CI/CD pipelines let you automate Snowflake deployments so that changes are triggered by pull requests, merges, or scheduled runs rather than manual steps. Snowflake publishes first-party integrations for the most popular CI/CD platforms, each of which installs the Snowflake CLI on the runner and configures authentication to your Snowflake account.

In this Quickstart, we'll walk through configuring three of those integrations:

All three integrations support workload identity federation (WIF) with OpenID Connect (OIDC), which means your pipelines can authenticate to Snowflake with short-lived tokens instead of long-lived secrets. We'll focus on OIDC as the recommended approach and cover key-pair and password alternatives briefly.

This guide is structured so that you can follow one integration, two, or all three. Each platform section is self-contained.

Before diving into platform-specific configuration, let's look at the concepts that are shared across all Snowflake CI/CD integrations.

Every CI/CD pipeline authenticates to Snowflake as a service user — a non-human user created specifically for automation. You create this user in Snowflake with TYPE = SERVICE and grant it only the roles the pipeline needs.

Snowflake recommends workload identity federation (WIF) with OIDC for CI/CD. Here's how it works:

1. The CI runner requests a short-lived identity token from the platform's OIDC provider (GitHub, GitLab, Azure Entra ID).
2. The Snowflake CLI presents that token to Snowflake.
3. Snowflake validates the token's issuer and subject claims against the service user's WORKLOAD_IDENTITY configuration.
4. If the claims match, Snowflake creates a session. No passwords or private keys are involved.

Each platform has a different OIDC issuer URL and subject claim format. The platform-specific sections below provide the exact values.

Each first-party integration installs the Snowflake CLI (snow) on the CI runner. After the setup step completes, snow is available on PATH for all subsequent steps. You can then run commands like snow connection test, snow dcm deploy, snow sql, or snow app deploy.

Most CI/CD workflows combine a committed config.toml file (containing connection metadata but no credentials) with secrets injected through environment variables. The precedence rules are:

1. Command-line parameters override everything.
2. Environment variables targeting a specific connection parameter (e.g. SNOWFLAKE_CONNECTIONS_MYCONNECTION_ACCOUNT) override config.toml.
3. Values defined in config.toml are used when no override is provided.
4. Generic environment variables such as SNOWFLAKE_USER apply last.

In this section, we'll configure the Snowflake side of the integration by creating a service user that trusts GitHub's OIDC provider.

Connect to Snowflake with a user that has ACCOUNTADMIN or SECURITYADMIN privileges and run the following:

Here's what the code does:

The subject claim controls which GitHub context is allowed to authenticate. Replace <your_subject_claim> with the value that matches your use case:

For more details, see the GitHub OIDC subject claim documentation.

1. Go to your GitHub repository Settings > Secrets and variables > Actions.
2. Click New repository secret.
3. Add a secret named SNOWFLAKE_ACCOUNT with your Snowflake account identifier as the value.

Now let's create the GitHub Actions workflow that uses the Snowflake CLI GitHub Action to install the CLI and authenticate with OIDC.

Create or update your workflow file (e.g. .github/workflows/deploy.yml):

Here's what the code does:

Push a commit to your main branch to trigger the workflow. In the GitHub Actions logs, you should see:

If OIDC is not available, you can use key-pair authentication. Store your private key as a GitHub secret and pass it through environment variables.

Temporary connection (no config.toml):

Named connection (with config.toml):

Commit a config.toml with an empty connection block:

Then override the connection fields through environment variables:

Password authentication is supported but not recommended for production CI/CD. Store your password as a GitHub secret and pass it through environment variables:

In this section, we'll configure the Snowflake side of the integration by creating a service user that trusts GitLab's OIDC provider.

Connect to Snowflake with a user that has ACCOUNTADMIN or SECURITYADMIN privileges and run the following:

Here's what the code does:

The subject claim controls which GitLab context is allowed to authenticate. Replace <your_subject_claim> with the value that matches your use case. GitLab OIDC tokens use the following subject format:

For more details on customizing the subject, see the GitLab OIDC documentation.

1. In your GitLab project, go to Settings > CI/CD > Variables.
2. Click Add variable and add:

Now let's create the GitLab CI/CD pipeline that uses the Snowflake CI/CD Component to install the CLI and authenticate with OIDC.

