bound dependency constraint on the [pandas] extra to allow installation of pandas 3.0.0 and later.
    • Fixed S3 storage client to correctly handle 307/308 (method-preserving) and 301/302 (GET/HEAD only) redirects by disabling automatic redirect following and re-signing each request with AWS SigV4 credentials for the redirect target. The region is updated from the x-amz-bucket-region response header on each redirect. Redirects are capped at 5 hops.
    • Added native AKS (Azure Kubernetes Service) workload identity support. When running on AKS with workload identity configured, the connector automatically uses WorkloadIdentityCredential to authenticate via the injected service account credentials. OIDC backward compatibility is also supported.
    • Added the workload_identity_aws_use_outbound_token connection option (default false) to opt into AWS WIF JWT attestation via STS GetWebIdentityToken instead of the default SigV4 GetCallerIdentity method.
    • Fixed a bug where a fully-qualified DDL statement (e.g. CREATE VIEW db.schema.obj) on a session with no current schema would populate the connector's cached _schema/_database from the referenced object's namespace. This made get_current_schema() diverge from the server's CURRENT_SCHEMA() and mis-qualified Snowpark temp objects (SNOW-3665226).

4.6.0

Choose a tag to compare

@snowflake-connectors-app snowflake-connectors-app released this 28 May 12:56
9f72374
  • v4.6.0(May 28,2026)
    • Dropped support for Python 3.9. The minimum supported version is now Python 3.10.
    • Fixed sdist to only install the minicore binary matching the current platform (SNOW-3526469). Previous 4.x releases copied every platform's minicore .so/.dylib/.dll into the install prefix, breaking downstream packagers (e.g. Homebrew) whose audits reject foreign-arch binaries.
    • Added one in-band telemetry record per successful login describing which connection-identifier fields the user supplied (account_provided, account_with_region, account_org_provided, region_provided, host_provided). No hostname or account value is included. This is gated by the existing server-side CLIENT_TELEMETRY_ENABLED parameter and can additionally be disabled locally by setting SF_TELEMETRY_DISABLE_CONNECTION_SHAPE=true. The telemetry collection is time-boxed and will be removed in a future release.
    • Bumped up vendored urllib3 to 2.7.0

4.5.0

Choose a tag to compare

@snowflake-connectors-app snowflake-connectors-app released this 12 May 11:26
c2b2ba7
  • v4.5.0(May 12,2026)
    • Fixed write_pandas temp stage name collisions (SNOW-3481510). The old PRNG could produce identical name sequences in forked processes (e.g. Notebook kernels), causing CREATE TEMPORARY STAGE to fail with "Object already exists".
    • Fixed a security bug in Okta SAML authentication where _is_prefix_equal() compared url1's port against itself instead of url2's port, allowing an attacker to redirect credentials to a different port on the same hostname. Also fixed the default port fallback to use int instead of str for correct comparison when one URL omits the port.
    • Fixed executemany with paramstyle="pyformat" to correctly locate the VALUES clause using a balanced-parentheses parser instead of a greedy regex. This fixes incorrect behaviour with nested function calls such as SQLAlchemy @compiles VARIANT patterns (e.g. PARSE_JSON(%(col)s)) and subquery-form INSERTs (SNOW-298756).
    • Added ECDSA key support (ES256, ES384, ES512) for key-pair authentication.
    • Added HTTP 307/308 redirect status codes to the retryable set as defense-in-depth, with redirect-aware logging in both sync and async paths.
    • Consolidated keyring token cache to use a single service name with hashed account keys, reducing macOS Keychain password prompts. Legacy entries are auto-migrated on first read.
    • Added support for AWS outbound JWT token attestation for Workload Identity Federation (WIF). This can be enabled by setting the SNOWFLAKE_ENABLE_AWS_WIF_OUTBOUND_TOKEN environment variable to true. Note: This environment variable will be removed in a future release.
    • Removed dynamic class deserialization from the OCSP response validation cache to prevent arbitrary code execution via crafted cache files (SNOW-2439940). The SNOWFLAKE_ENABLE_CUSTOM_REVOCATION_ERRORS environment variable is now a no-op.
    • Updated SPCS token injection to gate on SNOWFLAKE_RUNNING_INSIDE_SPCS environment variable, trim whitespace, and remove configurable token path.
    • GCP WIF attestation now uses hostname metadata.google.internal instead of the IPv4 link-local address, so it works on IPv6-only GCP VMs.
    • Fixed a bug where write_pandas() with auto_create_table=False and overwrite=True would execute CREATE TABLE IF NOT EXISTS, which required unnecessary OWNERSHIP privilege on the table. Now only TRUNCATE TABLE is executed in this case. Note: users who relied on the table being implicitly created despite auto_create_table=False should set auto_create_table=True instead.
    • Added validation of the account connection parameter so malformed identifiers (for example path-like values or labels outside letters, digits, _, and -) are rejected with ProgrammingError before login (SNOW-1902886).
    • Added support for Azure Workload Identity Federation impersonation, allowing a managed identity to authenticate as a service principal.

