Skip to main content

By March 2026, all Snowflake SERVICE connections must authenticate with Key Pair authentication.

In late 2024, Snowflake introduced a new property named TYPE for the USER object. The value of this property (null, HUMAN, SERVICE, or LEGACY_SERVICE) determines the permitted authentication methods for each user. Authentication requirements associated with the user type will become progressively stricter throughout 2025 and 2026. To maintain uninterrupted operation of your Snowflake connection, follow the recommended steps outlined here. These steps will help you identify your service user’s current configuration and, if necessary, apply either a temporary workaround or a long-term solution.

Understanding your current connection configuration

If your user was configured using the suggested setup script from ~2024 or earlier, the TYPE parameter is likely currently set to null. You can verify this using the following query:
Snowflake
DESCRIBE USER <USERNAME>; -- check TYPE, RSA_PUBLIC_KEY
In Snowflake, the TYPE of null will be treated synonymously as if the TYPE is PERSON, and single factor password authentication will eventually be deprecated.
  • If your TYPE is set to null or HUMAN, you must apply either the Long term fix (preferred) or Temporary fix in this document.
  • If your RSA_PUBLIC_KEY is set and TYPE is set to SERVICE, no further action is required.
❗️ HUMAN or null user migration deadline HUMAN or null users will be unable to login with single factor passwords starting in March 2026. (See Snowflake guidance)

Long term fix: Update Snowflake authentication method to Key Pair, TYPE to SERVICE

Snowflake will eventually enforce all non-human accounts to be TYPE = SERVICE, and our recommended authentication method is Key Pair authentication. The following steps will guide this migration:

Prerequisite: Locate your Public Key generated on your behalf

The key should resemble the following text: 
'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvBSY419n5K4ASO0y6oa02z37Ygaq3kUZrENgoq2b3H9El9eANzdfs5i9b7OGDn4PGw9162cHmUosUByz5vZF3yjBeKPaGt/YfebmiejvzcFBS0bwpuPNik5jmVoX0tVStpNn0R47H0nabyXBxgRspKGVTmTLOhuRpoqbwYuV/ayYZ35UL05D0j+NwjEJMObWRKKxyCMgDxmClSPUZpJ7iceahTdIWQoUqH14l3isedZthKAVZkA+SxGQmCmTDwaFz5VgHLZ0d4vX3gMCS3lUK7axJDWjsWCJ1WNMXkE7rBpyZdpuH6xuALvKs9yqhX1qYdNgh9P735mISzISXrw2nwIDAQAB';
If you need help locating this key, please contact support.

Step 1: Alter user authentication to use Key Pair

Snowflake
ALTER USER <USERNAME> SET RSA_PUBLIC_KEY='MIIBI...THIS_IS_AN_EXAMPLE_AND_SHOULD_BE_REPLACED_WITH_YOUR_KEY...n5K4ASO0y6oa02z37Ygaq3kUZrENgoq2b3H9El9eANzdfs5i9b7OGDn4PGw9162cHmUosUByz5vZF3yjBeKPaGt/YfebmiejvzcFBS0bwpuPNik5jmVoX0tVStpNn0R47H0nabyXBxgRspKGVTmTLOhuRpoqbwYuV/ayYZ35UL05D0j+NwjEJMObWRKKxyCMgDxmClSPUZpJ7iceahTdIWQoUqH14l3isedZthKAVZkA+SxGQmCmTDwaFz5VgHLZ0d4vX3gMCS3lUK7axJDWjsWCJ1WNMXkE7rBpyZdpuH6xuALvKs9yqhX1qYdSXrw2nwIDAQAB';
At this point, we recommend testing your connection to ensure the Key Pair was configured correctly.

Step 2: Alter User TYPE to SERVICE

Once the connection test has succeeded and the authentication method has been updated, you may alter the user TYPE to SERVICE. You may also wish to unset the preexisting password.
Snowflake
ALTER USER <USERNAME> SET TYPE = SERVICE;
DESCRIBE USER <USERNAME>; -- to verify
ALTER USER <USERNAME> UNSET PASSWORD; -- optional

Temporary fix: Alter User TYPE to LEGACY_SERVICE

In the near term, Snowflake has provided a temporary resolution to allow for uninterrupted operation of existing Snowflake service accounts for slightly longer than the long term fix. You can temporarily extend your migration timeline by altering your user to indicate that it is a legacy service user using the following query:
Snowflake
LTER USER <USERNAME> SET TYPE = LEGACY_SERVICE;
DESCRIBE USER <USERNAME>; -- to verify
❗️ LEGACY_SERVICE user type migration timeline LEGACY_SERVICE users will be deprecated starting in June 2026. (See Snowflake guidance)