Using Snowflake MFA with Astrato

Astrato supports Snowflake accounts that use MFA for enhanced security and governance.

Written by Piers Batchelor
Updated over a week ago

User Account & Service Account Requirements

To ensure that your Snowflake accounts connected to Astrato continue to function smoothly, follow these steps advised by Snowflake:

Step 1: Identify Users

Start by distinguishing your "human" users from "service" users.

Step 2: Update Authentication Methods

  • If you already support key-pair and/or external OAuth, update your documentation to remove references to password-based authentication.

Step 3: Managing Service Users

  • For service users, use the following Snowflake command to exclude them from MFA policy enforcement:

    ALTER USER <service-user> SET TYPE = SERVICE;

    This command will prevent service users from using password-only authentication.

Step 4: Temporary Solution for Legacy Service Users

  • If you're still using userid/password authentication by Snowflake’s advised date of September 30, mark service users as legacy. This temporarily excludes them from the MFA policy while still allowing password authentication:

    ALTER USER <service-user> SET TYPE = LEGACY_SERVICE;

    Snowflake advises this as a temporary solution. You will need to plan for stronger authentication beyond the September 30 deadline.

Step 5: Authentication for Human Users

  • If your application requires users to authenticate directly with Snowflake, Snowflake requires that you integrate one of the following authentication methods through your customer’s Identity Provider (IdP), such as Okta or Azure AD:

    • Snowflake OAuth

    • External OAuth

Step 6: Service User Integration for Managed Accounts

For Snowflake accounts managed by your team (Partner accounts, Managed accounts), Snowflake advises setting up key-pair authentication or external OAuth for service users.

Key-Pair Authentication Steps:

  1. Generate an RSA key pair: Create a public and private RSA key pair (2048-bit minimum is recommended). The private key should be kept secure.

  2. Assign the public key to the Snowflake user:

    ALTER USER <service-user> SET RSA_PUBLIC_KEY='<public-key>';

  3. Authenticate using the private key: When connecting to Snowflake via Astrato, the service will authenticate using the private key without requiring a password.

  4. Rotate the keys regularly: Snowflake recommends regularly rotating your key pairs for better security.
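
The key-pair steps above as an added shell example (not Astrato's or Snowflake's own code): it generates the key pair, prints the ALTER USER statement for step 2, and computes the fingerprint that DESC USER reports as RSA_PUBLIC_KEY_FP so the assignment can be checked. It assumes OpenSSL is installed; ASTRATO_SVC is a hypothetical user name, and the rotation sequence using Snowflake's second key slot (RSA_PUBLIC_KEY_2) goes beyond what this page describes.

```shell
#!/usr/bin/env bash
# Added example, not Astrato or Snowflake code. Assumes OpenSSL is installed.
set -eu

# Step 1: 2048-bit RSA key, unencrypted PKCS#8 PEM, readable by owner only.
gen_keypair() {  # $1 = output directory
  ( umask 077
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
      -out "$1/rsa_key.p8" 2>/dev/null )
  openssl pkey -in "$1/rsa_key.p8" -pubout -out "$1/rsa_key.pub"
}

# Base64 body of the public key: PEM delimiter lines and newlines removed.
pubkey_body() {  # $1 = public key PEM file
  grep -v '^-----' "$1" | tr -d '\n'
}

# Step 2: statement that assigns the public key to the service user.
alter_user_sql() {  # $1 = user name, $2 = public key PEM file
  printf "ALTER USER %s SET RSA_PUBLIC_KEY='%s';\n" "$1" "$(pubkey_body "$2")"
}

# Fingerprint in the format DESC USER reports as RSA_PUBLIC_KEY_FP.
pubkey_fp() {  # $1 = public key PEM file
  printf 'SHA256:%s\n' "$(openssl pkey -pubin -in "$1" -outform DER |
    openssl dgst -sha256 -binary | openssl base64)"
}

# Step 4: rotate without downtime by using the second key slot.
rotate_sql() {  # $1 = user name, $2 = NEW public key PEM file
  printf "ALTER USER %s SET RSA_PUBLIC_KEY_2='%s';\n" "$1" "$(pubkey_body "$2")"
  printf -- "-- switch the connection to the new private key, then:\n"
  printf "ALTER USER %s UNSET RSA_PUBLIC_KEY;\n" "$1"
}

# Demo: ASTRATO_SVC is a hypothetical user; keys land in a throwaway directory.
key_dir=$(mktemp -d)
gen_keypair "$key_dir"
alter_user_sql "${SVC_USER:-ASTRATO_SVC}" "$key_dir/rsa_key.pub"
echo "-- DESC USER should show RSA_PUBLIC_KEY_FP = $(pubkey_fp "$key_dir/rsa_key.pub")"
```

The private key written here is unencrypted PKCS#8, so keep it in a secrets store rather than on disk once it is loaded into the connection.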


Snowflake MFA Caching

Snowflake MFA Caching must be enabled if you are using Snowflake MFA. Astrato opens multiple connections to maintain the fastest, most secure platform experience.

⚠️ If you use MFA without caching enabled, recurring authentication requests occur.

Enable MFA caching with the following command:

ALTER ACCOUNT SET ALLOW_CLIENT_MFA_CACHING = TRUE;
