# Tried connecting to Snowflake from an EC2 instance using ODBC driver with workload identity federation

## Introduction
In the August 2025 update, workload identity federation, a feature that enables more secure and simpler authentication to Snowflake from platforms such as AWS and Azure, became generally available.
This article summarizes my experience testing this feature.
## Overview of the Update
Workload identity federation is a feature that allows workloads such as applications and services to connect to Snowflake using the cloud provider's own identity mechanism, such as IAM roles on AWS. This configuration eliminates the need to store and manage long-term credentials like passwords or key pairs.
Additionally, activity logs are recorded in both Snowflake and each cloud service, making it possible to verify from both sides.
To authenticate with this configuration, you create a service user (TYPE = SERVICE) for the target service on the Snowflake side. Also, when each workload (external service) connects to Snowflake, it uses the Snowflake driver.
## Testing It Out
Here we'll use the ODBC driver to authenticate using Workload identity federation (referred to as WIF from here on).
### Prerequisites
- ODBC driver must be version 3.11.0 or higher
I used the following environment:
- OS: Amazon Linux 2023
- Driver manager: unixODBC
- Driver installed using RPM package
- ODBC driver version: 3.11.0

### Installing Snowflake ODBC Driver on EC2
First, I performed the driver package installation with the following steps.
```bash
# Update packages
$ sudo dnf upgrade --releasever=latest
# Check for updates after upgrading
$ sudo dnf check-upgrade --releasever=latest
# Install unixODBC
$ sudo dnf install -y unixODBC
# Replace gnupg2-minimal (installed by default on Amazon Linux 2023) with gnupg2-full
$ sudo dnf swap gnupg2-minimal gnupg2-full
# Import the Snowflake GPG public key used to verify the package signature
$ gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 2A3149C82551A34A
gpg: key 2A3149C82551A34A: public key "Snowflake Computing (Snowflake Computing Gpg key) <snowflake_gpg@snowflake.net>" imported
gpg: Total number processed: 1
gpg: imported: 1
# Download the package
$ wget https://sfc-repo.snowflakecomputing.com/odbc/linux/3.11.0/snowflake-odbc-3.11.0.x86_64.rpm
```
Verify the signature of the RPM driver package.
```bash
$ gpg --list-keys
/home/ec2-user/.gnupg/pubring.kbx
---------------------------------
pub   rsa4096 2024-09-16 [SC] [expires: 2026-09-16]
      F46822FE012CC3FF371724F75A125630709DD64B
uid           [ unknown] Snowflake Computing (Snowflake Computing Gpg key) <snowflake_gpg@snowflake.net>
sub   rsa4096 2024-09-16 [E] [expires: 2026-09-16]
$ rpm -K snowflake-odbc-3.11.0.x86_64.rpm
snowflake-odbc-3.11.0.x86_64.rpm: digests SIGNATURES NOT OK
```
As mentioned in the documentation, if `rpm` doesn't have the imported GPG key, you'll see the output above, so I continued with the following:

```bash
# Export the GPG key
$ gpg --export -a 2A3149C82551A34A > odbc-signing-key.asc
# Import the GPG key to RPM
$ sudo rpm --import odbc-signing-key.asc
# Verify the RPM file signature again
$ rpm -K snowflake-odbc-3.11.0.x86_64.rpm
snowflake-odbc-3.11.0.x86_64.rpm: digests signatures OK
```
Install the driver.
```bash
$ sudo dnf install -y snowflake-odbc-3.11.0.x86_64.rpm
Last metadata expiration check: 0:10:45 ago on Fri Aug 22 04:46:28 2025.
Dependencies resolved.
=============================================================================================================================================================================
Package Architecture Version Repository Size
=============================================================================================================================================================================
Installing:
snowflake-odbc x86_64 3.11.0-1 @commandline 64 M
Transaction Summary
=============================================================================================================================================================================
Install 1 Package
Total size: 64 M
Installed size: 212 M
Downloading Packages:
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Installing : snowflake-odbc-3.11.0-1.x86_64 1/1
Running scriptlet: snowflake-odbc-3.11.0-1.x86_64 1/1
[WARN] SF_ACCOUNT is not set, please manually update the odbc.ini file after installation
Adding driver info to odbcinst.ini...
odbcinst: Driver installed. Usage count increased to 1.
Target directory is /etc
Adding connect info to odbc.ini...
odbcinst: Sections and Entries from stdin have been added to ODBC.INI
Adding Simba Snowflake ini...
Creating a symlink /usr/lib64/libodbccr.so.1...
Verifying : snowflake-odbc-3.11.0-1.x86_64 1/1
Installed:
snowflake-odbc-3.11.0-1.x86_64
Complete!
```

Configure the driver. Run the following to edit the `simba.snowflake.ini` file.

```bash
$ sudo vi /usr/lib64/snowflake/odbc/lib/simba.snowflake.ini
```
Referring to the documentation, we added the following content:

```ini
ODBCInstLib=/usr/lib64/libodbcinst.so.2
ANSIENCODING=UTF-8
```
Configure the DSN settings. When checking `/etc/odbc.ini`, it contains the following by default:

```bash
$ cat /etc/odbc.ini
[snowflake]
Description=SnowflakeDB
Driver=SnowflakeDSIIDriver
Locale=en-US
SERVER=SF_ACCOUNT.snowflakecomputing.com
PORT=443
SSL=on
ACCOUNT=SF_ACCOUNT
```
I modified `/etc/odbc.ini` and added the following content for a test connection:

```ini
[snowflake_test]
Description=SnowflakeDB
Driver=SnowflakeDSIIDriver
Locale=en-US
SERVER=<organization>-<account>.snowflakecomputing.com
PORT=443
SSL=on
ACCOUNT=<organization>-<account>
```
With this configuration, the test connection worked successfully.
```bash
# Set environment variables
$ export SNOWSQL_USER="username"
$ export SNOWSQL_PWD="password"
# Connect to Snowflake (quoted so that special characters in the values survive the shell)
$ isql -v snowflake_test "$SNOWSQL_USER" "$SNOWSQL_PWD"
+---------------------------------------+
| Connected!                            |
|                                       |
| sql-statement                         |
| help [tablename]                      |
| quit                                  |
|                                       |
+---------------------------------------+
SQL> select current_timestamp();
+------------------------------+
| CURRENT_TIMESTAMP()          |
+------------------------------+
| 2025-08-22 05:12:31.892000000|
+------------------------------+
SQLRowCount returns 1
1 rows fetched
```
For more details on these procedures, please refer to:
https://docs.snowflake.com/en/developer-guide/odbc/odbc-linux

### Workload identity federation configuration: AWS side
Now we'll configure WIF.
For AWS, you can use IAM roles. Since we're connecting from an EC2 instance, we just need to attach an IAM role to the instance.
Here, we created an IAM role (`sf-workload-role`) with the following trust relationship, without attaching any permissions policies.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

We'll make note of the IAM role ARN as it's needed for Snowflake configuration.

```
arn:aws:iam::xxxxxxxxxxxx:role/sf-workload-role
```
### Workload identity federation configuration: Snowflake side

We created a service user in Snowflake for authentication using WIF with the following content. The ARN specifies the IAM role ARN created in the previous step.

```sql
CREATE USER service_ec2_user
  WORKLOAD_IDENTITY = (
    TYPE = AWS
    ARN = 'arn:aws:iam::xxxxxxxxxxxx:role/sf-workload-role'
  )
  TYPE = SERVICE
  DEFAULT_ROLE = PUBLIC;
```
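
With both sides defined, it is worth confirming on the instance that it really runs as the role named in `WORKLOAD_IDENTITY`, since a missing role is what produces the attestation error shown later in this article. The script below is an added example, not part of the original article or of Snowflake's tooling; the function names are hypothetical, it assumes `curl` and the AWS CLI are present on the instance, and the ARN comparison is a local sanity check rather than Snowflake's own matching logic.

```bash
#!/bin/sh
# Added example (not from the original article): WIF pre-flight check for EC2.
# Function names are hypothetical; requires curl and the AWS CLI on the instance.
IMDS=http://169.254.169.254/latest

# Map an STS role-session ARN (arn:<partition>:sts::<account>:assumed-role/<role>/<session>)
# to the IAM role ARN form used in CREATE USER ... WORKLOAD_IDENTITY.
# STS drops any IAM path, so roles created with a path will not round-trip.
role_arn_from_sts_arn() {
  case $1 in
    arn:*:sts::*:assumed-role/*/*) ;;
    *) return 1 ;;   # IAM user or other non-role caller
  esac
  partition=${1#arn:};        partition=${partition%%:*}
  account=${1#arn:*:sts::};   account=${account%%:*}
  role=${1#*:assumed-role/};  role=${role%%/*}
  printf 'arn:%s:iam::%s:role/%s\n' "$partition" "$account" "$role"
}

# $1 = ARN configured on the Snowflake service user.
preflight() {
  expected_arn=$1
  # IMDSv2: get a session token, then ask which role the instance profile carries.
  token=$(curl -sf -m 2 -X PUT "$IMDS/api/token" \
    -H 'X-aws-ec2-metadata-token-ttl-seconds: 60') || {
    echo 'FAIL: instance metadata service not reachable' >&2; return 2; }
  attached=$(curl -sf -m 2 -H "X-aws-ec2-metadata-token: $token" \
    "$IMDS/meta-data/iam/security-credentials/") || {
    echo 'FAIL: no IAM role attached, the driver cannot obtain an attestation' >&2
    return 3; }
  # GetCallerIdentity needs no IAM permissions, so it works with a policy-less role.
  sts_arn=$(aws sts get-caller-identity --query Arn --output text) || return 4
  actual_arn=$(role_arn_from_sts_arn "$sts_arn") || {
    echo "FAIL: caller is not a role session: $sts_arn" >&2; return 5; }
  if [ "$actual_arn" != "$expected_arn" ]; then
    echo "FAIL: running as $actual_arn, Snowflake user expects $expected_arn" >&2
    return 6
  fi
  echo "OK: instance role $attached matches $expected_arn"
}

# Usage on the instance: sh wif_preflight.sh 'arn:aws:iam::<account-id>:role/sf-workload-role'
if [ "$#" -eq 1 ]; then preflight "$1"; fi
```
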
### Workload identity federation configuration: Driver
With the above content, the configuration is almost complete. For the ODBC driver, we configure it to authenticate using WIF with the following steps. These steps are documented here:
Since we're using AWS (IAM role), we'll make the following settings:
- Set the `authenticator` connection parameter to `WORKLOAD_IDENTITY`
- Set the `workload_identity_provider` connection parameter to `AWS`
Edit the `/etc/odbc.ini` file to create a DSN with the above settings.

```bash
$ sudo vi /etc/odbc.ini
```

```ini
[snowflake_aws_wlif]
Description=Snowflake WLF for AWS
Driver=SnowflakeDSIIDriver
SERVER=<organization>-<account>.snowflakecomputing.com
PORT=443
SSL=on
ACCOUNT=<organization>-<account>
authenticator=WORKLOAD_IDENTITY
workload_identity_provider=AWS
```

### Try to Connect
In this state, when trying to connect from the EC2 instance without an IAM role attached, the following error occurred:
```bash
# Connect to Snowflake
$ isql -v snowflake_aws_wlif
[S1000][unixODBC][Snowflake][Snowflake] (62)
Unable to obtain workload identity attestation. Make sure that correct workload identity provider has been set and that Snowflake ODBC driver runs on supported environment.
After associating the IAM role mentioned earlier, the connection worked properly and queries could be executed.
$ isql -v snowflake_aws_wlif
+---------------------------------------+
| Connected! |
| |
| sql-statement |
| help [tablename] |
| quit |
| |
+---------------------------------------+
SQL> select current_user();
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| CURRENT_USER() |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| SERVICE_EC2_USER |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
SQLRowCount returns 1
1 rows fetched
```Checking the login history on Snowflake, I confirmed that the connection was made using WIF (Workload Identity Federation).
```sql
--Login history
select *
from table(information_schema.login_history())
order by event_timestamp desc;
+-------------------------------+-------------+------------+------------------+----------------+----------------------+-------------------------+-----------------------------+------------------------------+------------+------------+---------------+------------------+------------+------------------------+--------------------------------+---------------------------------+
| EVENT_TIMESTAMP | EVENT_ID | EVENT_TYPE | USER_NAME | CLIENT_IP | REPORTED_CLIENT_TYPE | REPORTED_CLIENT_VERSION | FIRST_AUTHENTICATION_FACTOR | SECOND_AUTHENTICATION_FACTOR | IS_SUCCESS | ERROR_CODE | ERROR_MESSAGE | RELATED_EVENT_ID | CONNECTION | CLIENT_PRIVATE_LINK_ID | FIRST_AUTHENTICATION_FACTOR_ID | SECOND_AUTHENTICATION_FACTOR_ID |
|-------------------------------+-------------+------------+------------------+----------------+----------------------+-------------------------+-----------------------------+------------------------------+------------+------------+---------------+------------------+------------+------------------------+--------------------------------+---------------------------------|
| 2025-08-22 14:47:35.319 +0900 | 11546574485 | LOGIN | SERVICE_EC2_USER | xx.xx.xx.xx | ODBC_DRIVER | 3.11.0 | WORKLOAD_IDENTITY | NULL | YES | NULL | NULL | NULL | NULL | NULL | 1 | NULL |
+-------------------------------+-------------+------------+------------------+----------------+----------------------+-------------------------+-----------------------------+------------------------------+------------+------------+---------------+------------------+------------+------------------------+--------------------------------+---------------------------------+
```

## In Conclusion
I tried authentication using workload identity federation.
In the case of IAM roles, the configuration steps are simple, and you can connect to Snowflake from a workload (in this case, an EC2 instance on AWS). Since there is no need to manage passwords or key pairs, I think this is a feature I would definitely like to use whenever possible.
I hope this information can be of some reference to you.