Backward incompatibility

Deprecations

New additions

Fixes and improvements

• Encrypted private key files no longer require PRIVATE_KEY_PASSPHRASE to be set in the environment. The passphrase can now be read from private_key_file_pwd (the name used by snowflake-connector-python) or private_key_passphrase in connections.toml / config.toml. The PRIVATE_KEY_PASSPHRASE environment variable continues to take precedence when set. This also fixes a regression in 3.17.0 where commands using key-pair authentication with private_key_passphrase in connections.toml failed with argument 'password': Cannot convert "<class 'str'>" instance to a buffer.

Deprecations

New additions

• snow app now supports both Snowflake Native Apps (application / application package entities) and Snowflake Apps Deploy (snowflake-app entities). The entity type in snowflake.yml determines which flow is used, so shared subcommands like bundle, deploy, validate, open, events, and teardown automatically pick the correct behavior. The experimental hidden snow __app command group and the ENABLE_SNOWFLAKE_APPS feature flag have been removed.
• Added snow app setup command for initializing a snowflake.yml for a Snowflake Apps Deploy project.
• Added snow connection generate-workload-identity-token command to generate a workload identity token for the current environment. Supports AWS, GCP, Azure, and OIDC providers via --workload-identity-provider flag or connection configuration.
• Added snow custom-image validate command to validate custom Docker images against configured rules (entrypoint, environment variables, Python packages, dependency health). Supports an optional --scan-vulnerabilities flag to run Grype vulnerability scanning.
• Added snow dcm purge command to drop all the objects managed by the specified DCM Project
• DCM manifest targets now validate account_identifier and project_owner fields.
  CLI validates these against the current session and prints a warning on mismatch:
  • account_identifier is checked for all manifest-based commands
  • project_owner is checked for snow dcm create
• Added a --secondary-roles option (plus matching SNOWFLAKE_SECONDARY_ROLES env var and secondary_roles config key) to snow connection add and the global connection overrides. The value is forwarded to snowflake-connector-python and accepts ALL or NONE, so sessions can be pinned to the primary role without running an extra USE SECONDARY ROLES statement.
• Added --force flag to snow spcs service drop to allow dropping services that contain block storage volumes.

Fixes and improvements

• Significantly improved DCM files upload performance
• Fixed snow streamlit deploy failing with a collision error when pages/*.py glob in additional_source_files overlaps with the automatically-included pages/ directory. Overlapping glob patterns are now deduplicated during v1-to-v2 definition conversion.
• Updated snowflake-connector-python to version 4.4.0. Connector python 4.x series introduced stricter permission checks. In future versions of Snowflake CLI strict configuration file permissions will become mandatory. To test if your files have correct permissions set SNOWFLAKE_CLI_FEATURES_ENFORCE_STRICT_CONFIG_PERMISSIONS=1 before running CLI commands.
• Fixed error message when PRIVATE_KEY_PASSPHRASE environment variable is set to an empty string.
• Fixed SELECT * output being corrupted when joined tables share column names. Duplicate column names are now disambiguated by appending a numeric suffix (e.g. NAME, NAME_2).
• Fixed snow connection generate-jwt and snow connection generate-workload-identity-token failing with Connection None is not configured when used with --temporary-connection.
• The internal connection cache now remembers failed connect attempts and re-raises the original exception on subsequent accesses within the same process, instead of re-dialing Snowflake every time a command accesses the shared connection. This fixes, among other cases, the customer-visible duplicate LOGIN_HISTORY events (and OVERFLOW_FAILURE_EVENTS_ELIDED) previously emitted when a snow invocation was rejected by an authentication policy.
• Fixed session/master token connections created from environment variables or named connection config not enabling token keep-alive settings. This could cause follow-up commands to fail with 251007: Session and master tokens invalid.

Deprecations

New additions

• snow app now supports both Snowflake Native Apps (application / application package entities) and Snowflake Apps Deploy (snowflake-app entities). The entity type in snowflake.yml determines which flow is used, so shared subcommands like bundle, deploy, validate, open, events, and teardown automatically pick the correct behavior. The experimental hidden snow __app command group and the ENABLE_SNOWFLAKE_APPS feature flag have been removed.
• Added snow app setup command for initializing a snowflake.yml for a Snowflake Apps Deploy project.
• Added snow connection generate-workload-identity-token command to generate a workload identity token for the current environment. Supports AWS, GCP, Azure, and OIDC providers via --workload-identity-provider flag or connection configuration.
• Added snow custom-image validate command to validate custom Docker images against configured rules (entrypoint, environment variables, Python packages, dependency health). Supports an optional --scan-vulnerabilities flag to run Grype vulnerability scanning.
• Added snow dcm purge command to drop all the objects managed by the specified DCM Project
• DCM manifest targets now validate account_identifier and project_owner fields.
  CLI validates these against the current session and prints a warning on mismatch:
  • account_identifier is checked for all manifest-based commands
  • project_owner is checked for snow dcm create
• Added a --secondary-roles option (plus matching SNOWFLAKE_SECONDARY_ROLES env var and secondary_roles config key) to snow connection add and the global connection overrides. The value is forwarded to snowflake-connector-python and accepts ALL or NONE, so sessions can be pinned to the primary role without running an extra USE SECONDARY ROLES statement.
• Added --force flag to snow spcs service drop to allow dropping services that contain block storage volumes.

