Something big is coming to Liquibase OSS 5.0 — Learn more!
Blog Post

Snowflake Is Blocking Password Authentication: What OSS Liquibase Users Need to Know

July 30, 2025

See Liquibase in Action

Accelerate database changes, reduce failures, and enforce governance across your pipelines.

Watch a Demo

Table of contents

Key Points (TL;DR)

  • Starting November 1, 2025, Snowflake will block all password-only authentication
  • Liquibase OSS users relying on username/password must update their authentication
  • Liquibase OSS does not have built-in support key pair authentication for Snowflake
  • Pro users get built-in secure auth, credential vault support, and policy enforcement
  • Without action, your database automation may fail or break CI/CD

What’s Changing and Why It Matters

Snowflake is tightening platform security by removing single-factor password logins across all accounts beginning November 1, 2025. 

That means no more username/password for users, scripts, or automation. Going forward, Snowflake will require one of the following authentication methods:

  • Multi-factor authentication (MFA)
  • SSO via SAML 2.0
  • Key pair authentication (recommended for service accounts and automation)
  • Programmatic Access Tokens

For Liquibase Pro users, the Pro platform includes out-of-the-box drivers, integrations, SLAs, and access to support. The OSS solution takes more of a DIY approach so integrations, testing, and driver installation and management will fall to your team.


Challenge Liquibase Pro Solution
No built-in support for secure key pair authentication in OSS Pro supports secure, credential-less authentication methods, including Snowflake out-of-the-box OAUTH and key pair auth support
Disconnected or manual credential management Credential vault integration and policy enforcement ensures secure and compliant usage
Unclear audit trails for compliance Audit logging, change tracking, and access visibility for Snowflake deployments
Risk of failures in CI/CD pipelines Built-in test harness and proactive error detection reduce surprises during rollout

Why OSS Users Face More Risk

Liquibase OSS does not have built-in support for Snowflake key pair authentication. To adapt, you will need to:

  • Manually configure and manage credentials
  • Create custom JDBC strings
  • Securely store and rotate private keys
  • Manually test deployments in all environments

There is no built-in observability, no rollback safety net, and no policy guardrails.

With the deadline approaching, this manual path can be risky and time-consuming, especially in regulated or fast-paced environments.

If you’re using OSS Liquibase with Snowflake and don’t update your authentication method before the deadline, you risk serious disruption to your delivery pipelines, compliance posture, and operational stability.

Here’s what’s on the line:

CI/CD Failures

Any Liquibase job using username and password authentication will fail after Snowflake enforces the change.

Example:

url: jdbc:snowflake://abc123.snowflakecomputing.com/?user=myuser&password=mypass

After November 1, this connection string will trigger an error like:

SQL Error: User/password authentication is disabled.

If this hasn’t been replaced and tested with a supported method (like key pair auth or OAuth), your automated deployments will break, potentially at runtime, mid-release.

Unplanned Downtime

When authentication fails, Liquibase won’t apply database changes.

Scenario:

A Friday night deployment kicks off via GitHub Actions. Liquibase fails  and throws an error. The database isn’t updated. Users experience application errors, and on-call engineers scramble to diagnose the issue.

Security Exposure

Snowflake is deprecating password-only logins for a reason. Password-based access is insecure and difficult to manage. It’s often:

  • Hard-coded into config files
  • Shared between users or systems
  • Rarely rotated
  • Lacking audit trails

Continuing to rely on passwords violates Snowflake’s new policy and exposes your environment to unnecessary risk.

Audit and Compliance Failures

If you’re in a regulated industry, using OSS Liquibase with password-based auth puts you at risk of failing security audits. OSS does not include:

  • Credential vault integrations (e.g., HashiCorp Vault, AWS Secrets Manager)
  • Role-based policy enforcement
  • Change tracking or traceability tied to authentication events

Snowflake’s new policies demand modern, secure authentication and auditors will too.

Last-Minute Fire Drills

Teams that wait until the deadline may find themselves scrambling:

  • During Q4 code freezes
  • With limited internal support
  • Without time to properly test and document the migration

If your team isn’t already familiar with PKI management, OAuth flows, or JDBC setup, this transition can take more time than expected—and rushed rollouts are rarely smooth.

