
Snowflake storage destination authentication

Overview

Setting up a Snowflake storage warehouse destination requires establishing a secure authentication method using either a cryptographic Key Pair or basic Password credentials to prevent synchronization errors. This article covers the available authentication options, step-by-step setup requirements, common credential configuration states, and critical user interface behaviors such as why the private key field displays a "No file uploaded" status for active, working connections.

 

Environment

Segment Console

 

What You Need To Know

When deploying or auditing your Snowflake connection within the Segment platform, keep the following functionalities, technical specifications, and architectural constraints in mind:

  • Supported Authentication Protocols: Segment offers two configuration paths for connecting to Snowflake. Key Pair Authentication utilizes an asymmetric cryptographic public/private key mechanism and is highly recommended for security compliance. Password Authentication uses basic username-and-password credentials.

  • Password Deprecation Timeline: Basic password authentication is designated as "Not recommended" within the platform interface. Snowflake is planning to phase out password-only programmatic authentication pipelines starting in August 2026. All organizations are strongly encouraged to migrate connections to Key Pair authentication to guarantee uninterrupted service.

  • Tier Eligibility: Key Pair authentication is natively supported across all service tiers, including Free, Team, and Business Tier accounts.

  • Private Key Technical Standards: Private key files uploaded to Segment must use the PKCS#8 (.p8) format with a key length of at least 2048 bits. Encrypted private keys are fully supported, provided the corresponding passphrase is supplied during setup.

  • Key Rotation Handshaking: Snowflake supports up to two active concurrent public keys per user account to enable zero-downtime key rotation. When performing a rotation, update your private key in the Segment Console only after confirming that the matching public key has been fully applied and activated inside your Snowflake console.

  • Write-Only Security Constraints: Once a private key file is uploaded and saved, Segment securely encrypts it on the backend. Web browsers are restricted from reading back these encrypted credentials to pre-populate file input boxes. Because of this security design, the file configuration module will always reset to a default "No file uploaded" status every time you view the destination settings page, even when the connection is fully functional.

  • Interpretation of Selected UI Options: The highlighted button on an existing connection's settings page reflects the true, active configuration currently deployed on the backend database connector. It does not represent an unsaved template or a suggestion to edit.

  • Required Resource Deployment Infrastructure: Establishing a functional pipeline requires provisioning specific infrastructure inside Snowflake before finalizing the connection in Segment. This includes running precise initialization blocks to create a virtual warehouse, a target database, an explicit tracking execution role (SEGMENT), and a dedicated platform service user account linked to your generated public key.
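
The key format, key length, and rotation checks from the Private Key Technical Standards and Key Rotation items above, as an added shell example using OpenSSL (not Segment's or Snowflake's own tooling). The file paths, the function names, and the KEY_PASSPHRASE environment variable are assumptions.

```shell
#!/bin/sh
# Added example, not Segment's or Snowflake's code. File paths and the
# KEY_PASSPHRASE variable are assumptions; the passphrase is read from the
# environment so it never appears in the process list.

# Create an AES-256 encrypted PKCS#8 private key ($1) and its public key ($2).
# $3 is the RSA key size in bits (default 2048).
make_keypair() {
    openssl genrsa "${3:-2048}" 2>/dev/null |
        openssl pkcs8 -topk8 -v2 aes-256-cbc \
            -passout env:KEY_PASSPHRASE -out "$1" || return 1
    chmod 600 "$1"
    openssl pkey -in "$1" -passin env:KEY_PASSPHRASE -pubout -out "$2"
}

# Succeed only if $1 is a PEM PKCS#8 key (plain or encrypted) that decrypts
# with KEY_PASSPHRASE and has at least $2 bits (default 2048).
check_private_key() {
    case "$(head -n 1 "$1")" in
        "-----BEGIN PRIVATE KEY-----" | "-----BEGIN ENCRYPTED PRIVATE KEY-----") ;;
        *) echo "not PKCS#8; convert with: openssl pkcs8 -topk8" >&2; return 1 ;;
    esac
    # Inspect the derived public key so no private material is printed.
    bits=$(openssl pkey -in "$1" -passin env:KEY_PASSPHRASE -pubout 2>/dev/null |
        openssl pkey -pubin -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p')
    [ -n "$bits" ] || { echo "cannot decrypt or parse key" >&2; return 1; }
    [ "$bits" -ge "${2:-2048}" ] || { echo "key is only $bits bits" >&2; return 1; }
}

# Print the public key ($1) as the single-line value for
# ALTER USER ... SET rsa_public_key='...' (PEM header and footer removed).
pubkey_for_sql() {
    grep -v '^-----' "$1" | tr -d '\n'
}

# Print the SHA-256 fingerprint of the public key ($1) in the form Snowflake
# reports it (RSA_PUBLIC_KEY_FP in DESC USER output).
snowflake_fingerprint() {
    printf 'SHA256:%s\n' "$(openssl pkey -pubin -in "$1" -outform DER |
        openssl dgst -sha256 -binary | openssl base64)"
}
```

Before uploading a new .p8 file in the Segment Console, compare the output of snowflake_fingerprint with the RSA_PUBLIC_KEY_FP (or RSA_PUBLIC_KEY_2_FP) value shown by DESC USER in Snowflake.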

 

Frequently Asked Questions

Why does the Private Key field display "No file uploaded" even though my data syncs are executing successfully?

This is normal platform security behavior. After you upload a .p8 private key file and save your destination settings, Segment immediately encrypts the asset on our secure servers and treats it as a write-only secret. Web browsers are structurally blocked from reading backend secrets to populate local file upload fields. The interface will reset to an empty state showing "No file uploaded" every time the page loads to prevent exposing your credential configuration.

 

How do I verify that my Snowflake credentials are valid and active without making modifications?

You can confirm that your authentication settings are working correctly by visiting the Sync History or Event Delivery tabs for your specific Snowflake destination in the Segment Console. If your scheduled data transfers are executing successfully without throwing database authorization or invalid credential alerts, your stored key pair or password configuration is working fine behind the scenes.

 

What should I do if I receive a connection failure stating "The requested database does not exist or not authorized"?

This error means Segment successfully reached your Snowflake instance, but the service user lacks the privileges needed to view or alter the target database. You can resolve this permission problem by opening a high-level SYSADMIN or ACCOUNTADMIN session in Snowflake and running the following statements:

SQL

 
GRANT MODIFY PROGRAMMATIC AUTHENTICATION METHODS ON USER segment_user TO ROLE segment;
ALTER USER segment_user SET rsa_public_key='<your_public_key_string>';
GRANT ROLE "SEGMENT" TO USER "SEGMENT_USER";

 

Can I change table and schema ownership away from the default Segment role without breaking active connections?

Yes, but you must replace the implicit ownership right with explicit read and write privileges. If ownership of your schemas or tables is transferred to another administrative account like ACCOUNTADMIN without providing matching permissions back to Segment, the data loader will become unable to identify existing tables. It will attempt to recreate them from scratch and fail with an object collision error. To securely transfer resource ownership while keeping syncs active, execute this script for each targeted schema:

SQL

 
GRANT OWNERSHIP ON SCHEMA $SCHEMA_NAME TO ROLE ACCOUNTADMIN REVOKE CURRENT GRANTS;
GRANT OWNERSHIP ON ALL TABLES IN SCHEMA $SCHEMA_NAME TO ROLE ACCOUNTADMIN REVOKE CURRENT GRANTS;
GRANT USAGE, CREATE TABLE ON SCHEMA $SCHEMA_NAME TO ROLE SEGMENT;
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA $SCHEMA_NAME TO ROLE SEGMENT;

 

Conclusion

Configuring secure Key Pair authentication protects your Snowflake integration path, meets compliance requirements, and ensures compatibility ahead of the password authentication deprecation window. Understanding backend write-only security and explicit permission handshakes prevents common connection errors and helps you accurately audit your pipeline status.
