ODBC Configuration and Connection Parameters

The Snowflake ODBC driver utilizes both configuration and connection parameters. The methods for setting the parameters are different depending on the environment in which the driver is installed.

In this Topic:

Setting Parameters in Windows

In Windows:

  • Configuration parameters are set in the Windows registry using regedit and the following registry path:

  • Connection parameters are set in Data Source Names (DSNs):

    • DSNs are typically created and edited using the Windows Data Source Administration tool.

    • If you wish, the registry keys for DSNs can be edited directly in the Windows registry using regedit. The registry path to the keys is different depending on whether you’re using 64-bit and 32-bit Windows and whether you’re editing a user or system DSN:

      • 64-bit Windows:

      • 32-bit Windows:


      To add a connection parameter using regedit, add a new String Value, double-click on the value you created, then enter the ODBC parameter as the Value name and the parameter value as the Value data.

Setting Parameters in macOS or Linux

In macOS or Linux:

  • Configuration parameters are set in the configuration file (simba.snowflake.ini).

  • Connection parameters are set in the DSN file (odbc.ini).

Configuration Parameters


Specifies the level of detail logged for clients that use the ODBC driver:

0 = Off
1 = Fatal
2 = Error
3 = Warning
4 = Info
5 = Debug
6 = Trace

Specifies the location of the Snowflake log files for clients that use the ODBC driver.


Set to true to enable cURL verbose logging. The log file snowflake_odbc_curl.dmp is created and updated. The Snowflake ODBC driver uses cURL as the HTTP and SSL library. This parameter is useful for diagnosing network issues.


Specifies a proxy server in the form of <host>:<port> for clients that use the ODBC driver.


In Windows, entries for LogLevel and LogPath are created and populated with default values when the ODBC driver is installed; however, an entry for Proxy is not created during install. To specify a proxy to use with the driver, you must manually add the entry to the driver registry key.

To bypass the proxy for one or more IP addresses or URLs, add the following configuration parameter:


Specifies the hostname patterns to bypass the proxy server, e.g. no_proxy=.amazonaws.com to bypass AWS S3 access.


The Snowflake ODBC driver passes the NoProxy value to the curl option CURLOPT_NOPROXY. The format of the NoProxy value can be found here.


Set the location of the Certificate Authority (CA) bundle file. Must reference a file that includes a valid list of CA certificates.

For Linux, the RPM and DEB installers automatically copy the file and set this parameter.

For Mac, the PKG installer copies the file and sets this parameter.

For Windows, the MSI installer copies the file and sets this parameter.

A manual installation requires you to download the file from https://curl.haxx.se/docs/caextract.html and set the location of the file.


Set to true to disable the TLS/SSL certificate revocation status check by the Online Certificate Status Protocol (OCSP). In normal circumstances, this flag should not set. But if the OCSP availability problem persists, the application may temporarily set this parameter in order to unblock connectivity issues and remove it when the OCSP availability problem is addressed.


Determines how leading or trailing zeros in numbers formatted as string values are handled. By default, the parameter is set to true, which means the driver retains any leading or trailing zeros. Set the parameter to false to remove leading or trailing zeros, e.g.:

  • 0.23 is changed to .23

  • 7.00 is changed to 7

Connection Parameters

Required Connection Parameters

<name> (Data Source)

Specifies the name of your DSN.

uid (User)

Specifies the login name of the Snowflake user to authenticate.

pwd (Password)

A password is required to connect to Snowflake; however, for security and authentication reasons, Snowflake strongly discourages storing password credentials directly within any DSN definition.

Typically, the credentials are passed to the driver programmatically by the client application that is attempting to connect to Snowflake.


In Windows, the ODBC driver displays a Password field in the Data Source Administration tool; however, the driver does not store any values entered in the field. Instead, the driver requires login credentials to be provided at connection time.

server (Server)

Specifies the full hostname for your account. A hostname for a Snowflake account starts with a unique account name (provided by Snowflake) and ends with snowflakecomputing.com.

Depending on the cloud platform (AWS or Azure) and region where your account is hosted, the full account name may require additional segments:

Account name and hostname details

Structure of Snowflake account hostnames

For example, if your account name is xy12345:

Snowflake Region

Full Account Name


US West (Oregon)


US East (N. Virginia)


Canada (Central)


EU (Ireland)


EU (Frankfurt)


Asia Pacific (Singapore)


Asia Pacific (Sydney)



East US 2


US Gov Virginia


Canada Central


West Europe


Australia East


Southeast Asia



If either of the following conditions is true, your account name is different than the structure described above:

  • If your Snowflake Edition is VPS, please contact Snowflake Support for your account name details.

