Note: Snowflake CLI Github Action is in Preview.
Streamlines installing and using Snowflake CLI in your CI/CD workflows. The CLI is installed in isolated way making sure it won't conflict with dependencies of your project. Automatically set up the input config file within the ~/.snowflake/ directory.
This actions enables automation of your Snowflake CLI tasks, such as deploying Native Apps or running Snowpark scripts within your Snowflake environment, etc.
The specified Snowflake CLI version. For example 2.2.0
. If not specified then latest version will be used.
Path to the configuration file (config.toml) in your repository. The path must be relative to root of repository.
To set up Snowflake credentials for a specific connection follow these steps.
-
Add
config.toml
to Your Repository:-
Create a
config.toml
file at the root of your repository with an empty connection configuration. For example:[connections] [connections.myconnection] user = ""
This file serves as a template and is preferable to not contain any actual credentials.
-
-
Generate a private key: Generate a key pair for you snowflake account following this user guide.
-
Store Credentials in GitHub Secrets:
- Store each credential (e.g., account, private key, passphrase) in GitHub Secrets. Refer to the GitHub Actions documentation for detailed instructions on how to create and manage secrets for your repository.
-
Map Secrets to Environment Variables:
-
Map each secret to an environment variable using the format
SNOWFLAKE_CONNECTIONS_<connection-name>_<key>=<value>
. This overrides the credentials defined inconfig.toml
. For example:env: SNOWFLAKE_CONNECTIONS_MYCONNECTION_PRIVATE_KEY_RAW: ${{ secrets.SNOWFLAKE_PRIVATE_KEY_RAW }} SNOWFLAKE_CONNECTIONS_MYCONNECTION_ACCOUNT: ${{ secrets.SNOWFLAKE_ACCOUNT }}
-
-
Configure the Snowflake CLI Action:
-
Add the
default-config-file-path
parameter to the Snowflake CLI action step in your workflow file. This specifies the path to yourconfig.toml
file. For example:- uses: Snowflake-Labs/snowflake-cli-action@v1 with: cli-version: "latest" default-config-file-path: ".\config.toml"
Replace
latest
with a specific version of Snowflake CLI action if needed. -
-
[Optional] Set up a passphrase if private key is encrypted:
-
Add an additional environment variable named
PRIVATE_KEY_PASSPHRASE
and set it to the private key passphrase. This passphrase will be used by Snowflake to decrypt the private key.- name: Execute Snowflake CLI command env: PRIVATE_KEY_PASSPHRASE: ${{ secrets.PASSPHARSE }} run: | snow --version snow connection test
-
-
[Extra] Using password instead of private key:
-
Unset the environment variable
SNOWFLAKE_CONNECTIONS_MYCONNECTION_AUTHENTICATOR
and then add a new variable with the password as follows:env: SNOWFLAKE_CONNECTIONS_MYCONNECTION_USER: ${{ secrets.SNOWFLAKE_USER }} SNOWFLAKE_CONNECTIONS_MYCONNECTION_ACCOUNT: ${{ secrets.SNOWFLAKE_ACCOUNT }} SNOWFLAKE_CONNECTIONS_MYCONNECTION_PASSWORD: ${{ secrets.SNOWFLAKE_PASSWORD }}
-
For more information in setting Snowflake credentials using environment variables, refer to the Snowflake CLI documentation. And the instructions on defining environment variables within your Github CI/CD workflow can be found here.
default_connection_name = "myconnection"
[connections]
[connections.myconnection]
user = ""
name: deploy
on: [push]
jobs:
version:
name: "Check Snowflake CLI version"
runs-on: ubuntu-latest
env:
SNOWFLAKE_CONNECTIONS_MYCONNECTION_AUTHENTICATOR: SNOWFLAKE_JWT
SNOWFLAKE_CONNECTIONS_MYCONNECTION_USER: ${{ secrets.SNOWFLAKE_USER }}
SNOWFLAKE_CONNECTIONS_MYCONNECTION_ACCOUNT: ${{ secrets.SNOWFLAKE_ACCOUNT }}
SNOWFLAKE_CONNECTIONS_MYCONNECTION_PRIVATE_KEY_RAW: ${{ secrets.SNOWFLAKE_PRIVATE_KEY_RAW }}
steps:
# Checkout step is necessary if you want to use a config file from your repo
- name: Checkout repo
uses: actions/checkout@v4
with:
persist-credentials: false
# Snowflake CLI installation
- uses: Snowflake-Labs/snowflake-cli-action@v1.5
with:
cli-version: "latest"
default-config-file-path: "config.toml"
# Use the CLI
- name: Execute Snowflake CLI command
env:
PRIVATE_KEY_PASSPHRASE: ${{ secrets.PASSPHARSE }} #Passphrase is only necessary if private key is encrypted.
run: |
snow --version
snow connection test