To connect to Snowflake, specify a valid connection string composed of key-value pairs separated by semicolons, i.e "<key1>=<value1>;<key2>=<value2>...".
Note: If the value contains semicolons (;), equal signs (=), or other characters that interfere with parsing,
surround it with double quotation marks (""). For example password="=;;;=dummy==password;;".
Note: Connections should not be shared across multiple threads.
For the full list of supported connection string properties, see the Connection Properties Reference at the bottom of this page.
using var conn = new SnowflakeDbConnection();
conn.ConnectionString = "account=testaccount;user=testuser;password=XXXXX;db=testdb;schema=testschema";
await conn.OpenAsync(cancellationToken);Beginning with version 2.0.18, the connector uses Microsoft DbConnectionStringBuilder to follow the .NET specification for escaping characters in connection strings.
Special characters in connection strings:
-
Single quote (
'):var connectionString = "account=testaccount;user=testuser;password=test'password;";
-
Double quote (
"):var connectionString = "account=testaccount;user=testuser;password=test\"password;";
-
Semicolon (
;):var connectionString = "account=testaccount;user=testuser;password=\"test;password\";";
-
Equal sign (
=):var connectionString = "account=testaccount;user=testuser;password=test=password;";
Note that prior to version 2.0.18, a double equal sign (
==) was required to escape=. This is no longer necessary.
Snowflake supports double-quoted identifiers for object property values (WAREHOUSE, DATABASE, SCHEMA, ROLE). The value is case-sensitive and allows special characters:
var connectionString = "account=testaccount;db=\"testDB\";";To include a " within the value, escape it with \"\":
var connectionString = "account=testaccount;db=\"\"\"test\"\"db\"\"\";";
// DATABASE => ""test"db""-
Key-pair authentication
After setting up key-pair authentication, specify the private key in one of the following ways:
-
Unencrypted private key file:
using var conn = new SnowflakeDbConnection(); conn.ConnectionString = "account=testaccount;authenticator=snowflake_jwt;user=testuser;private_key_file={pathToThePrivateKeyFile};db=testdb;schema=testschema"; await conn.OpenAsync(cancellationToken);
-
Encrypted private key file:
using var conn = new SnowflakeDbConnection(); conn.ConnectionString = "account=testaccount;authenticator=snowflake_jwt;user=testuser;private_key_file={pathToThePrivateKeyFile};private_key_pwd={passwordForDecryptingThePrivateKey};db=testdb;schema=testschema"; await conn.OpenAsync(cancellationToken);
-
Unencrypted private key read from a file:
var privateKeyContent = File.ReadAllText(pathToThePrivateKeyFile); using var conn = new SnowflakeDbConnection(); conn.ConnectionString = $"account=testaccount;authenticator=snowflake_jwt;user=testuser;private_key={privateKeyContent};db=testdb;schema=testschema"; await conn.OpenAsync(cancellationToken);
-
-
OAuth
After setting up OAuth, set
AUTHENTICATOR=oauthandTOKENto the OAuth token.using var conn = new SnowflakeDbConnection(); conn.ConnectionString = "account=testaccount;user=testuser;authenticator=oauth;token={oauthTokenValue};db=testdb;schema=testschema"; conn.Open();
-
OAuth Authorization Code Flow
Unlike simple OAuth, the driver communicates directly with the Identity Provider (Snowflake, Okta, etc.) to obtain tokens. A browser is opened for the authorization endpoint; after the user authenticates, the driver exchanges the authorization code for an access token.
Tokens are cached when
CLIENT_STORE_TEMPORARY_CREDENTIAL=true(default on Windows,falseon Mac/Linux), reducing repeated browser interactions.using var conn = new SnowflakeDbConnection(); conn.ConnectionString = "account=testaccount;user=testuser;db=testdb;schema=testschema;authenticator=oauth_authorization_code;oauthScope=testScope;oauthClientId=testClientId;oauthClientSecret=testClientSecret;oauthAuthorizationUrl=https://testauthorize.okta.com;oauthTokenRequestUrl=https://testtoken.okta.com;oauthRedirectUri=http://localhost:8001/snowflake/oauth-redirect"; await conn.OpenAsync(cancellationToken);
The client secret can also be provided as a secure property instead of in the connection string:
using var conn = new SnowflakeDbConnection("connection-string-without-client-secret"); conn.OAuthClientSecret = ...; // configure client secret here await conn.OpenAsync(cancellationToken);
Note: On Mac/Linux the browser is started via
open/xdg-open. Ensure the command is on yourPATH. -
OAuth Client Credentials Flow
Similar to OAuth Authorization Code Flow, but does not require human interaction or a token cache. The driver obtains an access token directly from the Identity Provider.