Fixes and improvements

• Significantly improved DCM files upload performance
• Fixed snow streamlit deploy failing with a collision error when pages/*.py glob in additional_source_files overlaps with the automatically-included pages/ directory. Overlapping glob patterns are now deduplicated during v1-to-v2 definition conversion.
• Updated snowflake-connector-python to version 4.4.0. Connector python 4.x series introduced stricter permission checks. In future versions of Snowflake CLI strict configuration file permissions will become mandatory. To test if your files have correct permissions set SNOWFLAKE_CLI_FEATURES_ENFORCE_STRICT_CONFIG_PERMISSIONS=1 before running CLI commands.
• Fixed error message when PRIVATE_KEY_PASSPHRASE environment variable is set to an empty string.
• Fixed SELECT * output being corrupted when joined tables share column names. Duplicate column names are now disambiguated by appending a numeric suffix (e.g. NAME, NAME_2).
• Fixed snow connection generate-jwt and snow connection generate-workload-identity-token failing with Connection None is not configured when used with --temporary-connection.
• The internal connection cache now remembers failed connect attempts and re-raises the original exception on subsequent accesses within the same process, instead of re-dialing Snowflake every time a command accesses the shared connection. This fixes, among other cases, the customer-visible duplicate LOGIN_HISTORY events (and OVERFLOW_FAILURE_EVENTS_ELIDED) previously emitted when a snow invocation was rejected by an authentication policy.
• Fixed session/master token connections created from environment variables or named connection config not enabling token keep-alive settings. This could cause follow-up commands to fail with 251007: Session and master tokens invalid.

Deprecations

New additions

• DCM commands are now available in preview
• Added --in-account flag to list commands (e.g., snow object list, snow stage list). This flag allows listing all objects of a given type in the account. Cannot be used together with the --in flag.
• Added experimental command snow spcs service build-image to build container images using SPCS service. The command uploads local build context to a stage, executes a build job, and streams logs in real-time until completion. This command is experimental and subject to change.
• Added --async flag to snow spcs service execute-job command to execute job services asynchronously without waiting for completion.
• Added --replicas parameter to snow spcs service execute-job command to specify the number of job replicas to run.
• Added --dbt-version flag to snow dbt deploy and snow dbt execute commands. This flag allows to set dbt Core version on dbt project object (deploy command) or execute a dbt command on a specific dbt Core version, without altering the dbt object (execute commands).

Fixes and improvements

• Fixed snow stage copy --recursive dropping database and schema qualifiers from fully-qualified stage names, causing the command to resolve stages against the connection's default database instead of the one specified in the FQN.
• all authenticators (including snowflake-jwt, username_password_mfa, workload_identity) are now case-insensitive.
• Fixed snow streamlit deploy --prune failing with incorrect stage path format for streamlit entities using versioned deployment. The snow:// prefix is now correctly preserved through all stage path operations.
• Fixed a bug with snow dbt deploy where dbt project would have files uploaded first and project properties updated afterwards. This could lead to failed deploys if for example project lacked external access integrations and dependencies were specified.
• Changed how the fully qualified name for temporary stages is established for snow dbt deploy. The database and schema from the DBT Project object's fully qualified name take precedence over those from the session.
• Fixed snow stage copy and snow stage put failing when a local directory path contains glob special characters (e.g. square brackets in [id] or [slug]). The path is now escaped before glob expansion so literal directory names are matched correctly.

Deprecations

New additions

• DCM commands are now available in preview
• Added --in-account flag to list commands (e.g., snow object list, snow stage list). This flag allows listing all objects of a given type in the account. Cannot be used together with the --in flag.
• Added experimental command snow spcs service build-image to build container images using SPCS service. The command uploads local build context to a stage, executes a build job, and streams logs in real-time until completion. This command is experimental and subject to change.
• Added --async flag to snow spcs service execute-job command to execute job services asynchronously without waiting for completion.
• Added --replicas parameter to snow spcs service execute-job command to specify the number of job replicas to run.
• Added --dbt-version flag to snow dbt deploy and snow dbt execute commands. This flag allows to set dbt Core version on dbt project object (deploy command) or execute a dbt command on a specific dbt Core version, without altering the dbt object (execute commands).

