Snowflake CLI release notes for 2026

This article contains the release notes for the Snowflake CLI, including the following when applicable:

  • Behavior changes
  • New features
  • Customer-facing bug fixes

See Snowflake CLI for documentation.

Version 3.17.0 (May 11, 2026)

New features and updates

  • The snow app command group now supports both Snowflake Native Apps (application and application package entities) and Snowflake Apps Deploy (snowflake-app entities). The entity type in snowflake.yml determines which flow is used, so shared subcommands such as bundle, deploy, validate, open, events, and teardown automatically select the correct behavior. The experimental hidden snow __app command group and the ENABLE_SNOWFLAKE_APPS feature flag have been removed.
  • Added the snow app setup command for initializing a snowflake.yml file for a Snowflake Apps Deploy project.
  • Added the snow connection generate-workload-identity-token command to generate a workload identity token for the current environment. Supports AWS, GCP, Azure, and OIDC providers via the --workload-identity-provider option or connection configuration.
  • Added the snow custom-image validate command to validate custom Docker images against configured rules (entrypoint, environment variables, Python packages, and dependency health). Supports an optional --scan-vulnerabilities flag to run Grype vulnerability scanning.
  • Added the snow dcm purge command to drop all the objects managed by the specified DCM Project. The project object itself is not dropped.
  • DCM manifest targets now validate the account_identifier and project_owner fields. The CLI checks these against the current session and prints a warning on mismatch: account_identifier is checked for all manifest-based commands, and project_owner is checked for snow dcm create.
  • Added the --secondary-roles option (and matching SNOWFLAKE_SECONDARY_ROLES environment variable and secondary_roles configuration key) to snow connection add and the global connection overrides. The value is forwarded to snowflake-connector-python and accepts ALL or NONE, so sessions can be pinned to the primary role without running USE SECONDARY ROLES.
  • Added the --force option to snow spcs service drop to allow dropping services that contain block storage volumes.
  • Significantly improved DCM file upload performance.
  • Updated snowflake-connector-python to version 4.4.0. The 4.x series introduced stricter permission checks. In future versions of Snowflake CLI, strict configuration file permissions will become mandatory. To test whether your files have the correct permissions, set SNOWFLAKE_CLI_FEATURES_ENFORCE_STRICT_CONFIG_PERMISSIONS=1 before running CLI commands.

Bug fixes

  • Fixed snow streamlit deploy failing with a collision error when a pages/*.py glob in additional_source_files overlaps with the automatically-included pages/ directory. Overlapping glob patterns are now deduplicated during v1-to-v2 definition conversion.
  • Fixed the error message when the PRIVATE_KEY_PASSPHRASE environment variable is set to an empty string.
  • Fixed SELECT * output being corrupted when joined tables share column names. Duplicate column names are now disambiguated by appending a numeric suffix (for example, NAME, NAME_2).
  • Fixed snow connection generate-jwt and snow connection generate-workload-identity-token failing with Connection None is not configured when used with --temporary-connection.
  • Fixed duplicate LOGIN_HISTORY events (and OVERFLOW_FAILURE_EVENTS_ELIDED entries) previously emitted when a snow invocation was rejected by an authentication policy. The internal connection cache now remembers failed connect attempts and re-raises the original exception on subsequent accesses within the same process, instead of re-dialing Snowflake every time a command accesses the shared connection.
  • Fixed session/master token connections created from environment variables or named connection configuration not enabling token keep-alive settings. This could cause follow-up commands to fail with 251007: Session and master tokens invalid.

Version 3.16.0 (Mar 19, 2026)

New features and updates

  • Added support for DCM commands in preview.
  • Added the --in-account option to list commands (for example, snow object list, snow stage list). This option lists all objects of a given type in the account. Cannot be used together with the --in option.
  • Added the experimental command snow spcs service build-image to build container images using an SPCS service. The command uploads the local build context to a stage, executes a build job, and streams logs in real time until completion. This command is experimental and subject to change.
  • Added the --async option to the snow spcs service execute-job command to execute job services asynchronously without waiting for completion.
  • Added the --replicas option to the snow spcs service execute-job command to specify the number of job replicas to run.
  • Added the --dbt-version option to the snow dbt deploy and snow dbt execute commands. This option sets the dbt Core version on a dbt project object (snow dbt deploy command) or executes a dbt command on a specific dbt Core version without altering the dbt object (snow dbt execute commands).
  • All authenticators (including snowflake-jwt, username_password_mfa, and workload_identity) are now case-insensitive.
  • Changed how the fully qualified names for temporary stages are established for snow dbt deploy. The database and schema from the dbt project object’s fully qualified name now take precedence over those from the session.

Bug fixes

  • Fixed snow stage copy --recursive dropping database and schema qualifiers from fully qualified stage names, which caused the command to resolve stages against the connection’s default database instead of the one specified in the FQN.
  • Fixed snow streamlit deploy --prune failing with an incorrect stage path format for Streamlit entities using versioned deployment. The snow:// prefix is now correctly preserved through all stage path operations.
  • Fixed a bug with snow dbt deploy where the dbt project uploaded files first and updated project properties afterward. This could cause deploys to fail if, for example, the project lacked external access integrations and dependencies were specified.
  • Fixed the snow stage copy and snow stage put commands failing when a local directory path contains glob special characters (such as, square brackets in [id] or [slug]). The path is now escaped before glob expansion, so literal directory names are matched correctly.

Version 3.15.0 (Feb 03, 2026)

New features and updates

  • Added the --if-exists option to the snow object drop command and object-specific drop commands (for example, snow stage drop) to drop objects only if they exist, preventing errors when dropping non-existent objects.
  • Updated the project definition with supported Python versions aligned with snowflake-connector-python.

Bug fixes

  • Fixed git repository path parsing to allow quotes around both repository and branch names (such as @"example-repo"/branches/"feature/branch"/*).
  • Fixed external browser authentication (EXTERNALBROWSER) for headless systems.