using var conn = new SnowflakeDbConnection(); conn.ConnectionString = "account=testaccount;user=testuser;db=testdb;schema=testschema;authenticator=oauth_client_credentials;oauthScope=testScope;oauthClientId=testClientId;oauthClientSecret=testClientSecret;oauthTokenRequestUrl=https://testtoken.okta.com;"; await conn.OpenAsync(cancellationToken);
The client secret can also be provided as a secure property:
using var conn = new SnowflakeDbConnection("connection-string-without-client-secret"); conn.OAuthClientSecret = ...; // configure client secret here await conn.OpenAsync(cancellationToken);
-
Programmatic Access Token
Generate a programmatic access token for your user and use it to authenticate.
using var conn = new SnowflakeDbConnection(); conn.ConnectionString = "account=testaccount;user=testuser;db=testdb;schema=testschema;authenticator=programmatic_access_token;token=testtoken"; await conn.OpenAsync(cancellationToken);
The token can also be provided as a secure property:
using var conn = new SnowflakeDbConnection("connection-string-without-token"); conn.Token = ...; // configure token here await conn.OpenAsync(cancellationToken);
-
Workload Identity Federation
Credentials are retrieved from the cloud platform where the application is running (AWS, Azure, GCP). The OIDC provider option allows supplying your own token.
// AWS using var connAws = new SnowflakeDbConnection("authenticator=workload_identity;workload_identity_provider=aws;account=test;"); // Azure (default entra resource) using var connAzure = new SnowflakeDbConnection("authenticator=workload_identity;workload_identity_provider=azure;account=test;"); // Azure (custom entra resource) using var connAzureCustom = new SnowflakeDbConnection("authenticator=workload_identity;workload_identity_provider=azure;workload_identity_entra_resource=api://fd3f753b-eed3-462c-b6a7-a4b5bb650aad;account=test;"); // GCP using var connGcp = new SnowflakeDbConnection("authenticator=workload_identity;workload_identity_provider=gcp;account=test;"); // OIDC (your own token) using var connOidc = new SnowflakeDbConnection("authenticator=workload_identity;workload_identity_provider=oidc;token=yourtoken;account=test;");
For Azure, the client ID can be set via the
MANAGED_IDENTITY_CLIENT_IDenvironment variable. -
Browser-based SSO
Set
AUTHENTICATOR=externalbrowser. Optionally setUSERto restrict authentication to a specific identity.using var conn = new SnowflakeDbConnection(); conn.ConnectionString = "account=testaccount;authenticator=externalbrowser;user={login_name_for_IdP};db=testdb;schema=testschema"; await conn.OpenAsync(cancellationToken);
Override the default browser timeout with
BROWSER_RESPONSE_TIMEOUT(in seconds).Note: On Mac/Linux the browser is started via
open/xdg-open. Ensure the command is on yourPATH. -
Native SSO through Okta
Set
AUTHENTICATORto the URL of your Okta account endpoint, andUSERto the login name for your IdP.using var conn = new SnowflakeDbConnection(); conn.ConnectionString = "account=testaccount;authenticator={okta_url_endpoint};user={login_name_for_IdP};db=testdb;schema=testschema"; await conn.OpenAsync(cancellationToken);
In v2.0.4 and later, the driver can connect through a proxy server:
using var conn = new SnowflakeDbConnection();
conn.ConnectionString = "account=testaccount;user=testuser;password=XXXXX;db=testdb;schema=testschema;useProxy=true;proxyHost=myproxyserver;proxyPort=8888;proxyUser=test;proxyPassword=test";
await conn.OpenAsync(cancellationToken);Use NONPROXYHOSTS to bypass the proxy for specific hosts. Values must match the full URL including scheme. Separate multiple patterns with |.
Examples:
*— bypass all hosts*.snowflakecomputing.com— bypass all Snowflake hostshttps:\\testaccount.snowflakecomputing.com— bypass a specific host*.myserver.com | *testaccount*— multiple patterns
Note: Patterns without a scheme or wildcard will not match.
myaccount.snowflakecomputing.comis not bypassed, but*myaccount.snowflakecomputing.comis.
