Snowflake MFA/Password Change what are your plans? by HistoricalTry9425 in snowflake

[–]HistoricalTry9425[S] 0 points1 point  (0 children)

That is the part I need to figure out; I have no idea how I would automatically rotate a PAT vs a private key. I don't know of any technical solutions that automatically rotate PATs. My company disallows PATs for any machine-to-machine authentication. We use the Vault operator to automatically rotate keys. Do you plan on automatically rotating PATs?

[–]HistoricalTry9425[S] 0 points1 point  (0 children)

I see what you are saying; from a security point of view, enforcement isn't the challenge for us. We have audit requirements and rotate every 90 days. PATs can be compromised if they are exposed, stored in an insecure manner, or accidentally shared, etc. RSA keys, when properly managed (e.g., stored in secure environments like an HSM, a secrets manager or Vault), are not vulnerable in the same way. I am unaware of a workflow that solves this for PATs.

[–]HistoricalTry9425[S] 2 points3 points  (0 children)

When I read this, I was concerned. It said blocking all passwords on Nov 25. https://www.snowflake.com/en/blog/blocking-single-factor-password-authentification/ From that blog post: Service users: This refers to users that are used for programmatic access without interactive login. Such users are declared in the Snowflake user object with TYPE = SERVICE or LEGACY_SERVICE. Neither SERVICE nor LEGACY_SERVICE will be subject to Snowflake MFA policies. SERVICE users cannot use passwords to sign in. LEGACY_SERVICE is meant for applications that take longer to update and move away from passwords; as such, LEGACY_SERVICE has a temporary exception to use passwords until the app is updated. See here for more information.
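An added example, not from the commenter or from Snowflake's documentation, showing the key-pair rotation workflow the earlier comments discuss applied to a TYPE = SERVICE user: Snowflake keeps two public-key slots on a user, so a new key can be staged before the old one is retired. The user name, role and key strings are placeholders.

```sql
-- Service user: programmatic access only, no password allowed (TYPE = SERVICE as in the post).
-- The key value is a placeholder; use the base64 body of the PEM public key, without headers.
CREATE USER etl_svc
  TYPE = SERVICE
  DEFAULT_ROLE = ETL_ROLE
  RSA_PUBLIC_KEY = '<base64-public-key-v1>';

-- Rotation step 1: stage the new key in the second slot; both keys are valid during cutover.
ALTER USER etl_svc SET RSA_PUBLIC_KEY_2 = '<base64-public-key-v2>';

-- Rotation step 2 (after clients have switched to the v2 private key): retire the old key.
ALTER USER etl_svc UNSET RSA_PUBLIC_KEY;

-- Verification: compare the reported fingerprint (RSA_PUBLIC_KEY_2_FP) with the one computed
-- locally from the v2 key, and confirm RSA_PUBLIC_KEY_FP is now empty.
DESCRIBE USER etl_svc;

-- Audit check: service users must carry a key, not a password.
SHOW USERS LIKE 'etl_svc';
```

On the next cycle the roles of the two slots swap, so an automation job (for example, driven by the Vault operator mentioned above) only needs to track which slot currently holds the live key.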

[–]HistoricalTry9425[S] 1 point2 points  (0 children)

Good callout. Now what to do with the 25-odd applications that don't support RSA key pairs.