Bottom Line

These risks aren’t theoretical. Starting November 1, 2025, Snowflake will reject all password-only logins including those used in scripts, pipelines, and automated workflows.

If you haven’t migrated and tested a secure alternative by then, your deployments will fail. Your database changes won’t go through. And your team will be left scrambling to fix a problem that could’ve been avoided.

Your Snowflake Password Sunset Prep Checklist

Here’s how to get ahead of the change and avoid disruption.

1. Audit Your Authentication Usage

  • Identify all Snowflake connections in Liquibase jobs, scripts, and CI/CD tools
  • Check if any rely on username/password authentication

OSS users must do this manually. There is no built-in alerting for insecure auth.

2. Choose a Supported Authentication Method

Snowflake will only support:

  • Multi-factor authentication (MFA)
  • SSO via SAML 2.0
  • Key pair authentication (recommended for service accounts and automation)
  • Programmatic Access Tokens

Liquibase OSS requires custom setup to support key pair authentication.
Liquibase Pro includes secure key pair auth support out of the box.

3. Update and Test Your Configuration

  • Replace password-based JDBC values
  • Instructions available at: Snowflake PKI and OAuth Tutorial (this capability comes out-of-the-box with Liquibase Pro)
  • Run tests in all environments and CI/CD pipelines

Liquibase Pro simplifies this with secure configuration, rollback support, and deployment previews.

4. Plan for Compliance and Continuity

  • Create rollback and recovery plans
  • Document changes for audits
  • Monitor post-migration for any failures

Liquibase Pro includes built-in audit trails and change governance, reducing risk during the transition.

Want a Simpler, Safer Path?

With Liquibase Pro, teams can:

  • Use secure Snowflake key pair auth without custom scripts
  • Integrate with credential vaults such as HashiCorp Vault and AWS Secrets Manager
  • Enforce authentication and change policies across environments
  • Track, audit, and validate every change with full observability

Don’t Wait Until November 2025

The deadline might seem far off, but secure authentication takes time to implement, test, and scale, especially in large teams or regulated industries.

Avoid surprises. Avoid outages. Avoid last-minute scrambling.

→ Explore how Liquibase Pro simplifies Snowflake authentication

Contact us

FAQ: Snowflake Auth Sunset for Liquibase Users

Q: What exactly is Snowflake changing?
A: As of November 1, 2025, Snowflake will block all single-factor authentication using just a username and password. You must use key pair auth, OAuth 2.0, or SAML SSO.

Q: Will Liquibase OSS support Snowflake’s new authentication methods?
A: Not built-in. While it is possible to configure Snowflake key pair auth with OSS using manual steps, it requires custom scripting and ongoing maintenance.

Q: How does Liquibase Pro help?
A: Liquibase Pro offers built-in support for key pair authentication, integrates with credential vaults, and enforces policies for secure, governed delivery. It removes the manual burden from your team.

Q: What happens if I do nothing?
A: Any Liquibase process using username/password will fail to authenticate with Snowflake once the change goes into effect. That means your CI/CD pipeline could break without warning.

Q: When should I start planning?
A: Now. Even if you are not ready to implement today, auditing and selecting an auth strategy takes time. Give yourself months, not weeks, to prepare.

Q: What are the potential issues with running OSS after the change if I do nothing and how can Liquibase Pro help?

Issue: No built-in support for secure key pair authentication in OSS

Liquibase Pro Solution: Liquibase Pro supports secure, credential-less authentication methods, including Snowflake out-of-the-box OAUTH and key pair auth support

Issue: Disconnected or manual credential management

Liquibase Pro Solution: Credential vault integration and policy enforcement ensures secure and compliant usage

Issue: Unclear audit trails for compliance

Liquibase Pro Solution: Audit logging, change tracking, and access visibility for Snowflake deployments

Issue: Risk of failures in CI/CD pipelines

Liquibase Pro Solution: Built-in test harness and proactive error detection reduce surprises during rollout

Christine Meyers Callum
Christine Meyers Callum
Director, Product Marketing
Share on:

See Liquibase in Action

Accelerate database changes, reduce failures, and enforce governance across your pipelines.

Watch a Demo