Create or update your .gitlab-ci.yml file:

Here's what the code does:

Push a commit to trigger the pipeline. In the GitLab CI/CD job logs, you should see:

If OIDC is not available, you can use key-pair authentication. Store your private key as a CI/CD variable and pass it through environment variables.

First, add the following CI/CD variables in Settings > CI/CD > Variables:

Then configure the pipeline:

The CI/CD variables you set are automatically available as environment variables to all jobs. The Snowflake CLI reads them for authentication when using temporary connections (-x flag).

Use this method when you want to define named connections in a config.toml file and override credentials via CI/CD variables.

Commit a config.toml to your repository (no credentials):

Add the following CI/CD variables:

Then configure the pipeline:

Password authentication is supported but not recommended for production CI/CD. Store your password as a CI/CD variable and pass it through environment variables:

The Azure DevOps integration uses workload identity federation through an Azure Entra ID service connection. The setup has three parts: creating an Azure App Registration, creating an Azure DevOps service connection, and creating a Snowflake service user.

1. In the Azure Portal, go to Microsoft Entra ID > App registrations.
2. Click New registration, enter a name (e.g. snowflake-ado-wif), and register the application.
3. Note the Application (client) ID and Directory (tenant) ID.
4. Go to Certificates & secrets > Federated credentials > Add credential.
5. Select Other issuer and configure:
   • Issuer: https://vstoken.dev.azure.com/<your-Azure-AD-Tenant-ID>
   • Subject identifier: sc://<ADO-Org-Name>/<ADO-Project-Name>/<Service-Connection-Name>
   • Audience: api://AzureADTokenExchange

1. In your Azure DevOps project, go to Project Settings > Service connections.
2. Click New service connection > Azure Resource Manager.
3. Select Workload Identity federation (manual).
4. Fill in:
   • Service connection name: e.g. snowflake-wif-connection (this must match the subject identifier from the previous step)
   • Subscription ID / Name: Your Azure subscription
   • Service Principal ID: The Application (client) ID from the App Registration
   • Tenant ID: Your Azure AD Tenant ID
5. Save the connection.

Connect to Snowflake with a user that has ACCOUNTADMIN or SECURITYADMIN privileges and run:

Here's what the code does:

The following table summarizes the claim values:

Now let's create the Azure Pipeline that uses the Snowflake CLI Azure DevOps Extension to install the CLI and authenticate with OIDC.

Create a config.toml file at the root of your repository. This file contains connection metadata but no credentials:

Create or update your pipeline YAML file (e.g. azure-pipelines.yml):

Here's what the code does:

Run the pipeline. In the pipeline logs, you should see:

If workload identity federation is not available, you can use key-pair authentication. Store your credentials as Azure DevOps secret variables and pass them through environment variables.

First, add the following variables to your pipeline (under Pipelines > Library or directly in the pipeline):

Then configure the pipeline:

Password authentication is supported but not recommended for production CI/CD:

This section covers common issues you may encounter when setting up any of the three integrations.

Symptom: The workflow or pipeline fails when requesting an OIDC token.

GitHub Actions resolution:

GitLab CI/CD resolution:

Azure DevOps resolution:

Symptom: Snowflake rejects the OIDC token with a claim mismatch error.

Resolution: Verify the SUBJECT in your Snowflake service user matches the actual claims in the token. You can inspect the token by adding a debug step to your pipeline:

GitHub Actions:

GitLab CI/CD:

Common GitLab subject issues:

Azure DevOps:

Symptom: uv tool install snowflake-cli==X.Y.Z (GitHub) or pipx install snowflake-cli==X.Y.Z (Azure) fails with "no matching version".

Resolution:

Symptom: The ConfigureSnowflakeCLI@0 task fails with an error about pipx or PIPX_BIN_DIR.

Resolution: The ubuntu-latest agent image includes pipx by default. If you're using a custom agent image, install pipx before the task:

Symptom: The deploy job fails with snow: command not found.

Resolution: The Snowflake CLI is installed inside the configure-snowflake-cli job. If your subsequent jobs run in separate containers, the CLI will not be available. Options:

1. Use extends: .configure-snowflake-cli to inherit the job's configuration.
2. Install the CLI directly in your job using uv tool install snowflake-cli.

Congratulations! You've configured Snowflake CI/CD integrations that authenticate securely with OIDC — no long-lived secrets required.