Will the Snowflake DB connections continue to work from April after Snowflake's MFA policy changes?

rcGIS · ‎02-10-2025

Hello everyone,

We use Snowflake connections from ArcGIS Pro and ArcGIS Server (context). We currently use a Snowflake human user (username + passw). This also allows us to publish web layers to our ArcGIS Enterprise (context).

Snowflake is enforcing relevant security changes/requirements for users/accounts as presented here. When reviewing those changes, some will be already applied from April 2025: "Enable for all accounts the default authentication policy, with MFA enforced on password sign-ins for human users".

Will our DB connections continue to work from April 2025? Is anyone else facing the same potential issue and found a solution already?

---

Currently there are only two authentications types available to create a database connection file from ArcGIS Pro to Snowflake (User or browser-based SSO). Browser-based SSO is no alternative* for us. Key pair authentication might be a solution** for the future, but is not yet available within ArcGIS.

*This authentication method prompts you to provide credentials for authentication each time you connect. Do not use this method if you will publish web layers or use the data from this connection in geoprocessing models.

**Snowflake: "Note that these policies have no bearing on single sign-on users (using SAML or OAuth) or users using key-pair authentication."

With this information in mind, what are Esri's recommendations on the topic to avoid service interruptions (that the DB connections stop working)? Would switching to a Snowflake service user (instead of a human user) be a good workaround?

Thank you for your assistance,

Sarah_Hanson

Hi @rcGIS - Thank you for your post! You are correct that web layers published by reference to ArcGIS Enterprise from Snowflake using basic authentication with passwords will be impacted when MFA is enforced. We are excited to share that Snowflake's key-pair authentication will be supported in the next releases of ArcGIS Pro and ArcGIS Enterprise (3.5/11.5).

Would switching to a Snowflake service user (instead of a human user) be a good workaround? --> This is a great question. Setting the type to LEGACY_SERVICE appears to be one approach to prevent MFA and service disruption until November 2025.

Very soon, we will be publishing Knowledge Base articles that detail the recommended actions for customers as it relates to the enforcement of MFA.

View solution in original post

rcGIS

Related, I have just been informed thorugh ENH-000173235 that key pair authentication will be supported in ArcGIS Enterprise 11.5 and ArcGIS Pro 3.5.

Sarah_Hanson

Hi @rcGIS - Thank you for your post! You are correct that web layers published by reference to ArcGIS Enterprise from Snowflake using basic authentication with passwords will be impacted when MFA is enforced. We are excited to share that Snowflake's key-pair authentication will be supported in the next releases of ArcGIS Pro and ArcGIS Enterprise (3.5/11.5).

Would switching to a Snowflake service user (instead of a human user) be a good workaround? --> This is a great question. Setting the type to LEGACY_SERVICE appears to be one approach to prevent MFA and service disruption until November 2025.

Very soon, we will be publishing Knowledge Base articles that detail the recommended actions for customers as it relates to the enforcement of MFA.

rcGIS

Hello @Sarah_Hanson, many thanks for your response! It's good to see that key-pair authentication will be implemented in 11.5/3.5. We are happy to check those knowledge base articles once they are available.

rcGIS

I have just seen that the articles were published at the end of last week. Thanks!

MelissaJarman

@rcGIS I was checking back to update the links and see you have already found these!
Let us know if you have any questions about how to proceed. What are your plans moving forward? Are you moving to key-pair or will you explore using MFA when working in ArcGIS Pro?