[Snowflake's New Feature] Snowflake Programmatic Access Tokens: Easy Authentication for BI Tools like Tableau & Power BI

May 1, 2025 - 09:48
※This is the English translated version of the following article:
https://dev.classmethod.jp/articles/snowflake-programmatic-access-tokens/

This is Sagara.

Snowflake has released "Programmatic access tokens," an access token feature that can also be used in the password fields of tools like Tableau and Power BI.

https://docs.snowflake.com/en/release-notes/2025/other/2025-04-30-programmatic-access-tokens

I had a chance to try out this feature, so let me share the details.

What are Programmatic access tokens?

Programmatic access tokens are a feature, similar to those in other services, that allows you to issue access tokens for authentication from external tools.

https://docs.snowflake.com/en/user-guide/programmatic-access-tokens

However, the key advantages of these new Snowflake access tokens are:

  • They can be issued even for TYPE=SERVICE users.
    • Previously, TYPE=SERVICE users could only authenticate using methods like key pair authentication, which were honestly a bit cumbersome.
  • You can authenticate from existing BI tools by entering the access token value in the password field.
    • This should be helpful for those who were struggling with authentication methods for existing users from BI tools due to the recent MFA enforcement!
    • The official documentation also mentions: "You can also use a programmatic access token as a replacement for a password in the following:"
      • Snowflake drivers.
      • Third-party applications that connect to Snowflake (such as Tableau and PowerBI).

Trying it Out

Create a TYPE=SERVICE User

First, execute the following query to create a TYPE=SERVICE user.

use role accountadmin;
create user sagara_service
    type = service
    default_role = public;

grant role sysadmin to user sagara_service;
grant role public to user sagara_service;

For more details about TYPE=SERVICE users, the following blog post might be helpful (Japanese):

https://dev.classmethod.jp/articles/snowflake-user-type-property/

Configure Network Policy (Required for Default Settings)

With the default settings, you cannot issue an access token unless a network policy is applied to the user the token is issued for (sagara_service here).

https://docs.snowflake.com/en/user-guide/programmatic-access-tokens#network-policy-requirements

In this case, assuming I want to allow access only from specific IP addresses, I will execute the following query.

use role accountadmin;
create network policy if not exists sagara_service_ip_policy
  allowed_ip_list = ('xxx.xxx.xxx.xxx', 'yyy.yyy.yyy.yyy'); -- Replace with actual allowed IP addresses

alter user sagara_service set network_policy = sagara_service_ip_policy;

Issue an Access Token for the TYPE=SERVICE User

Next, execute the following query to issue an access token.

use role accountadmin;
alter user if exists sagara_service add programmatic access token tableau_token
  days_to_expiry = 365 -- Set the access token's expiration period, maximum 365 days.
  role_restriction = 'PUBLIC'; -- Queries will be executed with the specified role. Note that the role name must be uppercase. Secondary roles are not used.

The access token is then displayed in the results pane. Please note that this is the only time the token value is displayed.

Using it for Authentication from Tableau

I will check if the issued access token can be used for authentication from Tableau.

Enter the value of the token issued earlier into the password field.


And it authenticated successfully! Even TYPE=SERVICE users can authenticate successfully by issuing an access token.


By the way, since I specified PUBLIC for role_restriction when creating the access token, attempting to authenticate with the SYSADMIN role will result in an error.


Bonus: Access Token Rotation

As a bonus, I will also try rotating the access token following the documentation below.

https://docs.snowflake.com/en/user-guide/programmatic-access-tokens#rotating-a-programmatic-access-token

use role accountadmin;
alter user if exists sagara_service
  rotate programmatic access token tableau_token
  expire_rotated_token_after_hours = 0; -- Setting for how many hours after rotation the existing token should be invalidated. Default is 24 hours.

A new token is issued and displayed in the results pane. You can then use this new token for authentication.

By the way, since I set expire_rotated_token_after_hours = 0, Tableau, which was using the pre-rotation access token, now shows an error.

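To follow up on issuance and rotation, here is an added example (not from the original article) of routine token housekeeping for sagara_service: listing its tokens, flagging ones that are inactive or near expiry, rotating with an overlap window, and disabling or removing a token. The quoted column names in the SELECT, the 30-day threshold and the 4-hour overlap are assumptions to adjust for your account.

```sql
-- Added example, not from the original article. Reuses the article's names
-- sagara_service and tableau_token. Steps 3 to 5 are independent actions:
-- run only the one that applies to your situation.
use role accountadmin;

-- 1. Inventory: list every programmatic access token issued for the user.
show user programmatic access tokens for user sagara_service;

-- 2. Flag tokens that are not active or that expire within 30 days.
--    Column names are assumed from the SHOW output; confirm them in step 1.
--    Run this immediately after step 1, because it reads the last result.
select "name", "role_restriction", "status", "expires_at"
from table(result_scan(last_query_id()))
where "status" <> 'ACTIVE'
   or "expires_at" < dateadd(day, 30, current_timestamp());

-- 3. Planned rotation: keep the old secret valid for 4 hours so the BI tool
--    can be switched to the new secret without the outage seen with 0.
alter user if exists sagara_service
  rotate programmatic access token tableau_token
  expire_rotated_token_after_hours = 4;

-- 4. Suspected exposure: disable the token right away. It stays listed in
--    step 1, so it can be reviewed and re-enabled with disabled = false.
alter user if exists sagara_service
  modify programmatic access token tableau_token
  set disabled = true;

-- 5. Decommission: remove the token permanently once no client uses it.
alter user if exists sagara_service
  remove programmatic access token tableau_token;
```

Because the token value is only shown at issuance and rotation, the inventory in step 1 returns metadata, not the secret itself.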

Conclusion

Snowflake has released 'Programmatic access tokens,' which can be used in the password fields of tools like Tableau and Power BI, and I tried it out.

I believe this will be helpful for those dealing with TYPE=SERVICE users or struggling with authentication methods for existing users from BI tools due to MFA enforcement!

Please give it a try!