
Modern Authentication in Snowflake: Programmatic Access Tokens with Role and Network Controls

4 min read · May 17, 2025

Snowflake now supports Programmatic Access Tokens (PATs), offering a flexible and secure way to authenticate users and services programmatically — without needing to store usernames or passwords.

This section demonstrates how to:

  • Create a relaxed authentication policy (no network policy enforcement)
  • Set PAT-specific expiry rules
  • Issue PATs for both individual and service accounts
  • Restrict PATs to specific roles

Step 1: Create a Relaxed Authentication Policy

By default, Snowflake enforces network policies (e.g., IP allowlists) during authentication. However, some automated or external systems (like CI/CD tools or integration platforms) may need to bypass these restrictions. To accommodate such use cases, you can create a relaxed authentication policy:

-- Disable network policy evaluation for this auth policy
CREATE AUTHENTICATION POLICY relaxed_auth_policy
PAT_POLICY = (
NETWORK_POLICY_EVALUATION = NOT_ENFORCED
);

Tip: Use this only for trusted environments. Skipping network policy checks may expose your org to security risks if misconfigured.

Step 2: Attach PAT Support to the Authentication Policy

Next, enable PROGRAMMATIC_ACCESS_TOKEN as an accepted authentication method:

ALTER AUTHENTICATION POLICY relaxed_auth_policy
SET AUTHENTICATION_METHODS = ('PROGRAMMATIC_ACCESS_TOKEN');

Step 3: Configure PAT Expiry Rules

You can customize the maximum and default expiration durations for PATs to align with your org’s security posture:

ALTER AUTHENTICATION POLICY relaxed_auth_policy
SET PAT_POLICY = (
MAX_EXPIRY_IN_DAYS = 90,
DEFAULT_EXPIRY_IN_DAYS = 30
);

Step 4: Issue a PAT for Yourself (Current User)

Now, let’s issue a PAT for your current user using the updated authentication policy:

-- Issue a PAT for your user
-- No user name is given, so the token is issued for the current user
ALTER USER
ADD PROGRAMMATIC ACCESS TOKEN my_token;

The token secret is returned immediately, ready to use in API clients, Postman, or your app backend. It is shown only once, so store it in a secrets manager at that point; it cannot be retrieved again later.

Authenticate and Use PAT in API Requests

After obtaining a PAT, use it as a Bearer token to authenticate Snowflake SQL API calls.

Example curl request (the token in the session below is redacted). Note that the response reports ACCOUNTADMIN: the token from Step 4 was issued without ROLE_RESTRICTION, so it carries the user's full default role, which is exactly what Step 5 addresses:

(base) satish@Satishs-MacBook-Air ~ % export SNOWFLAKE_TOKEN="eyxxxxxxxiIyNDMyNDI0NjYzNDMzMjIyIiwiYWxnIjoiRVMyNTYifQ.eyJwIjoiMTQ0OTgzODEyOjM3MTE1ODU1MjM3IiwiaXNzIjoiU0Y6MTA0OSIsImV4cCI6MTc0ODc3OTA5OH0.ww83r6urSyzYoN0qS8QJW94R5pMeOqAkQ3aS_ERKCxTbkQxeQjyhFFNkU0jPW39Av6Ss0pdId1ld3hKMFkI1Qg"
(base) satish@Satishs-MacBook-Air ~ % curl -X POST https://XXACBQT-RBB56730.snowflakecomputing.com/api/v2/statements \
  -H "Authorization: Bearer $SNOWFLAKE_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "statement": "SELECT CURRENT_ROLE();",
    "timeout": 60
  }'
{
  "resultSetMetaData" : {
    "numRows" : 1,
    "format" : "jsonv2",
    "partitionInfo" : [ {
      "rowCount" : 1,
      "uncompressedSize" : 16
    } ],
    "rowType" : [ {
      "name" : "CURRENT_ROLE()",
      "database" : "",
      "schema" : "",
      "table" : "",
      "scale" : null,
      "nullable" : true,
      "byteLength" : 16777216,
      "length" : 16777216,
      "type" : "text",
      "precision" : null,
      "collation" : null
    } ]
  },
  "data" : [ ["ACCOUNTADMIN"] ],
  "code" : "090001",
  "statementStatusUrl" : "/api/v2/statements/01bc68ec-0105-4c89-0008-a447000731ae?requestId=bf7c8130-267b-4be6-b06a-8e624e2b0d03",
  "requestId" : "bf7c8130-267b-4be6-b06a-8e624e2b0d03",
  "sqlState" : "00000",
  "statementHandle" : "01bc68ec-0105-4c89-0008-a447000731ae",
  "message" : "Statement executed successfully.",
  "createdOn" : 1747490697666
}

Step 5: Issue a PAT for a Service User with Role Restriction

In many enterprise scenarios, you want to tightly control which roles a service user’s PAT can access. This minimizes security risks and ensures role-based isolation.

First, grant the necessary role to the user:

GRANT ROLE servicenow_metadata_role TO USER my_service_user;

Then, issue a PAT that is explicitly restricted to that role:

-- ROLE_RESTRICTION must name a role that is already granted to the user
ALTER USER IF EXISTS my_service_user
ADD PROGRAMMATIC ACCESS TOKEN my_service_token
ROLE_RESTRICTION = 'SERVICENOW_METADATA_ROLE'
DAYS_TO_EXPIRY = 10
COMMENT = 'Expires in 10 days';

The token will inherit only the privileges of the specified role and will expire in 10 days.

Step 6: Issuing PATs for Service Users with Network Restrictions

Key Security Controls

✅ IP-based access restrictions
✅ Service account isolation
✅ Short-lived tokens
✅ Role-based privilege limitation

1. Create Authentication Policy with PAT Controls

-- ENFORCED_REQUIRED: PAT authentication fails unless a network policy applies to the user
CREATE AUTHENTICATION POLICY service_auth_policy
PAT_POLICY = (
NETWORK_POLICY_EVALUATION = ENFORCED_REQUIRED
);

2. Create Dedicated Service User

-- Assumes the warehouse servicenow_wh and the role servicenow_readonly already exist
CREATE USER servicenow_loader
DEFAULT_WAREHOUSE = 'servicenow_wh';
GRANT ROLE servicenow_readonly TO USER servicenow_loader;

3. Issue Restricted PAT

ALTER USER servicenow_loader
ADD PROGRAMMATIC ACCESS TOKEN prod_token
ROLE_RESTRICTION = 'servicenow_readonly'
DAYS_TO_EXPIRY = 1 -- Daily rotation recommended
COMMENT = 'ServiceNow production loader - IP restricted';
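The three statements above create the policy, the user and the token, but none of them binds a network policy or the authentication policy to the user, and with NETWORK_POLICY_EVALUATION = ENFORCED_REQUIRED the token will be rejected until a network policy applies. The following is an added example (not from the original post) that wires the pieces together and adds a login-history check; the policy name servicenow_loader_np and the CIDR are constructed placeholders.

```sql
-- Added example: complete the Step 6 wiring for servicenow_loader.
-- The allowlist below is a placeholder from the RFC 5737 documentation range;
-- replace it with the loader's real egress addresses.

-- 1. Network policy that admits only the loader's egress addresses
CREATE NETWORK POLICY servicenow_loader_np
  ALLOWED_IP_LIST = ('203.0.113.0/24');   -- placeholder CIDR

-- 2. Bind the network policy and the PAT-aware authentication policy to the user.
--    Without these two statements the ENFORCED_REQUIRED setting never takes effect
--    for this user, and the account default (if any) applies instead.
ALTER USER servicenow_loader SET NETWORK_POLICY = 'servicenow_loader_np';
ALTER USER servicenow_loader SET AUTHENTICATION POLICY service_auth_policy;

-- 3. Verify the bindings and the token's role restriction before handing the secret over
SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN USER servicenow_loader;
SHOW USER PROGRAMMATIC ACCESS TOKENS FOR USER servicenow_loader;

-- 4. Detection: failed PAT logins for this user (e.g. from an IP outside the allowlist).
--    ACCOUNT_USAGE lags real time by up to a couple of hours.
SELECT event_timestamp, client_ip, first_authentication_factor, error_code, error_message
FROM snowflake.account_usage.login_history
WHERE user_name = 'SERVICENOW_LOADER'
  AND is_success = 'NO'
  AND event_timestamp > DATEADD('day', -1, CURRENT_TIMESTAMP())
ORDER BY event_timestamp DESC;
```

Run the SHOW statements as a role with the APPLY NETWORK POLICY and APPLY AUTHENTICATION POLICY privileges; the ALTER USER statements fail silently in the sense that a missing privilege is reported on the policy, not on the PAT.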

✅ Summary

With just a few SQL statements, you’ve:

  • Created a flexible authentication policy
  • Enabled long-lived, role-restricted tokens
  • Avoided dependency on password-based authentication
  • Made your integrations safer and easier to manage

Best Practice: Always use ROLE_RESTRICTION for service tokens and rotate them periodically. For external apps, consider using OAuth 2.0 if user consent or broader scopes are needed.
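Rotation in practice means issuing a new secret while the old one is still valid, then retiring the old one. The block below is an added example (not from the original post) applied to the prod_token from Step 6; the EXPIRE_ROTATED_TOKEN_AFTER_HOURS parameter and the MODIFY ... SET DISABLED form are taken from the ALTER USER token syntax and are assumptions to check against your Snowflake release.

```sql
-- Added example: token lifecycle for the Step 6 service token.

-- Rotate: a new secret is returned once; the previous secret stays valid
-- for one more hour so the loader can switch over without an outage.
ALTER USER servicenow_loader
  ROTATE PROGRAMMATIC ACCESS TOKEN prod_token
  EXPIRE_ROTATED_TOKEN_AFTER_HOURS = 1;

-- Containment: if the secret is suspected leaked, disable the token immediately.
-- The token object is kept, so it still appears in audit listings.
ALTER USER servicenow_loader
  MODIFY PROGRAMMATIC ACCESS TOKEN prod_token SET DISABLED = TRUE;

-- Decommission: remove the token entirely once the integration is retired.
ALTER USER servicenow_loader
  REMOVE PROGRAMMATIC ACCESS TOKEN prod_token;
```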

Conclusion
Snowflake’s Programmatic Access Tokens (PATs) offer a powerful alternative to traditional password-based authentication, enabling secure, role-restricted, and IP-aware integrations across your platform. By combining relaxed or enforced network policies with PAT expiry rules and role restrictions, you gain granular control over service and user access — while maintaining enterprise-grade security.

Embrace PATs to modernize your authentication strategy, reduce secret sprawl, and future-proof your integration pipelines.

Follow @SnowflakeChronicles for more hands-on Snowflake tips, real-world use cases, and security best practices.
