Will the Snowflake DB connections continue to work from April after Snowflake's MFA policy changes?

rcGIS · ‎02-10-2025

Hello everyone,

We use Snowflake connections from ArcGIS Pro and ArcGIS Server (context). We currently use a Snowflake human user (username + passw). This also allows us to publish web layers to our ArcGIS Enterprise (context).

Snowflake is enforcing relevant security changes/requirements for users/accounts as presented here. When reviewing those changes, some will be already applied from April 2025: "Enable for all accounts the default authentication policy, with MFA enforced on password sign-ins for human users".

Will our DB connections continue to work from April 2025? Is anyone else facing the same potential issue and found a solution already?

---

Currently there are only two authentications types available to create a database connection file from ArcGIS Pro to Snowflake (User or browser-based SSO). Browser-based SSO is no alternative* for us. Key pair authentication might be a solution** for the future, but is not yet available within ArcGIS.

*This authentication method prompts you to provide credentials for authentication each time you connect. Do not use this method if you will publish web layers or use the data from this connection in geoprocessing models.

**Snowflake: "Note that these policies have no bearing on single sign-on users (using SAML or OAuth) or users using key-pair authentication."

With this information in mind, what are Esri's recommendations on the topic to avoid service interruptions (that the DB connections stop working)? Would switching to a Snowflake service user (instead of a human user) be a good workaround?

Thank you for your assistance,

Sarah_Hanson · ‎02-27-2025

Hi @rcGIS - Thank you for your post! You are correct that web layers published by reference to ArcGIS Enterprise from Snowflake using basic authentication with passwords will be impacted when MFA is enforced. We are excited to share that Snowflake's key-pair authentication will be supported in the next releases of ArcGIS Pro and ArcGIS Enterprise (3.5/11.5).

Would switching to a Snowflake service user (instead of a human user) be a good workaround? --> This is a great question. Setting the type to LEGACY_SERVICE appears to be one approach to prevent MFA and service disruption until November 2025.

Very soon, we will be publishing Knowledge Base articles that detail the recommended actions for customers as it relates to the enforcement of MFA.

View solution in original post

rcGIS · ‎02-27-2025

Related, I have just been informed thorugh ENH-000173235 that key pair authentication will be supported in ArcGIS Enterprise 11.5 and ArcGIS Pro 3.5.

Sarah_Hanson · ‎02-27-2025

Hi @rcGIS - Thank you for your post! You are correct that web layers published by reference to ArcGIS Enterprise from Snowflake using basic authentication with passwords will be impacted when MFA is enforced. We are excited to share that Snowflake's key-pair authentication will be supported in the next releases of ArcGIS Pro and ArcGIS Enterprise (3.5/11.5).

Would switching to a Snowflake service user (instead of a human user) be a good workaround? --> This is a great question. Setting the type to LEGACY_SERVICE appears to be one approach to prevent MFA and service disruption until November 2025.

Very soon, we will be publishing Knowledge Base articles that detail the recommended actions for customers as it relates to the enforcement of MFA.

rcGIS · ‎03-02-2025

Hello @Sarah_Hanson, many thanks for your response! It's good to see that key-pair authentication will be implemented in 11.5/3.5. We are happy to check those knowledge base articles once they are available.

Michael_Boschert

Hi Sarah,

Thank you for adding the key-pair authentication support—this is fantastic news! I truly appreciate your efforts in enhancing our security measures.

I wanted to inquire whether there are plans to implement support for encrypted key-pairs as well. This feature is a standard requirement in Germany based on the BSI guidelines, and it would be beneficial for our compliance and security needs.

Looking forward to your thoughts on this.

Best regards,
Michael

rcGIS · ‎03-10-2025

I have just seen that the articles were published at the end of last week. Thanks!

MelissaJarman · ‎03-10-2025

@rcGIS I was checking back to update the links and see you have already found these!
Let us know if you have any questions about how to proceed. What are your plans moving forward? Are you moving to key-pair or will you explore using MFA when working in ArcGIS Pro?

rcGIS · ‎03-30-2025

Hello @MelissaJarman, thanks for the follow-up!

We are at ArcGIS Enterprise 11.3, so a Snowflake LEGACY_SERVICE for web services seems our best option until November. And for our Desktop (e.g., ArcGIS Pro) connections, MFA might not be such an issue.

Although it was not the plan, we might have to upgrade to ArcGIS Enterprise 11.5 before November to benefit from key pair authentication.