Integrating CI/CD with Snowflake CLI

Snowflake CLI integrates popular CI/CD (continuous integration and continuous delivery) systems and frameworks, such as GitHub Actions (https://github.com/features/actions), to efficiently automate your Snowflake workflows for SQL, Snowpark, Native Apps, or Notebooks.

Note

Future releases will include support for Jenkins and Azure DevOps.

The following illustration shows a typical CI/CD workflow in Snowflake CLI.

Snowflake CI/CD workflow

CI/CD workflow steps

  1. Store: Configure a remote Git repository to manage your Snowflake files securely.

  2. Code: Develop your Snowflake code using an IDE or Snowsight, tailored to your preferences.

  3. Install: Install Snowflake CLI, and provision your preferred CI/CD provider, such as GitHub Actions.

  4. Deploy: Automate deployment by combining the Snowflake CLI with your selected CI/CD tool.

  5. Monitor: Track code and workflow performance in Snowflake using Snowflake Trail for real-time insights.

  6. Iterate: Apply small, frequent updates to your project for continuous improvement; smaller changes simplify management and rollback, if necessary.

CI/CD with GitHub Actions

A Snowflake CLI action is a GitHub action designed to integrate Snowflake CLI into CI/CD pipelines. It lets you automate execution of Snowflake CLI commands within your GitHub workflows.

Using Snowflake CLI actions

Snowflake CLI Github Actions streamlines the process of installing and using Snowflake CLI in your CI/CD workflows. The CLI is installed in an isolated way, ensuring that it won’t conflict with the dependencies of your project. It automatically sets up the input configuration file within the ~/.snowflake/ directory.

Input parameters

A Snowflake CLI action uses the following inputs from your Github workflow YAML file, such as <repo-name>/.github/workflows/my-workflow.yaml:

  • cli-version: The specified Snowflake CLI version, such as 3.6.0. If not provided, the latest version of the Snowflake CLI is used.

  • default-config-file-path: Path to the configuration file (config.toml) in your repository. The path must be relative to the root of the repository. The configuration file is not required when a temporary connection (-x option) is used.

Safely configure the action in your CI/CD workflow

To use a Github action, you must do the following:

  1. Generate a private key. For more information, see Key-pair authentication and key-pair rotation.

  2. Store the credentials, such as account, private key, and passphrase, in GitHub secrets. For more information, see GitHub Actions documentation (https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository).

Defining connections

You can define a GitHub action to connect to Snowflake with a temporary connection or with a connection defined in your configuration file. For more information about managing connections, see Managing Snowflake connections.

Use a temporary connection

For more information about temporary connections, see Use a temporary connection.

To set up your Snowflake credentials for a temporary connection, follow these steps:

  1. Map secrets to environment variables in your GitHub workflow, in the form SNOWFLAKE_<key>=<value>, as shown:

    env:
  SNOWFLAKE_PRIVATE_KEY_RAW: ${{ secrets.SNOWFLAKE_PRIVATE_KEY_RAW }}
  SNOWFLAKE_ACCOUNT: ${{ secrets.SNOWFLAKE_ACCOUNT }}
    Copy
  2. Configure the Snowflake CLI action.

    If you use the latest version of Snowflake CLI, you do not need to include the cli-version parameter. The following example instructs the action to use Snowflake CLI version 3.6.0 specifically:

    - uses: snowflakedb/snowflake-cli-action@v1.5
  with:
    cli-version: "3.6.0"
    Copy

#. Optional: If your private key is encrypted, to set up a passphrase, set the PRIVATE_KEY_PASSPHRASE environment variable to the private key passphrase. Snowflake uses this passphrase to decrypt the private key. For example:

- name: Execute Snowflake CLI command
  env:
    PRIVATE_KEY_PASSPHRASE: ${{ secrets.PASSPHARSE }}
Copy

To use a password instead of a private key, unset the SNOWFLAKE_AUTHENTICATOR environment variable, and add the SNOWFLAKE_PASSWORD variable, as follows:

- name: Execute Snowflake CLI command
  env:
    SNOWFLAKE_USER: ${{ secrets.SNOWFLAKE_USER }}
    SNOWFLAKE_ACCOUNT: ${{ secrets.SNOWFLAKE_ACCOUNT }}
    SNOWFLAKE_PASSWORD: ${{ secrets.SNOWFLAKE_PASSWORD }}
Copy

Note

To enhance your experience when using a password and MFA, Snowflake recommends that you configure MFA caching.

For more information about setting Snowflake credentials in environment variables, see Use environment variables for Snowflake credentials, and for information about defining environment variables within your GitHub CI/CD workflow, see Defining environment variables for a single workflow (https://docs.github.com/en/actions/learn-github-actions/variables#defining-environment-variables-for-a-single-workflow).