  • If AWS PrivateLink is enabled for your account, your account name requires an additional privatelink segment. For more details, see AWS PrivateLink & Snowflake.

For more details about regions and platforms, see Supported Regions and Supported Cloud Platforms.

port (Port)

Specifies the port on which the driver listens for Snowflake communication.


You do not need to change the default Port value of 443.

Optional Connection Parameters

database (Database)

Specifies the default database to use for sessions initiated by the driver.

schema (Schema)

Specifies the default schema to use for sessions initiated by the driver.

Default is public.

warehouse (Warehouse)

Specifies the default warehouse to use for sessions initiated by the driver.

role (Role)

Specifies the default role to use for sessions initiated by the driver. The specified role should be a role that has been assigned to the specified user for the driver. If the specified role does not match any of the roles assigned to the user, sessions initiated by the driver have no role initially; however, a role can always be specified from within the session.

tracing (Tracing)

The level of detail to be logged in the driver trace files:

0 = Disable tracing

1 = Fatal only error tracing

2 = Error tracing

3 = Warning tracing

4 = Info tracing

5 = Debug tracing

6 = Detailed tracing

Additional Connection Parameters


In Windows, these additional connection parameters can only be set in the Windows Registry using regedit.

In macOS or Linux, they are set in the odbc.ini file, similar to the rest of the connection parameters.


Snowflake partner use only: Specifies the name of a partner application to connect through ODBC.


Specifies the authenticator to use for verifying user login credentials:

  • snowflake (Default) to use the internal Snowflake authenticator.

  • externalbrowser to authenticate using your web browser and Okta, ADFS, or any other SAML 2.0-compliant identify provider (IdP) that has been defined for your account.

  • https://<your_okta_account_name>.okta.com (i.e. the URL endpoint for Okta) to authenticate through native Okta (only supported if your IdP is Okta).

Default is snowflake.


The externalbrowser authenticator is only supported in terminal windows that have web browser access. For example, a terminal window on a remote machine accessed through a SSH (Secure Shell) session may require additional setup to open a web browser.

If you don’t have access to a web browser, but your IdP is Okta, you can use native Okta (i.e. set the authenticator to https://<your_okta_account_name>.okta.com).

For more information, see Managing/Using Federated Authentication.


Specifies whether to keep the current session active after a period of inactivity, or to force the user to login again. If the value is true, Snowflake keeps the session active indefinitely, even if there is no activity from the user. If the value is false, the user must log in again after four hours of inactivity.

  • true specifies to keep the session active indefinitely.

  • false specifies to log out after four hours of inactivity.

Default is false.


Specifies the passcode to use for multi-factor authentication.

For more information about multi-factor authentication, see Multi-Factor Authentication (MFA).


Specifies whether the passcode for multi-factor authentication is appended to the password:

  • on (or true) specifies the passcode is appended.

  • off (or false) or any other value specifies the passcode is not appended.

The default value is off.


Specifies how long to wait for a response when connecting to the Snowflake service before returning a login failure error.

Default is 60 seconds.


Specifies how long to wait for a response when interacting with the Snowflake service before returning an error. Zero (0) indicates no network timeout is set.

Default is 0 seconds.


Specifies how long to wait for a query to complete before returning an error. Zero (0) indicates to wait indefinitely.

Default is 0 seconds.


Specifies the proxy server URL in the format http://<hostname>:<port>/ or <hostname>:<port_number> so that all communications from ODBC use the proxy server.


This parameter is applied to the process. If another connection shares the same process, the proxy setting must be identical or the behavior is not predictable.


Specifies the hostname patterns to bypass the proxy server, e.g. no_proxy=.amazonaws.com to bypass AWS S3 access.


This parameter is applied to the process. If another connection shares the same process, the proxy setting must be identical or the behavior is not predictable.

Verifying the Network Connection to Snowflake with SnowCD

After configuring your driver, you can evaluate and troubleshoot your network connectivity to Snowflake by using the Snowflake Connectivity Diagnostic Tool (SnowCD).

You can use SnowCD during the initial configuration process and on-demand at any time to evaluate and troubleshoot your network connection to Snowflake.

