snowflake datasource authentication : Portal

Need
This article is detailing the expected behavior of Snowflake data source authentication using private keys when connecting from Semarchy xDM.

Summarized Solution

How to actually configure a Snowflake data source in Semarchy, is detailed in our documentation.

The goal here is to help you determine which authentication is needed according to your URL type.

Detailed Solution

When using private key authentication with Snowflake, the connection behavior depends on the type of URL configured in the data source:

When the URL includes the region, for example: xyz.eu-west-1.snowflakecomputing.com

Snowflake considers this an internal route (used by native apps inside Snowflake).

In this context, only OAuth authentication is allowed.

Private key authentication is therefore rejected.

When the URL does not include the region, for example: xyz.snowflakecomputing.com

The connection is established through the external route, and private key authentication works correctly.

This is the expected behavior according to Snowflake.

How to identify both URLs?

You can list the internal and external URLs available for your account by running this query in Snowflake:

SELECT 
   t.VALUE:type::VARCHAR AS type, 
   t.VALUE:host::VARCHAR AS host, 
   t.VALUE:port AS port 
FROM TABLE(FLATTEN(input => PARSE_JSON(SYSTEM$ALLOWLIST()))) AS t;

Additional configuration:

If your account identifier contains underscores, the following parameter must be added to the JDB connection string:

allowUnderscoresInHost=true

This ensures the Snowflake driver accepts underscore in hostnames when using the region-free URL.

Snowflake - How to know which data source authentication pattern is needed? Print

NeedThis article is detailing the expected behavior of Snowflake data source authentication using private keys when connecting from Semarchy xDM.