Overview of Snowflake authentication
The following sections describe the authentication methods that users and applications can use to access Snowflake. They also provide key considerations to help you choose the best authentication method for your use case.
Choosing authentication for Snowsight
Snowsight is the user interface for Snowflake. This section provides an overview of the authentication methods that users can use to sign in to Snowsight, followed by a comparison of the methods.
Note
When you create a Snowflake user object for a person authenticating to Snowsight, specify TYPE = PERSON. For more information about user types, see Types of users.
- Single sign-on (SSO)
With SSO for Snowsight, users authenticate with a third-party identity provider (IdP) rather than authenticating with Snowflake directly. When a user accesses Snowsight, the sign-in page includes an option to authenticate with the IdP instead of a Snowflake-managed password. The IdP confirms the user’s identity, and then sends a Security Assertion Markup Language (SAML) assertion to Snowflake. Because Snowflake and the IdP have a previously established relationship of trust, Snowflake accepts the assertion as proof of the user’s identity, and allows the user to access Snowsight.
Some organizations use the same IdP to provide an SSO experience for all of the organization’s applications. These organizations can simply add Snowflake as a new service provider (SP) to allow its employees to use the IdP to access Snowsight.
- Username and password with multi-factor authentication (MFA)
Password authentication lets users access Snowsight by entering a string of characters that conforms to the requirements enforced by a password policy. To strengthen this authentication method, Snowflake requires MFA for all password users: the user enters a password and then uses a second factor of authentication to confirm their identity. For example, the second factor might be a passkey stored on the user's computer.
The following table compares authentication methods that users can use to sign in to Snowsight:
| Method | Advantages | Challenges |
|---|---|---|
| Single sign-on (preferred option) | Lets the organization manage authentication centrally. Users authenticate to all of the organization's applications, not just Snowflake, through the same IdP. This option is a natural fit for organizations that already use an IdP to provide SSO for their applications. | Requires configuration of a third-party IdP. |
| Password with MFA | Simple implementation. | If passwords are managed by Snowflake, the organization must repeat its authentication setup for every one of its applications. |
Overview of application authentication methods
In this topic, application refers to anything that accesses Snowflake data programmatically rather than through the Snowsight user interface. This definition includes custom web applications, third-party multi-tenant applications, desktop applications, local scripts, and workloads in the cloud.
When discussing the available authentication methods, this topic distinguishes between two types of applications:
- An interactive application that interacts with a person and authenticates to Snowflake on behalf of that person; for example, a business intelligence (BI) tool that interacts with analysts.
- A service-to-service application that doesn’t interact with a person and has a dedicated authentication method for the service; for example, a CI/CD pipeline.
- Workload identity federation (WIF)
Workload identity federation is a form of keyless authentication. It is highly secure because it reuses the short-lived credentials that a cloud workload already has, so there are no keys to manage or rotate.
When a workload is running on a cloud provider like AWS EC2, Microsoft Azure VMs, or Google Cloud VMs, workload identity federation lets the workload authenticate to Snowflake by using the cloud provider’s native identity mechanism. For example, a workload running on AWS EC2 can obtain an attestation — that is, proof of its identity — from an AWS Identity and Access Management (IAM) role that is associated with the workload. The workload’s driver obtains the attestation from the native identity mechanism and then sends it to Snowflake to authenticate the workload.
Workload identity federation also lets third-party workloads such as GitHub Actions, and workloads running in Kubernetes, authenticate through an OpenID Connect (OIDC)-compatible identity provider (IdP); this process is called OIDC federation. Snowflake accepts the ID token generated by the IdP as the workload's identity credential.
Suitable for:
- Service-to-service applications
- OAuth using Snowflake as the authorization server (Snowflake OAuth)
Snowflake OAuth provides the security of the OAuth 2.0 Authorization Framework (https://datatracker.ietf.org/doc/html/rfc6749). With Snowflake OAuth, Snowflake is both the authorization server that authenticates a Snowflake user and the resource server that accepts an access token from the client to access that user’s data. Snowflake OAuth lets the client use the authorization code grant type.
Because Snowflake is the authorization server, the user who is interacting with the application uses the Snowflake user interface to authenticate. You can configure Snowflake to authenticate the user with single sign-on (SSO) or a password. For information about the advantages and challenges of SSO and password authentication, see Choosing authentication for Snowsight.
Suitable for:
- Interactive applications
- OAuth using a third-party authorization server (External OAuth)
External OAuth follows the same OAuth 2.0 security standard, but the authorization server is a third-party IdP rather than Snowflake. The application obtains an access token from the third-party IdP and then presents that token as its credential to access Snowflake resources.
A service-to-service application can use the client credentials grant type to access its own Snowflake data. An interactive application can use the authorization code grant type to access the Snowflake data of the person using the application.
Suitable for:
- Interactive applications
- Service-to-service applications
- Key-pair authentication
Key-pair authentication relies on a cryptographic key pair: a private key and a public key. The application keeps the private key secret, and the public key is associated with the Snowflake user object. During authentication, the application sends proof that it holds the private key, and Snowflake checks that proof against the public key associated with the user before accepting the request. Because no password is transmitted or stored, this method reduces the risk of credential theft.
Suitable for:
- Interactive applications
- Service-to-service applications
- Programmatic access tokens (PATs)
A PAT is a time-limited credential that lets an application authenticate without using a password. In scenarios where MFA or another more secure authentication method cannot be used, a PAT is a drop-in replacement for a single-factor password. A PAT is more secure than a password because it is a short-lived credential, requires additional security measures to be in place, and can be restricted to a specific access control role.
Suitable for:
- Interactive applications
- Service-to-service applications
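The key-pair method described above, as an added example that is not code from this page or from Snowflake's own drivers. It assumes what Snowflake's drivers and SQL API do for key-pair authentication (documented in Snowflake's key-pair reference, not on this page): the proof of possession is a JWT signed with RS256 whose `iss` is `<ACCOUNT>.<USER>.SHA256:<fingerprint>`, where the fingerprint is the base64 SHA-256 of the DER-encoded public key, whose `sub` is `<ACCOUNT>.<USER>`, and whose lifetime is short. `VerifyProof` is a model of what the server does with the public key stored on the user object, written here for illustration; `NewKey`, `SignProof`, `VerifyProof`, the `registered` map and the account and user names are the example's own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

type claims struct {
	Iss string `json:"iss"` // "<ACCOUNT>.<USER>.SHA256:<fingerprint>"
	Sub string `json:"sub"` // "<ACCOUNT>.<USER>"
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
}

// NewKey generates the client's RSA key pair; in practice the private key lives in a secret store.
func NewKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// fingerprint is "SHA256:" + standard-base64 SHA-256 of the DER (SPKI) public key.
func fingerprint(pub *rsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub) // cannot fail for a valid *rsa.PublicKey
	sum := sha256.Sum256(der)
	return "SHA256:" + base64.StdEncoding.EncodeToString(sum[:])
}

// SignProof is the client side: sign the claims (RS256) with the private key.
// The token carries no secret; only the signature proves possession of the key.
func SignProof(priv *rsa.PrivateKey, account, user string, now time.Time, ttl time.Duration) (string, error) {
	qualified := strings.ToUpper(account) + "." + strings.ToUpper(user)
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, _ := json.Marshal(claims{Iss: qualified + "." + fingerprint(&priv.PublicKey), Sub: qualified, Iat: now.Unix(), Exp: now.Add(ttl).Unix()})
	signingInput := base64.RawURLEncoding.EncodeToString(header) + "." + base64.RawURLEncoding.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// VerifyProof models the server side. registered stands in for the public key stored on
// each user object: look the key up by sub, insist on RS256, require the issuer fingerprint
// to match that key, verify the signature, and reject expired tokens.
func VerifyProof(token string, registered map[string]*rsa.PublicKey, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	rawHeader, err1 := base64.RawURLEncoding.DecodeString(parts[0])
	rawPayload, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, err3 := base64.RawURLEncoding.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return "", errors.New("token is not base64url")
	}
	var header struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(rawHeader, &header); err != nil || header.Alg != "RS256" {
		return "", errors.New("unsupported or missing alg")
	}
	var c claims
	if err := json.Unmarshal(rawPayload, &c); err != nil {
		return "", err
	}
	pub, ok := registered[c.Sub]
	if !ok {
		return "", fmt.Errorf("no public key registered for user %s", c.Sub)
	}
	if c.Iss != c.Sub+"."+fingerprint(pub) {
		return "", errors.New("issuer fingerprint does not match the registered public key")
	}
	if now.Unix() >= c.Exp {
		return "", errors.New("token expired")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return "", errors.New("signature does not verify against the registered public key")
	}
	return c.Sub, nil
}

func main() {
	priv := NewKey() // the account and user names below are placeholders
	registered := map[string]*rsa.PublicKey{"ACME-PROD.ETL_SERVICE": &priv.PublicKey}
	token, _ := SignProof(priv, "acme-prod", "etl_service", time.Now(), time.Hour)
	fmt.Println(VerifyProof(token, registered, time.Now()))
}
```

Running it prints the accepted user and a nil error. The same token presented after `exp`, a token signed with a key other than the one registered for the user, or a token whose `alg` has been changed away from RS256 is rejected. Checking the fingerprint in `iss` against the registered key before verifying the signature is what lets the server cheaply detect a token signed with the wrong key, and it is also why replacing the public key on the user object invalidates tokens minted with the old private key.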
Choosing authentication for interactive applications
An interactive application is one that interacts with a person and authenticates to Snowflake on behalf of that person. The following table provides the advantages and challenges associated with authentication methods that you can use for interactive applications. For an overview of these authentication methods, see Overview of application authentication methods.
Note
When you create Snowflake user objects for the people who are using an interactive app, specify TYPE = PERSON. For more information about user types, see Types of users.
| Method | Advantages | Challenges |
|---|---|---|
| Snowflake OAuth (strong option) | | None. |
| External OAuth (strong option) | | Requires expertise in configuring a third-party IdP as an authorization server. |
| Programmatic access token (PAT) | | |
| Key-pair | | |
Choosing authentication for service-to-service applications
A service-to-service application doesn't interact with a person and has a dedicated authentication method for the service. The following table provides the advantages and challenges associated with authentication methods that you can use for service-to-service applications. For an overview of these authentication methods, see Overview of application authentication methods.
Note
When you create a Snowflake user object for a service-to-service application, specify TYPE = SERVICE. For more information about user types, see Types of users.
| Method | Advantages | Challenges |
|---|---|---|
| Workload identity federation (preferred option) | | None. |
| External OAuth (strong option) | | Requires expertise in configuring a third-party IdP as an authorization server. |
| Key-pair | | Security risks associated with long-lived credentials, which must be mitigated by other security measures such as network policies and robust storage and rotation policies. Unlike programmatic access tokens, key pairs are *not* required to have additional measures in place, which can result in less secure authentication. |
| Programmatic access token (PAT) | | |