Connection parameters can be defined in a connections.toml file. The driver looks for it in:
- The path in
SNOWFLAKE_HOMEenvironment variable ~/.snowflake/connections.toml(Mac/Linux) or%USERPROFILE%\.snowflake\connections.toml(Windows)
On Mac/Linux, the file must have restricted permissions:
chown $USER connections.toml
chmod 0600 connections.tomlExample connections.toml:
[myconnection]
account = "myaccount"
user = "jdoe"
password = "xyz1234"using var conn = new SnowflakeDbConnection();
await conn.OpenAsync(cancellationToken); // reads connection definition from configuration fileThe default connection name is default. Override it with the SNOWFLAKE_DEFAULT_CONNECTION_NAME environment variable:
set SNOWFLAKE_DEFAULT_CONNECTION_NAME=my_prod_connectionSpecial characters in TOML values:
- Single quote (
'):password = "fake\'password" - Double quote (
"):password = "fake\"password"- When combined with other characters requiring double-quote wrapping:
password = "\";fake\"\"password\""
- When combined with other characters requiring double-quote wrapping:
- Semicolon (
;):password = "\";fakepassword\"" - Equal sign (
=):password = "fake=password"
| Connection Property | Required | Comment |
|---|---|---|
| ACCOUNT | 🔴 Required | Your full account name might include additional segments that identify the region and cloud platform where your account is hosted |
| APPLICATION | 🟢 Optional | Snowflake partner use only: Specifies the name of a partner application to connect through .NET. The name must match the following pattern: ^[A-Za-z]([A-Za-z0-9.-]){1,50}$ (one letter followed by 1 to 50 letter, digit, .,- or, _ characters). |
| DB | 🟢 Optional | |
| HOST | 🟢 Optional | Specifies the hostname for your account in the following format: <ACCOUNT>.snowflakecomputing.com. If no value is specified, the driver uses <ACCOUNT>.snowflakecomputing.com. |
| PASSWORD | 🔶 Depends | Required if AUTHENTICATOR is set to snowflake (the default value) or the URL for native SSO through Okta. Ignored for all the other authentication types. |
| ROLE | 🟢 Optional | |
| SCHEMA | 🟢 Optional | |
| USER | 🔶 Depends | If AUTHENTICATOR is set to externalbrowser this is optional. For native SSO through Okta, set this to the login name for your identity provider (IdP). |
| WAREHOUSE | 🟢 Optional | |
| CONNECTION_TIMEOUT | 🟢 Optional | Total timeout in seconds when connecting to Snowflake. The default is 300 seconds |
| RETRY_TIMEOUT | 🟢 Optional | Total timeout in seconds for supported endpoints of retry policy. The default is 300 seconds. The value can only be increased from the default value or set to 0 for infinite timeout |
| MAXHTTPRETRIES | 🟢 Optional | Maximum number of times to retry failed HTTP requests (default: 7). Set to 0 to remove the retry limit (risks infinite retries). |
| CLIENT_SESSION_KEEP_ALIVE | 🟢 Optional | Whether to keep the current session active after a period of inactivity, or to force the user to login again. If the value is true, Snowflake keeps the session active indefinitely, even if there is no activity from the user. If the value is false, the user must log in again after four hours of inactivity. The default is false. Setting this value overrides the server session property for the current session. |
| BROWSER_RESPONSE_TIMEOUT | 🟢 Optional | Number to seconds to wait for authentication in an external browser (default: 120). |
| DISABLERETRY | 🟢 Optional | Set to true to prevent the driver from reconnecting automatically when the connection fails or drops. Default: false. |
