Preparing for Snowflake Password deprecation
By March 2026, all Snowflake SERVICE connections must authenticate with Key Pair authentication.
SERVICE connections must authenticate with Key Pair authentication. In late 2024, Snowflake introduced a new property named TYPE for the USER object. The value of this property (null, HUMAN, SERVICE, or LEGACY_SERVICE) determines the permitted authentication methods for each user. Authentication requirements associated with the user type will become progressively stricter throughout 2025 and 2026.
To maintain uninterrupted operation of your Snowflake connection, follow the recommended steps outlined here. These steps will help you identify your service user's current configuration and, if necessary, apply either a temporary workaround or a long-term solution.
Understanding your current connection configuration
If your user was configured using the suggested setup script from ~2024 or earlier, the TYPE parameter is likely currently set to null. You can verify this using the following query:
DESCRIBE USER <USERNAME>; -- check TYPE, RSA_PUBLIC_KEY
In Snowflake, the TYPE of null will be treated synonymously as if the TYPE is PERSON, and single factor password authentication will eventually be deprecated.
- If your
TYPEis set tonullorHUMAN, you must apply either the Long term fix (preferred) or Temporary fix in this document. - If your
RSA_PUBLIC_KEYis set andTYPEis set toSERVICE, no further action is required.
HUMANornulluser migration deadline
HUMANornullusers will be unable to login with single factor passwords starting in March 2026. (See Snowflake guidance)
Long term fix: Update Snowflake authentication method to Key Pair, TYPE to SERVICE
TYPE to SERVICESnowflake will eventually enforce all non-human accounts to be TYPE = SERVICE, and our recommended authentication method is Key Pair authentication. The following steps will guide this migration:
Prerequisite: Locate your Public Key generated on your behalf
The key should resemble the following text:
'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvBSY419n5K4ASO0y6oa02z37Ygaq3kUZrENgoq2b3H9El9eANzdfs5i9b7OGDn4PGw9162cHmUosUByz5vZF3yjBeKPaGt/YfebmiejvzcFBS0bwpuPNik5jmVoX0tVStpNn0R47H0nabyXBxgRspKGVTmTLOhuRpoqbwYuV/ayYZ35UL05D0j+NwjEJMObWRKKxyCMgDxmClSPUZpJ7iceahTdIWQoUqH14l3isedZthKAVZkA+SxGQmCmTDwaFz5VgHLZ0d4vX3gMCS3lUK7axJDWjsWCJ1WNMXkE7rBpyZdpuH6xuALvKs9yqhX1qYdNgh9P735mISzISXrw2nwIDAQAB';
If you need help locating this key, please contact support.
Step 1: Alter user authentication to use Key Pair
ALTER USER <USERNAME> SET RSA_PUBLIC_KEY='MIIBI...THIS_IS_AN_EXAMPLE_AND_SHOULD_BE_REPLACED_WITH_YOUR_KEY...n5K4ASO0y6oa02z37Ygaq3kUZrENgoq2b3H9El9eANzdfs5i9b7OGDn4PGw9162cHmUosUByz5vZF3yjBeKPaGt/YfebmiejvzcFBS0bwpuPNik5jmVoX0tVStpNn0R47H0nabyXBxgRspKGVTmTLOhuRpoqbwYuV/ayYZ35UL05D0j+NwjEJMObWRKKxyCMgDxmClSPUZpJ7iceahTdIWQoUqH14l3isedZthKAVZkA+SxGQmCmTDwaFz5VgHLZ0d4vX3gMCS3lUK7axJDWjsWCJ1WNMXkE7rBpyZdpuH6xuALvKs9yqhX1qYdSXrw2nwIDAQAB';
At this point, we recommend testing your connection to ensure the Key Pair was configured correctly.
Step 2: Alter User TYPE to SERVICE
TYPE to SERVICEOnce the connection test has succeeded and the authentication method has been updated, you may alter the user TYPE to SERVICE. You may also wish to unset the preexisting password.
ALTER USER <USERNAME> SET TYPE = SERVICE;
DESCRIBE USER <USERNAME>; -- to verify
ALTER USER <USERNAME> UNSET PASSWORD; -- optional
Temporary fix: Alter User TYPE to LEGACY_SERVICE
TYPE to LEGACY_SERVICEIn the near term, Snowflake has provided a temporary resolution to allow for uninterrupted operation of existing Snowflake service accounts for slightly longer than the long term fix.
You can temporarily extend your migration timeline by altering your user to indicate that it is a legacy service user using the following query:
LTER USER <USERNAME> SET TYPE = LEGACY_SERVICE;
DESCRIBE USER <USERNAME>; -- to verify
LEGACY_SERVICEuser type migration timeline
LEGACY_SERVICEusers will be deprecated starting in June 2026. (See Snowflake guidance)
Updated 6 days ago