Migrating Snowflake Authentication

  • Updated on Aug 22, 2025
  • Published on Aug 22, 2025
  • 4 minute(s) read
Prev Next

Overview

Starting in November 2025, Snowflake will block sign-ins that use single-factor authentication with passwords. Prior to this date, data sources in Validatar using the Snowflake ODBC connection type will need to be migrated to use key-pair authentication instead of passwords.

Additional Info

The following external link provides more information on this authentication change from Snowflake:
https://www.snowflake.com/en/blog/blocking-single-factor-password-authentification

Prerequisites

  • Access to Validatar with permission to edit data sources.
  • Someone with the SECURITYADMIN role in Snowflake to run the public-key registration script. If you do not have that role, you will need to send the script to your Snowflake admin.
Data Agent Upgrade Requirement

Before you migrate any data sources that use a data agent, verify that you've upgraded your data agent to at least version 2025.2. You can trigger an upgrade of your data agent from Validatar on the Settings > Configuration > Data Agents page by clicking the data agent link, then clicking the Upgrade button from the Data Agent page.

Migration Steps

  1. Open the Data Sources list
    • In Validatar, go to Settings > Data Sources.
  2. Filter to see Snowflake ODBC connections that need migration
    • Click the Type column filter and choose 'Snowflake ODBC', then click 'Filter'.
    • Data sources that require migration will show a warning icon in the Name column.
  3. Open the data source to modify
    • Open the data source that shows the warning icon.
    • In the Connection section, click 'Edit' to open the Modify Connection dialog.
  4. Switch authentication method
    • The dialog will initially show 'Custom Connection String' selected.
    • Select the 'Key Pair Authentication' option.
    • Validatar will automatically populate relevant connection details from the previous connection string.
    • Review the pre-filled values and complete any missing fields.
  5. Retrieve and run the public key registration script
    • Click 'View Public Key/Script' in the dialog to display the Snowflake script that assigns the public key to the Snowflake user.
    • This script is intended to be run in your Snowflake account using the SECURITYADMIN role. If you are not a Snowflake security admin, copy the script and send it to someone that has that level of access.
    • Once the script is executed in Snowflake, the Snowflake user will have the public key registered and is ready for key-pair authentication.
  6. Test the connection
    • After the script has been run in Snowflake, click 'Test Connection' in the Modify Connection dialog in Validatar.
    • Confirm that the connection validates successfully.
  7. Update and save
    • If the connection succeeds, click 'Update Connection', then click 'Save' on the main page.
    • The data source now authenticates with Snowflake using key pair authentication instead of a password.

Migrating multiple data sources with the same Snowflake account and user

If you have multiple data sources that use the same Snowflake account and username, the migration process for the remaining data sources is simpler than for the initial data source.

  • After you migrate the first data source and the public key has been attached to the Snowflake user, you do not need to run the script again for subsequent data sources that match on Account Name and Username.
  • When you open a secondary data source, choose the 'Key Pair Authentication' option and Validatar will reuse the same private key for connections that match on account name and username.
  • For each secondary data source, click 'Test Connection' to verify connectivity, then click 'Update Connection' and then 'Save'

Best practices and recommendations

  • Backup the original custom connection string (copy it to a secure location) before modification so you can rollback if needed.
  • Coordinate with your Snowflake security/admin team to run the public key registration script.
  • Confirm which Snowflake role and username are required for each connection before saving.
  • Test each migrated data source immediately after updating to ensure scheduled jobs and tests continue to work.

Troubleshooting

  1. 'Test Connection' fails after running the script:
    • Verify the public key registration script was run against the correct Snowflake user and in the correct Snowflake account.
    • Confirm the script was executed by a role with sufficient privileges (SECURITYADMIN).
    • Confirm the account name and username in Validatar exactly match Snowflake.
  2. If the data source stops working:
    • Revert to your saved backup of the original connection string (if still allowed by your Snowflake policy).

FAQ

  • Who runs the public key registration script?
    • A Snowflake SECURITYADMIN (or equivalent) must run the script in Snowflake.
  • Do I need to run the script for every data source?
    • No, if multiple data sources share the same Snowflake account and username, Validatar reuses the same private key and you do not need to re-run the script for secondary data sources that match on account and username.
  • Will scheduled jobs or tests break?
    • They should continue to work after migration, as long as the data source is saved and tested successfully.
  • How is the private key managed?
    • Validatar encrypts the private key that corresponds to the public key and stores it in your Validatar repository.
  • How can I rotate keys?
    • To rotate the key-pair for a given user, click 'Regenerate Public/Private Keys' in the Modify Connection dialog.
    • Click 'View Public Key/Script' to retrieve the script to run in Snowflake.
    • Once the script is run in Snowflake, click 'Test Connection' to verify that the connection succeeds.
    • Once the connection succeeds, click 'Update Connection', then click 'Save'.
    • When the data source is saved, all other data sources using the same account and username will automatically be updated with the same private key.