
Snowflake Key-Pair Authentication

DataOps orchestrators allow you to use Snowflake key-pair authentication, an enhanced authentication security protocol, as an alternative to standard or basic authentication with a username and password.

You can connect to Snowflake using key-pair authentication with the following orchestrators:

Before we look at how to configure key-pair authentication, note that only the following private key formats are supported:

  • RSA private key in PEM format
  • Encrypted RSA private key in PKCS#8 format

This authentication method requires, as a minimum, a 2048-bit RSA key pair.

AES cipher support for private keys

Only AES ciphers are supported for encrypted private keys. Other encryption algorithms are not supported.

Configuring key-pair authentication

While the detailed steps to configure key-pair authentication are not part of the scope of this topic, it is worth summarizing the key-pair authentication configuration workflow (as specified in the Snowflake documentation):

  1. Generate the private key as per Snowflake documentation
  2. Generate the public key as per Snowflake documentation
  3. Store the private and public keys securely in your DataOps Vault configuration
  4. Assign the public key to a Snowflake user: see the Snowflake User SOLE Reference for the rsa_public_key and rsa_public_key_2 parameters
  5. Verify the user's public key fingerprint
  6. Configure the Snowflake client to use key-pair authentication

Key generation examples

The following examples show how to generate RSA key pairs for Snowflake authentication using OpenSSL:

Generate private key without passphrase

# Generate 2048-bit RSA private key without passphrase
openssl genrsa -out rsa_key.pem 2048

# Generate public key from private key
openssl rsa -in rsa_key.pem -pubout -out rsa_key.pub

Generate private key with passphrase

# Generate 2048-bit RSA private key with AES-256 encryption and passphrase
openssl genrsa -aes256 -out rsa_key_encrypted.pem 2048

# Generate public key from encrypted private key
openssl rsa -in rsa_key_encrypted.pem -pubout -out rsa_key_encrypted.pub

Security considerations

  • Store private keys securely and never commit them to version control
  • Use strong passphrases when encrypting private keys
  • Use at least a 2048-bit key; that is the minimum this authentication method accepts
  • Only AES ciphers are supported for encrypted private keys
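Steps 3 to 5 of the workflow are where an unsupported or too-short key usually surfaces, and often only at pipeline time. As an added example (written for this page, not DataOps.live or Snowflake code), the following shell function checks a private key against the rules above before it goes into the vault, and prints the fingerprint that Snowflake reports as RSA_PUBLIC_KEY_FP in DESCRIBE USER, so step 5 becomes a string comparison. It assumes the openssl CLI is on PATH; the function name is my own.

```shell
#!/bin/sh
# Constructed pre-flight check for a Snowflake key-pair private key (not DataOps.live
# or Snowflake code). It enforces the rules on this page (PEM or PKCS#8 RSA key,
# AES-only encryption, at least 2048 bits) and prints the fingerprint Snowflake shows
# as RSA_PUBLIC_KEY_FP in DESCRIBE USER, so it can be compared after the key is assigned.
# Usage: check_snowflake_key <private_key.pem> [passphrase]
check_snowflake_key() {
  key="$1"; passin="pass:${2:-}"
  header=$(head -n 1 "$key")
  case "$header" in
    "-----BEGIN RSA PRIVATE KEY-----"|"-----BEGIN PRIVATE KEY-----") ;;   # PEM / PKCS#8
    "-----BEGIN ENCRYPTED PRIVATE KEY-----")                               # PKCS#8, encrypted
      # The PBES2 parameters name the cipher; anything other than AES is rejected
      openssl asn1parse -in "$key" 2>/dev/null | grep -qi ':aes-' \
        || { echo "encrypted key does not use an AES cipher" >&2; return 1; } ;;
    *) echo "unsupported key format: $header" >&2; return 1 ;;
  esac
  # Legacy PEM encryption (OpenSSL 1.x "DEK-Info" header) must also name an AES cipher
  if grep -q '^DEK-Info:' "$key" && ! grep -q '^DEK-Info: *AES-' "$key"; then
    echo "encrypted key does not use an AES cipher" >&2; return 1
  fi
  # One decrypt-and-verify pass: a wrong passphrase or a non-RSA key fails here
  openssl rsa -in "$key" -passin "$passin" -noout -check >/dev/null 2>&1 \
    || { echo "not a valid RSA private key (or wrong passphrase)" >&2; return 1; }
  bits=$(openssl rsa -in "$key" -passin "$passin" -noout -text 2>/dev/null \
    | sed -n 's/^.*Private-Key: (\([0-9]*\) bit.*$/\1/p')
  [ "${bits:-0}" -ge 2048 ] \
    || { echo "key is ${bits:-?} bits; 2048 is the minimum" >&2; return 1; }
  # Snowflake fingerprint = SHA-256 over the DER SubjectPublicKeyInfo, base64-encoded
  fp=$(openssl rsa -in "$key" -passin "$passin" -pubout -outform DER 2>/dev/null \
    | openssl dgst -sha256 -binary | openssl base64 -A)
  printf 'SHA256:%s\n' "$fp"
}
[ $# -eq 0 ] || check_snowflake_key "$@"
```

Compare the printed value with the RSA_PUBLIC_KEY_FP property shown by DESCRIBE USER once the public key has been assigned through rsa_public_key.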

Supported parameters for key-pair authentication

Before we look at an example key-pair vault configuration, be aware of the following supported parameters, two required and two optional:

| Variable | Required/Default | Description |
|---|---|---|
| DATAOPS_SNOWFLAKE_AUTH | REQUIRED | Set it to the KEY_PAIR value to enable key-pair authentication support |
| DATAOPS_SNOWFLAKE_KEY_PAIR | REQUIRED | Specify the key pair to be used |
| DATAOPS_SNOWFLAKE_PASSPHRASE | Optional | The passphrase when using an encrypted private key |
| PREVENT_KEY_PAIR_CLEANUP | Optional | Skip key pair file removal on the teardown process for the MATE orchestrator |

Key pairs are stored temporarily during pipeline execution

Configured key pairs are temporarily stored in a file the orchestrators use and remove before the job ends. Consequently, by default, the key pair will not be available after the call to the /dataops script. To prevent the deletion of the key pair files for an orchestrator, you can set the job parameter PREVENT_KEY_PAIR_CLEANUP to true.

Key pair vault configuration

The following example shows what a key-pair vault configuration looks like when configured in the local /secrets/vault.yml:

/secrets/vault.yml
SNOWFLAKE:
  SOLE:
    ACCOUNT: <account> # DATAOPS_SOLE_ACCOUNT will be set from this local vault key
    USERNAME: <username> # DATAOPS_SOLE_USERNAME will be set from this local vault key
    ROLE: <role> # DATAOPS_SOLE_ROLE will be set from this local vault key

    # DATAOPS_SNOWFLAKE_KEY_PAIR will be set from this local vault key
    KEY_PAIR: "-----BEGIN RSA PRIVATE KEY-----
      rmtbsfvsdcdtdxcvmyutr
      athyjuhyktvdxdvcaerst
      -----END RSA PRIVATE KEY-----"
    # Optional passphrase if the key pair is encrypted
    KEY_PASSPHRASE: XXXXXXX # DATAOPS_SNOWFLAKE_PASSPHRASE will be set from this local vault key

For higher security requirements, we recommend using the secrets manager of your choice to store the SNOWFLAKE.SOLE.KEY_PAIR and SNOWFLAKE.SOLE.KEY_PASSPHRASE secrets.

Example job configuration for key pair authentication

The variables section of the job or the config.yml file must be similar to the following code snippet:

My Job:
  variables:
    DATAOPS_SNOWFLAKE_AUTH: KEY_PAIR
    DATAOPS_SNOWFLAKE_KEY_PAIR: DATAOPS_VAULT(SNOWFLAKE.SOLE.KEY_PAIR)
    DATAOPS_SNOWFLAKE_PASSPHRASE: DATAOPS_VAULT(SNOWFLAKE.SOLE.KEY_PASSPHRASE)