Skip to main content
  1. Docs
  2. Secrets & Configuration
  3. Providers
  4. Login & OIDC
  5. snowflake-login

snowflake-login

    The snowflake-login provider enables authentication to Snowflake using OpenID Connect (OIDC) for Pulumi ESC. This allows you to securely access Snowflake without storing long-lived credentials in your environment configurations.

    Configuring OIDC for Snowflake

    To use OIDC authentication with Snowflake, you need to set up a security integration in Snowflake that trusts the Pulumi OIDC provider.

    Step 1: Create a Security Integration in Snowflake

    Execute the following SQL in your Snowflake account to create a security integration: Refer to the Snowflake’s Configure custom authorization servers for External OAuth documentation for more information.

    CREATE SECURITY INTEGRATION pulumi_oidc
      TYPE = EXTERNAL_OAUTH
      ENABLED = TRUE
      EXTERNAL_OAUTH_TYPE = CUSTOM
      EXTERNAL_OAUTH_ISSUER = 'https://api.pulumi.com/oidc'
      EXTERNAL_OAUTH_JWS_KEYS_URL = 'https://api.pulumi.com/oidc/.well-known/jwks'
      EXTERNAL_OAUTH_TOKEN_USER_MAPPING_CLAIM = 'snowflake_user'
      EXTERNAL_OAUTH_SNOWFLAKE_USER_MAPPING_ATTRIBUTE = 'login_name'
      EXTERNAL_OAUTH_AUDIENCE_LIST = ('snowflake:<pulumi-org>')
      -- Optionally, restrict to specific roles:
      -- EXTERNAL_OAUTH_ALLOWED_ROLES_LIST = ('<snowflake roles that can be assumed>')
      -- EXTERNAL_OAUTH_ANY_ROLE_MODE = 'ENABLE'
    ;
    

    Replace <pulumi-org> with your Pulumi organization name.

    Step 2: Create a User in Snowflake for ESC Login

    Create a Snowflake user that will be used by ESC:

    CREATE USER ESC_LOGIN_USER
      DEFAULT_ROLE = '<role>'
      TYPE = SERVICE;
    
    -- Grant necessary permissions to the user
    GRANT ROLE <role> TO USER ESC_LOGIN_USER;
    

    Replace <role> with the role that has the necessary permissions for your use case.

    Using with Pulumi ESC

    Once you’ve configured OIDC in Snowflake, you can use the snowflake-login provider in your Pulumi ESC environment. The outputs are consumed by the Pulumi Snowflake provider, the Snowflake SDKs, and the snowsql CLI:

    values:
      snowflake:
        login:
          fn::open::snowflake-login:
            oidc:
              account: myorganization-account
              user: ESC_LOGIN_USER
              role: ESC_ROLE  # Optional
      environmentVariables:
        # Consumed by the Pulumi Snowflake provider, the Snowflake SDKs, and the snowsql CLI
        SNOWFLAKE_ACCOUNT: ${snowflake.login.account}
        SNOWFLAKE_USER: ${snowflake.login.user}
        SNOWFLAKE_AUTHENTICATOR: OAUTH
        SNOWFLAKE_TOKEN: ${snowflake.login.token}
    

    Validation

    When opening the environment, you should see output similar to the following:

    {
      "snowflake": {
        "login": {
          "account": "myorganization-account",
          "user": "ESC_LOGIN_USER",
          "token": "[secret]"
        }
      }
    }
    

    You can validate your configuration is working by connecting to snowflake with using the minted oidc token:

    > snowsql \
      --accountname <snowflake.login.account> \
      --username <snowflake.login.user> \
      --authenticator=oauth \
      --token=<snowflake.login.token>
    

    Schema reference

    Reference schemas last updated on 2026-07-11, synced automatically from the Pulumi Cloud ESC API.

    Inputs

    • oidc object required
    • account string required
      Snowflake account identifier.
    • role string optional
      Role to assume. See https://docs.snowflake.com/en/user-guide/oauth-ext-overview#scopes
    • user string required
      User login name.

    Outputs

    • account string required
      Snowflake account identifier.
    • token string required
      Oauth token.
    • user string required
      User login name.