- v4.7.0(Jul 2,2026)
- Fixed
python-connector.lognot rotating on Windows, and every record being logged twice, when easy logging is enabled viaconfig.toml(SNOW-3680325).- Note: As part of this fix, easy logging no longer calls
logging.basicConfig()and therefore no longer configures the root logger.python-connector.lognow captures only thesnowflake.connector,botocore, andboto3.
- Note: As part of this fix, easy logging no longer calls
- Improved URL validation reliability by replacing the hand-rolled regex in
is_valid_url()withurllib.parse.urlparse(SNOW-3392651). - Fixed OAuth infinite loop when tokens expire by ensuring
reauthenticate()calls_request_tokens()directly instead of looping throughprepare(). Token cache is now read exactly once per connection, and_store_tokens()preserves macOS Keychain ACL by never callingremove(). The async OAuthreauthenticate()now runs the synchronous OAuth flow on a worker thread instead of blocking the event loop. - Fixed OAuth scope handling for Snowflake custom OAuth: when refresh tokens are enabled, the connector no longer appends the OIDC
offline_accessscope for token endpoints on*.snowflakecomputing.comor*.snowflakecomputing.cn, which causedinvalid_scopeerrors. Snowflake custom OAuth expectsrefresh_tokenin scope instead. External IdP behavior is unchanged. - Fixed input validation for
scalemetadata in Arrow result set processing forTIME,TIMESTAMP_NTZ,TIMESTAMP_LTZ, andTIMESTAMP_TZcolumns (SNOW-3388299). - Removed pandas upper bound dependency constraint on the
[pandas]extra to allow installation of pandas 3.0.0 and later. - Fixed S3 storage client to correctly handle 307/308 (method-preserving) and 301/302 (GET/HEAD only) redirects by disabling automatic redirect following and re-signing each request with AWS SigV4 credentials for the redirect target. The region is updated from the
x-amz-bucket-regionresponse header on each redirect. Redirects are capped at 5 hops. - Added native AKS (Azure Kubernetes Service) workload identity support. When running on AKS with workload identity configured, the connector automatically uses
WorkloadIdentityCredentialto authenticate via the injected service account credentials. OIDC backward compatibility is also supported. - Added the
workload_identity_aws_use_outbound_tokenconnection option (defaultfalse) to opt into AWS WIF JWT attestation via STSGetWebIdentityTokeninstead of the default SigV4GetCallerIdentitymethod. - Fixed a bug where a fully-qualified DDL statement (e.g.
CREATE VIEW db.schema.obj) on a session with no current schema would populate the connector's cached_schema/_databasefrom the referenced object's namespace. This madeget_current_schema()diverge from the server'sCURRENT_SCHEMA()and mis-qualified Snowpark temp objects (SNOW-3665226).
- Fixed