Connecting Through a Proxy Server

The instructions for configuring a proxy server connection depend on your operating system and driver version:

Operating System

Driver Version

Supported Instructions


2.16.0 (released May 3, 2018) or higher

2.13.18 (released February 7, 2018) - 2.15.0 (released April 30, 2018)

Using Environment Variables

2.13.17 or lower

Using Configuration Parameters


2.16.0 (released May 3, 2018) or higher

2.14.0 (released March 28, 2018) - 2.15.0 (released April 30, 2018)

Using Environment Variables

2.13.21 or lower

Using Configuration Parameters


2.16.0 (released May 3, 2018) or higher

2.15.0 (released April 30, 2018)

Using Environment Variables

2.14.0 or lower

Using Configuration Parameters


The latest versions of ODBC driver, indicated above, support any of the listed configuration options. The options are listed in the order of precedence. If more than one option is defined, the setting with the highest precedence is applied.

Using Connection Parameters

To connect through a proxy server, add the following connection parameters to the DSN:

  • proxy

  • no_proxy

For example:

Description = SnowflakeDB
Driver      = SnowflakeDSIIDriver
Locale      = en-US
server      = account.snowflakecomputing.com
proxy       = http://proxyserver.company:80
no_proxy    = .amazonaws.com

See Connection Parameters for parameter descriptions.

Using Configuration Parameters


These parameters are obsoleted (i.e. no longer supported) in recent ODBC driver versions. See the table of supported options in Connecting Through a Proxy Server. As you upgrade your driver, configure your proxy server settings using the environment variables or connection parameters.

To connect through a proxy server, add the following configuration parameters:

  • Proxy

  • NoProxy

See Configuration Parameters for parameter descriptions.

Using Environment Variables

To connect through a proxy server, configure the following environment variables:

  • http_proxy

  • https_proxy

  • no_proxy


These environment variables are case-sensitive for Linux and macOS, and must be set in lowercase. For Windows, the environment variables are case-insensitive.

For example:

  • Linux or macOS:

    export http_proxy=http://proxyserver.company.com:80
    export https_proxy=http://proxyserver.company.com:80

    If the proxy server requires a user name and password, include the credentials, e.g.:

    export https_proxy=http://username:password@proxyserver.company.com:80
  • Windows:

    set http_proxy=http://proxyserver.company.com:80
    set https_proxy=http://proxyserver.company.com:80

    If the proxy server requires a user name and password, include the credentials, e.g.:

    set https_proxy=http://username:password@proxyserver.company.com:80

Optionally, you can set no_proxy to bypass the proxy for specific communications, e.g. no_proxy=.amazonaws.com to bypass AWS S3 access.

Using Key Pair Authentication

Snowflake supports using key pair authentication rather than the typical username/password authentication. This authentication method requires a 2048-bit (minimum) RSA key pair. Generate the public-private key pair using OpenSSL. The public key is assigned to the Snowflake user who will use the Snowflake client.


Snowflake recommends using a long and complex password based on PCI DSS standards to protect the locally generated private key.

Follow these steps to generate a long and complex password based on PCI DSS standards:

  1. Access the PCI Security Standards Document Library.

  2. For PCI DSS, select the most recent version and your desired language.

  3. Complete the form to access the document.

  4. Search for Passwords/passphrases must meet the following: and follow the recommendations for password/passphrase requirements, testing, and guidance.

  • Depending on the document version, you will likely find this phrase in a section called Requirement 8: Identify and authenticate access to system components (or similar name).

To configure the public/private key pair:

  1. From the command line in a terminal window, generate a private key.

    You can generate either an encrypted version of the private key or an unencrypted version of the private key.

    To generate an unencrypted version, use the following command:

    $ openssl genrsa -out rsa_key.pem 2048

    To generate an encrypted version, use the following command:

    $ openssl genrsa 2048 | openssl pkcs8 -topk8 -inform PEM -out rsa_key.p8

    It is typically safer to generate an encrypted version.

    If you use the second command to encrypt the private key, then OpenSSL prompts for a passphrase used to encrypt the private key file. We recommend using a strong passphrase to protect the private key. Record this passphrase in a secure location. You will input it when connecting to Snowflake. Note that the passphrase is only used for protecting the private key and will never be sent to Snowflake.

    Sample PEM private key

  2. From the command line, generate the public key by referencing the private key:

    Assuming the private key is encrypted and contained in the file named “rsa_key.p8”, use the following command:

    $ openssl rsa -in rsa_key.p8 -pubout -out rsa_key.pub

    Sample PEM public key

    -----BEGIN PUBLIC KEY-----
    -----END PUBLIC KEY-----
  3. Copy the public and private key files to a local directory for storage. Record the path to the files. Note that the private key is stored using the PKCS#8 (Public Key Cryptography Standards) format and is encrypted using the passphrase you specified in the previous step; however, the file should still be protected from unauthorized access using the file permission mechanism provided by your operating system. It is your responsibility to secure the file when it is not being used.