Fixes and improvements

• Fixed snow stage copy --recursive dropping database and schema qualifiers from fully-qualified stage names, causing the command to resolve stages against the connection's default database instead of the one specified in the FQN.
• all authenticators (including snowflake-jwt, username_password_mfa, workload_identity) are now case-insensitive.
• Fixed snow streamlit deploy --prune failing with incorrect stage path format for streamlit entities using versioned deployment. The snow:// prefix is now correctly preserved through all stage path operations.
• Fixed a bug with snow dbt deploy where dbt project would have files uploaded first and project properties updated afterwards. This could lead to failed deploys if for example project lacked external access integrations and dependencies were specified.
• Changed how the fully qualified name for temporary stages is established for snow dbt deploy. The database and schema from the DBT Project object's fully qualified name take precedence over those from the session.
• Fixed snow stage copy and snow stage put failing when a local directory path contains glob special characters (e.g. square brackets in [id] or [slug]). The path is now escaped before glob expansion so literal directory names are matched correctly.

Deprecations

New additions

• Added --in-account flag to list commands (e.g., snow object list, snow stage list). This flag allows listing all objects of a given type in the account. Cannot be used together with the --in flag.
• Added experimental command snow spcs service build-image to build container images using SPCS service. The command uploads local build context to a stage, executes a build job, and streams logs in real-time until completion. This command is experimental and subject to change.
• Added --async flag to snow spcs service execute-job command to execute job services asynchronously without waiting for completion.
• Added --replicas parameter to snow spcs service execute-job command to specify the number of job replicas to run.
• Added --dbt-version flag to snow dbt deploy and snow dbt execute commands. This flag allows to set dbt Core version on dbt project object (deploy command) or execute a dbt command on a specific dbt Core version, without altering the dbt object (execute commands).

Fixes and improvements

• Fixed snow stage copy --recursive dropping database and schema qualifiers from fully-qualified stage names, causing the command to resolve stages against the connection's default database instead of the one specified in the FQN.
• Updated snowflake-connector-python to version 4.3.0.
• all authenticators (including snowflake-jwt, username_password_mfa, workload_identity) are now case-insensitive.
• Fixed snow streamlit deploy --prune failing with incorrect stage path format for streamlit entities using versioned deployment. The snow:// prefix is now correctly preserved through all stage path operations.
• Fixed a bug with snow dbt deploy where dbt project would have files uploaded first and project properties updated afterwards. This could lead to failed deploys if for example project lacked external access integrations and dependencies were specified.
• Changed how the fully qualified name for temporary stages is established for snow dbt deploy. The database and schema from the DBT Project object's fully qualified name take precedence over those from the session.

New additions

• Added --if-exists option to snow object drop command and object-specific drop commands (e.g., snow stage drop) to drop objects only if they exist, preventing errors when dropping non-existent objects.

Fixes and improvements

• Fix git repository path parsing to allow quotes around both repo and branch names (e.g., @"example-repo"/branches/"feature/branch"/*).
• Fix externalbrowser auth for headless systems.
• Update project definition with supported python versions aligned with snowflake-connector-python

New additions

• Added --if-exists option to snow object drop command and object-specific drop commands (e.g., snow stage drop) to drop objects only if they exist, preventing errors when dropping non-existent objects.

Fixes and improvements

• Fix git repository path parsing to allow quotes around both repo and branch names (e.g., @"example-repo"/branches/"feature/branch"/*).
• Fix externalbrowser auth for headless systems.
• Update project definition with supported python versions aligned with snowflake-connector-python

New additions

• Added --if-exists option to snow object drop command and object-specific drop commands (e.g., snow stage drop) to drop objects only if they exist, preventing errors when dropping non-existent objects.

Fixes and improvements

• Fix git repository path parsing to allow quotes around both repo and branch names (e.g., @"example-repo"/branches/"feature/branch"/*).
• Fix externalbrowser auth for headless systems.
• Update project definition with supported python versions aligned with snowflake-connector-python

Deprecations

• snow streamlit deploy --experimental flag is deprecated. Versioned deployment is now the default behavior.

New additions

• snow streamlit deploy now uses versioned stages by default (modern FROM syntax with automatic version management)
• Added snow streamlit deploy --legacy flag to use the legacy ROOT_LOCATION deployment for backward compatibility

Fixes and improvements