What causes CUSTOMER_MANAGED_KEY_NOT_FOUND?

The KMS key or Azure Key Vault key was deleted, disabled, or had its rotation policy changed. The IAM policy or Key Vault access policy no longer grants Snowflake the required decrypt/unwrap permission. The key was rotated manually without completing the Snowflake Tri-Secret Secure re-encryption process. Cross-region or cross-account key access was revoked by a cloud admin

How do I fix CUSTOMER_MANAGED_KEY_NOT_FOUND?

Step 1: Confirm the KMS key or Key Vault key exists and is in Enabled status in your cloud provider console.. Step 2: Verify the IAM policy (AWS) or access policy (Azure) still grants the Snowflake service principal kms:Decrypt and kms:GenerateDataKey permissions.. Step 3: Do NOT delete the key — this results in permanent data loss. Contact Snowflake Support immediately if the key is missing.. Step 4: If the key was rotated, work with Snowflake Support to complete the composite master key re-encryption.. Step 5: After restoring access, test with a simple query and check the Snowflake account event log for key access confirmations.

Critical severityconfiguration

Power BI Refresh Error:
CUSTOMER_MANAGED_KEY_NOT_FOUND

What does this error mean?

Snowflake Tri-Secret Secure cannot access the customer-managed encryption key in AWS KMS or Azure Key Vault, preventing decryption of the Snowflake composite master key and blocking all data access.

Common causes

1The KMS key or Azure Key Vault key was deleted, disabled, or had its rotation policy changed
2The IAM policy or Key Vault access policy no longer grants Snowflake the required decrypt/unwrap permission
3The key was rotated manually without completing the Snowflake Tri-Secret Secure re-encryption process
4Cross-region or cross-account key access was revoked by a cloud admin

How to fix it

1Step 1: Confirm the KMS key or Key Vault key exists and is in Enabled status in your cloud provider console.
2Step 2: Verify the IAM policy (AWS) or access policy (Azure) still grants the Snowflake service principal kms:Decrypt and kms:GenerateDataKey permissions.
3Step 3: Do NOT delete the key — this results in permanent data loss. Contact Snowflake Support immediately if the key is missing.
4Step 4: If the key was rotated, work with Snowflake Support to complete the composite master key re-encryption.
5Step 5: After restoring access, test with a simple query and check the Snowflake account event log for key access confirmations.

Frequently asked questions

What happens if I permanently delete my BYOK encryption key?

Permanently deleting the customer-managed key makes all encrypted Snowflake data irrecoverable. Snowflake cannot decrypt data without the key. Cloud KMS services offer a 30-day waiting period before key deletion — use this window to recover.

Does BYOK affect query performance?

Tri-Secret Secure adds a small overhead at session establishment, but does not impact individual query execution — the composite master key is cached securely for the session duration.