  4. Assign the public key to the Snowflake user using ALTER USER. For example:



    • Only security administrators (i.e. users with the SECURITYADMIN role) or higher can alter a user.

    • Exclude the public key header and footer in the SQL statement.

    Verify the user’s public key fingerprint using DESCRIBE USER:

    DESC USER jsmith;
    | property                      | value                                               | default | description                                                                   |
    | NAME                          | JSMITH                                              | null    | Name                                                                          |
    | RSA_PUBLIC_KEY_FP             | SHA256:nvnONUsfiuycCLMXIEWG4eTp4FjhVUZQUQbNpbSHXiA= | null    | Fingerprint of user's RSA public key.                                         |
    | RSA_PUBLIC_KEY_2_FP           | null                                                | null    | Fingerprint of user's second RSA public key.                                  |


    The RSA_PUBLIC_KEY_2_FP property is described in Key Rotation (in this topic).

  5. Modify the data source (DSN) entries for the driver. For information about the DSN entries, see the appropriate topic for your operating system:

    Add the following (case-sensitive) parameters:


    Specifies to authenticate the Snowflake connection using keypair-based authentication with JSON Web Token (JWT).

    JWT_TIME_OUT = integer

    Optional. Specifies the length of time Snowflake waits to receive the JWT (in seconds) before timing out. If that happens, authentication fails and the driver returns an Invalid JWT token error. To resolve repeated occurrences of the error, increase the parameter value. Default: 30

    PRIV_KEY_FILE = path/rsa_key.p8

    Specifies the local path to the private key file you created (i.e. rsa_key.p8).

    PRIV_KEY_FILE_PWD = <password>

    Specifies the passcode to decode the private key file.

  6. Save the settings.

Key Rotation

Snowflake supports multiple active keys to allow for uninterrupted rotation. Rotate and replace your public and private keys based on the expiration schedule you follow internally.

Currently, you can use the RSA_PUBLIC_KEY and RSA_PUBLIC_KEY_2 parameters for ALTER USER to associate up to 2 public keys with a single user.

To rotate your keys:

  1. Complete the steps in Using Key Pair Authentication to:

    • Generate a new private and public key set.

    • Assign the public key to the user. Set the public key value to either RSA_PUBLIC_KEY or RSA_PUBLIC_KEY_2 (whichever key value is not currently in use). For example:

      alter user jsmith set rsa_public_key_2='JERUEHtcve...';
  2. Update the code to connect to Snowflake. Specify the new private key.

    Snowflake verifies the correct active public key for authentication based on the private key submitted with your connection information.

  3. Remove the old public key from the user profile. For example:

    alter user jsmith unset rsa_public_key;

Verifying the OCSP Connector or Driver Version

Snowflake uses OCSP to evaluate the certificate chain when making a connection to Snowflake. The driver or connector version and its configuration both determine the OCSP behavior. For more information about the driver or connector version, their configuration, and OCSP behavior, see OCSP Client & Driver Configuration.

OCSP Response Cache Server


The OCSP response cache server is currently supported by the Snowflake ODBC Driver 2.15.0 and higher.

Snowflake clients initiate every connection to a Snowflake service endpoint with a “handshake” that establishes a secure connection before actually transferring data. As part of the handshake, a client authenticates the TLS/SSL certificate for the service endpoint. The revocation status of the certificate is checked by sending a client certificate request to one of the OCSP (Online Certificate Status Protocol) servers for the CA (certificate authority).

A connection failure occurs when the response from the OCSP server is delayed beyond a reasonable time. The following caches persist the revocation status, helping alleviate these issues:

  • Memory cache, which persists for the life of the process.

  • File cache, which persists until the cache directory (e.g. ~/.cache/snowflake or ~/.snowsql/ocsp_response_cache) is purged.

  • Snowflake OCSP response cache server, which fetches OCSP responses from the CA’s OCSP servers hourly and stores them for 24 hours. Clients can then request the validation status of a given Snowflake certificate from this server cache.


    If your server policy denies access to most or all external IP addresses and web sites, you must whitelist the cache server address to allow normal service operation. The cache server hostname is ocsp*.snowflakecomputing.com:80.

    If you need to disable the cache server for any reason, set the SF_OCSP_RESPONSE_CACHE_SERVER_ENABLED environment variable to false. Note that the value is case-sensitive and must be in lowercase.

If none of the cache layers contain the OCSP response, the client then attempts to fetch the validation status directly from the OCSP server for the CA.