  1. Add the snow commands you want to execute with the temporary connection, as shown:

    run: |
  snow --version
  snow connection test --temporary-connection
    Copy

The following example shows a completed sample <repo-name>/.github/workflows/my-workflow.yaml file:

name: deploy
on: [push]

jobs:
  version:
    name: "Check Snowflake CLI version"
    runs-on: ubuntu-latest
    steps:
      # Snowflake CLI installation
      - uses: snowflakedb/snowflake-cli-action@v1.5

        # Use the CLI
      - name: Execute Snowflake CLI command
        env:
          SNOWFLAKE_AUTHENTICATOR: SNOWFLAKE_JWT
          SNOWFLAKE_USER: ${{ secrets.SNOWFLAKE_USER }}
          SNOWFLAKE_ACCOUNT: ${{ secrets.SNOWFLAKE_ACCOUNT }}
          SNOWFLAKE_PRIVATE_KEY_RAW: ${{ secrets.SNOWFLAKE_PRIVATE_KEY_RAW }}
          PRIVATE_KEY_PASSPHRASE: ${{ secrets.PASSPHARSE }} # Passphrase is only necessary if private key is encrypted.
        run: |
          snow --help
          snow connection test -x
Copy

After verifying that your action can connect to Snowflake successfully, you can add more Snowflake CLI commands like snow notebook create or snow git execute. For information about supported commands, see Snowflake CLI command reference.

Use a configuration file

For more information about defining connections, see Define connections.

To set up your Snowflake credentials for a specific connection, follow these steps:

  1. Create a config.toml file at the root of your Git repository with an empty configuration connection, as shown:

    default_connection_name = "myconnection"

[connections.myconnection]
    Copy

    This file serves as a template and should not contain actual credentials.

  2. Map secrets to environment variables in your GitHub workflow, in the form SNOWFLAKE_<key>=<value>, as shown:

    env:
  SNOWFLAKE_CONNECTIONS_MYCONNECTION_PRIVATE_KEY_RAW: ${{ secrets.SNOWFLAKE_PRIVATE_KEY_RAW }}
  SNOWFLAKE_CONNECTIONS_MYCONNECTION_ACCOUNT: ${{ secrets.SNOWFLAKE_ACCOUNT }}
    Copy

#. Configure the Snowflake CLI action. If you use the latest version of Snowflake CLI, you do not need to include the cli-version parameter. The following example specifies a desired version and the name of your default configuration file:

- uses: snowflakedb/snowflake-cli-action@v1.5
  with:
    cli-version: "3.6.0"
    default-config-file-path: "config.toml"
Copy

#. Optional: If your private key is encrypted, to set up a passphrase, set the PRIVATE_KEY_PASSPHRASE environment variable to the private key passphrase. Snowflake uses this passphrase to decrypt the private key. For example:

- name: Execute Snowflake CLI command
  env:
    PRIVATE_KEY_PASSPHRASE: ${{ secrets.PASSPHARSE }}
Copy

To use a password instead of a private key, unset the SNOWFLAKE_AUTHENTICATOR environment variable, and add the SNOWFLAKE_PASSWORD variable, as follows:

- name: Execute Snowflake CLI command
  env:
    SNOWFLAKE_CONNECTIONS_MYCONNECTION_USER: ${{ secrets.SNOWFLAKE_USER }}
    SNOWFLAKE_CONNECTIONS_MYCONNECTION_ACCOUNT: ${{ secrets.SNOWFLAKE_ACCOUNT }}
    SNOWFLAKE_CONNECTIONS_MYCONNECTION_PASSWORD: ${{ secrets.SNOWFLAKE_PASSWORD }}
Copy

Note

To enhance your experience when using a password and MFA, Snowflake recommends that you configure MFA caching.

  1. Add the snow commands you want to execute with a named connection, as shown:

    run: |
  snow --version
  snow connection test
    Copy

The following example shows a sample config.toml file in your Git repository and a completed sample <repo-name>/.github/workflows/my-workflow.yaml file:

  • Sample config.toml file:

    default_connection_name = "myconnection"

[connections.myconnection]
    Copy

  • Sample Git workflow file:

    name: deploy
on: [push]
jobs:
  version:
    name: "Check Snowflake CLI version"
    runs-on: ubuntu-latest
    steps:
      # Checkout step is necessary if you want to use a config file from your repo
      - name: Checkout repo
        uses: actions/checkout@v4
        with:
          persist-credentials: false

        # Snowflake CLI installation
      - uses: snowflakedb/snowflake-cli-action@v1.5
        with:
          default-config-file-path: "config.toml"

        # Use the CLI
      - name: Execute Snowflake CLI command
        env:
          SNOWFLAKE_CONNECTIONS_MYCONNECTION_AUTHENTICATOR: SNOWFLAKE_JWT
          SNOWFLAKE_CONNECTIONS_MYCONNECTION_USER: ${{ secrets.SNOWFLAKE_USER }}
          SNOWFLAKE_CONNECTIONS_MYCONNECTION_ACCOUNT: ${{ secrets.SNOWFLAKE_ACCOUNT }}
          SNOWFLAKE_CONNECTIONS_MYCONNECTION_PRIVATE_KEY_RAW: ${{ secrets.SNOWFLAKE_PRIVATE_KEY_RAW }}
          PRIVATE_KEY_PASSPHRASE: ${{ secrets.PASSPHARSE }} #Passphrase is only necessary if private key is encrypted.
        run: |
          snow --help
          snow connection test
    Copy

After verifying that your action can connect to Snowflake successfully, you can add more Snowflake CLI commands like snow notebook create or snow git execute. For information about supported commands, see Snowflake CLI command reference.

Language: English