| AUTHENTICATOR | 🟢 Optional | The method of authentication. Currently supports the following values: - snowflake (default): You must also set USER and PASSWORD. - the URL for native SSO through Okta: You must also set USER and PASSWORD. - externalbrowser: You can also set USER. - snowflake_jwt: You must also set PRIVATE_KEY_FILE or PRIVATE_KEY. - oauth: You must also set TOKEN. - oauth_authorization_code: when authorizing with Snowflake all the OAUTH prefixed parameters are optional, for external provider required are: OAUTHCLIENTID, OAUTHCLIENTSECRET, OAUTHSCOPE, OAUTHAUTHORIZATIONURL, OAUTHTOKENREQUESTURL, OAUTHREDIRECTURI - oauth_client_credentials: You must provide OAUTHCLIENTID, OAUTHCLIENTSECRET, OAUTHSCOPE, OAUTHTOKENREQUESTURL, OAUTHREDIRECTURI - programmatic_access_token: You must provide TOKEN parameter - workload_identity: you must provide WORKLOAD_IDENTITY_PROVIDER, mandatory is WORKLOAD_IDENTITY_ENTRA_RESOURCE for Azure and TOKEN for OIDC provider |
| VALIDATE_DEFAULT_PARAMETERS | 🟢 Optional | Whether DB, SCHEMA and WAREHOUSE should be verified when making connection. Default: true. |
| PRIVATE_KEY_FILE | 🔶 Depends | The path to the private key file to use for key-pair authentication. Must be used in combination with AUTHENTICATOR=snowflake_jwt |
| PRIVATE_KEY_PWD | 🟢 Optional | The passphrase to use for decrypting the private key, if the key is encrypted. |
| PRIVATE_KEY | 🔶 Depends | The private key to use for key-pair authentication. Must be used in combination with AUTHENTICATOR=snowflake_jwt. If the private key value includes any equal signs (=), make sure to replace each equal sign with two signs (==) to ensure that the connection string is parsed correctly. |
| TOKEN | 🔶 Depends | The OAuth token to use for OAuth authentication or Programmatic Access Token authentication or Workload Identity Federation for OIDC. Must be used in combination with AUTHENTICATOR=oauth or AUTHENTICATOR=programmatic_access_token or AUTHENTICATOR=workload_identity. |
| USEPROXY | 🟢 Optional | Set to true to use a proxy server. Default: false. |
| PROXYHOST | 🔶 Depends | The hostname of the proxy server. Required if USEPROXY is true. |
| PROXYPORT | 🔶 Depends | The port number of the proxy server. Required if USEPROXY is true. |
| PROXYUSER | 🟢 Optional | The username for authenticating to the proxy server. |
| PROXYPASSWORD | 🔶 Depends | The password for authenticating to the proxy server. Required if USEPROXY is true and PROXYUSER is set. |
| NONPROXYHOSTS | 🟢 Optional | Pipe-separated (|) list of hosts to bypass the proxy. Supports asterisk (*) wildcards. The value must match the full URL including scheme. |
| FILE_TRANSFER_MEMORY_THRESHOLD | 🟢 Optional | Maximum bytes to hold in memory for file encryption/decryption. If the file exceeds this size, a temporary file is used. Default: 1048576 (1 MB). |
| CLIENT_CONFIG_FILE | 🟢 Optional | Path to the client configuration JSON file for easy logging. |
| ALLOWUNDERSCORESINHOST | 🟢 Optional | Allow underscores in account names. Required for PrivateLink customers whose account names contain underscores. Default: false. |
| QUERY_TAG | 🟢 Optional | Tag applied to queries and SQL statements within the connection. Visible in QUERY_HISTORY output. Can also be set per-statement via SnowflakeDbCommand.QueryTag. |
| MAXPOOLSIZE | 🟢 Optional | Maximum number of connections in a pool. Default: 10. Cannot be lower than MINPOOLSIZE. |
| MINPOOLSIZE | 🟢 Optional | Minimum number of connections in a pool. Additional connections are created in the background. Default: 2. Cannot exceed MAXPOOLSIZE. |
| CHANGEDSESSION | 🟢 Optional | Behavior when a connection's session variables (schema, database, warehouse, role) are altered. Default: OriginalPool. |
| WAITINGFORIDLESESSIONTIMEOUT | 🟢 Optional | Timeout when waiting for an idle session in a full pool. Supports units: 1000ms, 15s, 2m (default unit: seconds). Default: 30s. Set to 0 for immediate failure. |
| EXPIRATIONTIMEOUT | 🟢 Optional | Maximum lifetime of a pooled connection. Supports units: 360000ms, 3600s, 60m (default unit: seconds). Default: 1 hour. Set to 0 for immediate expiration. |
| POOLINGENABLED | 🟢 Optional | Enable or disable connection pooling. Default: true. |