4.4.0

Choose a tag to compare

@snowflake-connectors-app snowflake-connectors-app released this 25 Mar 23:26
2b59c8a
  • v4.4.0(March 24,2026)
    • Bump the lower boundary of cryptography to 46.0.5 due to CVE-2026-26007.
    • Added support for Python 3.14.
    • Removed pyOpenSSL upper bound dependency constraint to allow installation of pyOpenSSL 26.0.0+, which includes a fix for GHSA-vp96-hxj8-p424.
    • Fixed Azure IMDS Metadata header to use lowercase "true" instead of "True", which caused 400 errors during Azure Workload Identity Federation authentication.
    • Fixed default crl_download_max_size to be 20MB instead of 200MB, as the previous value was set too high and could cause out-of-memory issues.
    • Fixed a bug where Azure GET commands would incorrectly set the file status to UPLOADED instead of preserving the DOWNLOADED status during metadata retrieval.
    • Renamed the environment variable for skipping config file permission warnings from SF_SKIP_WARNING_FOR_READ_PERMISSIONS_ON_CONFIG_FILE to SF_SKIP_TOKEN_FILE_PERMISSIONS_VERIFICATION. The old variable is still supported but emits a deprecation warning.
    • Fixed unsafe_skip_file_permissions_check flag not being respected when reading connections.toml.
    • Fixed JSONDecodeError in result_batch._load() when fetching large result sets

4.3.0

Choose a tag to compare

@snowflake-connectors-app snowflake-connectors-app released this 12 Feb 10:38
9aa5e28
  • v4.3.0(February 12,2026)
    • Ensured proper list conversion - the converter runs to_snowflake on all list elements.
    • Made the parameter server_session_keep_alive in SnowflakeConnection skip checking for pending async queries, providing faster connection close times especially when many async queries are executed.
    • Fix string representation of INTERVAL YEAR and INTERVAL MONTH types.
    • Log a warning when using http protocol for OAuth urls.
    • Deprecated support for custom revocation error classes in OCSP response cache deserialization. By default, only RevocationCheckError exceptions are deserialized from OCSP cache. Custom exception classes can be temporarily enabled by setting the SNOWFLAKE_ENABLE_CUSTOM_REVOCATION_ERRORS environment variable to true or 1, but this support will be removed in a future release.
    • Bumped up vendored urllib3 to 2.6.3
    • Added force_microseconds_precision to cursor.fetch_arrow_all and cursor.fetch_pandas_all to avoid PyArrow schema incosistency between batches.

4.2.0

Choose a tag to compare

@snowflake-connectors-app snowflake-connectors-app released this 07 Jan 16:38
aaa2148
  • v4.2.0(January 07,2026)
    • Added SnowflakeCursor.stats property to expose granular DML statistics (rows inserted, deleted, updated, and duplicates) for operations like CTAS where rowcount is insufficient.
    • Added support for injecting SPCS service identifier token (SPCS_TOKEN) into login requests when present in SPCS containers.
    • Introduced shared library for extended telemetry to identify and prepare testing platform for native rust extensions.

4.1.1

Choose a tag to compare

@snowflake-connectors-app snowflake-connectors-app released this 02 Dec 15:37
1b597be
  • v4.1.1(TBD)
    • Relaxed pandas dependency requirements for Python below 3.12.
    • Changed CRL cache cleanup background task to daemon to avoid blocking main thread.
    • Fixed NO_PROXY issues with PUT operations

4.1.0

Choose a tag to compare

@snowflake-connectors-app snowflake-connectors-app released this 19 Nov 13:13
e83e0a7
  • v4.1.0(November 18,2025)
    • Added the SNOWFLAKE_AUTH_FORCE_SERVER environment variable to force the use of the local-listening server when using the externalbrowser auth method.
      • This allows headless environments (like Docker or Airflow) running locally to auth via a browser URL.
    • Fix compilation error when building from sources with libc++.
    • Pin lower versions of dependencies to oldest version without vulnerabilities.
    • Added no_proxy parameter for proxy configuration without using environmental variables.
    • Added OAUTH_AUTHORIZATION_CODE and OAUTH_CLIENT_CREDENTIALS to list of authenticators that don't require user to be set
    • Added oauth_socket_uri connection parameter allowing to separate server and redirect URIs for local OAuth server.
    • Made platform_detection logs silent and improved its timeout handling. Added support for ENV_VAR_DISABLE_PLATFORM_DETECTION environment variable.
    • Fixed FIPS environments md5 hash issues with multipart upload on Azure.