| DISABLE_SAML_URL_CHECK | 🟢 Optional | Skip SAML postback URL validation against the connection string host. Default: false. |
| CLIENT_STORE_TEMPORARY_CREDENTIAL | 🟢 Optional | Cache tokens for external browser or OAuth authorization code flow. Default: true. |
| PASSCODE | 🟢 Optional | Passcode from a 2FA application for Multi-Factor Authentication. |
| PASSCODEINPASSWORD | 🟢 Optional | Whether the MFA passcode is appended to the password. |
| OAUTHCLIENTID | 🔶 Depends | Client ID for OAuth flows. Required for OAuth Authorization Code Flow and OAuth Client Credentials Flow. Auto-filled with LOCAL_APPLICATION for Snowflake-provided OAuth when neither OAUTHCLIENTID nor OAUTHCLIENTSECRET are set. |
| OAUTHCLIENTSECRET | 🔶 Depends | Client secret for OAuth flows. Required for OAuth Authorization Code Flow and OAuth Client Credentials Flow. Auto-filled with LOCAL_APPLICATION for Snowflake-provided OAuth when neither OAUTHCLIENTID nor OAUTHCLIENTSECRET are set. |
| OAUTHSCOPE | 🔶 Depends | Requested scope for OAuth flows. If not provided, built from ROLE. |
| OAUTHAUTHORIZATIONURL | 🔶 Depends | Authorization endpoint URL for OAuth Authorization Code Flow. Required for non-Snowflake Identity Providers. |
| OAUTHTOKENREQUESTURL | 🔶 Depends | Token endpoint URL for OAuth flows. Required for OAuth Client Credentials Flow and non-Snowflake Identity Providers in Authorization Code Flow. |
| OAUTHREDIRECTURI | 🔶 Depends | Local endpoint the driver listens on for OAuth Authorization Code Flow. Required for non-Snowflake Identity Providers. |
| WORKLOAD_IDENTITY_PROVIDER | 🔶 Depends | Attestation provider for Workload Identity Federation: OIDC, AZURE, AWS, or GCP. Required when AUTHENTICATOR is workload_identity. |
| WORKLOAD_IDENTITY_ENTRA_RESOURCE | 🟢 Optional | Entra resource for Azure Workload Identity Federation. Default: api://fd3f753b-eed3-462c-b6a7-a4b5bb650aad. |
| WORKLOAD_IMPERSONATION_PATH | 🟢 Optional | Comma-separated identities for transitive service account impersonation. AWS and GCP only. For GCP: service account emails. For AWS: IAM role ARNs. Each identity needs permissions to impersonate the next. |
| OAUTHENABLESINGLEUSEREFRESHTOKENS | 🟢 Optional | Request single-use refresh tokens in OAuth Authorization Code Flow. Default: false. |
| CERTREVOCATIONCHECKMODE | 🟢 Optional | Certificate revocation check mode. Values: disabled (default), enabled, advisory, native. Advisory allows connections when CRL check encounters errors but blocks revoked certificates. Native uses System.Net.Http.HttpClientHandler. |
| ENABLECRLDISKCACHING | 🟢 Optional | Enable file-based CRL cache when driver CRL checks are active. Default: true. |
| ENABLECRLINMEMORYCACHING | 🟢 Optional | Enable in-memory CRL cache when driver CRL checks are active. Default: true. |
| ALLOWCERTIFICATESWITHOUTCRLURL | 🟢 Optional | Accept certificates without a CRL URL when driver CRL checks are active. Default: false. |
| CRLDOWNLOADTIMEOUT | 🟢 Optional | Timeout in seconds for downloading CRL files. Default: 10. |
| CRLDOWNLOADMAXSIZE | 🟢 Optional | Maximum size in bytes for CRL file downloads. Default: 209715200 (200 MB). |
| MINTLS | 🟢 Optional | Minimum TLS version. Values: TLS12 (default), TLS13. |
| MAXTLS | 🟢 Optional | Maximum TLS version. Values: TLS12, TLS13 (default). |
| SERVICE_POINT_CONNECTION_LIMIT | 🟢 Optional | Maximum connections for the ServicePoint object. Default: 20. Only the limit from the first connection string takes effect. |
| HONORSESSIONTIMEZONE | 🟢 Optional | When true, TIMESTAMP_LTZ values honor the session TIMEZONE parameter instead of the local machine timezone. Default: false. |
| ALLOW_NUMBER_OVERFLOW_AS_STRING | 🟢 Optional | When true, numeric values that overflow System.Decimal (e.g. NUMBER(38,0) values exceeding ~7.9×10²⁸) are returned as strings instead of throwing OverflowException. Default: false. |