Key Pair Authentication Setup
Snowflake supports using key pair authentication for enhanced authentication security as an alternative to basic authentication (i.e. username and password).
This authentication method requires, as a minimum, a 2048-bit RSA key pair. You generate the PEM-encoded (Privacy Enhanced Mail) private/public key pair with OpenSSL.
Some of the Supported Snowflake Clients allow using encrypted private keys to connect to Snowflake. The public key is assigned to the Snowflake user who uses the Snowflake client to connect and authenticate to Snowflake.
Snowflake also supports rotating public keys in an effort to allow compliance with more robust security and governance postures.
Key pair authentication is a secure way to access your Snowflake data warehouse without relying solely on traditional username and password authentication. In this step-by-step guide, we will walk you through the process of setting up key pair authentication in Snowflake. We'll also cover how to install OpenSSL, a crucial tool for generating the necessary key pair.
Prerequisites:
Before we begin, ensure you have the following prerequisites in place:
- A Snowflake account and a role that is allowed to alter the target user (this guide uses ACCOUNTADMIN).
- A computer running a supported operating system (Windows, macOS, or Linux).
- Basic knowledge of the command line interface.
OpenSSL is an open-source tool that allows you to generate cryptographic keys and certificates. You will need it to create the key pair for Snowflake.
If you don't have OpenSSL installed on your local computer or virtual machine, complete the items below for your operating system. If you already have OpenSSL installed, go to Step 1: Create Private Key:
- For Windows:
- Run the installer and follow the installation instructions.
- For macOS:
- Paste the text into your Terminal window and press Enter to run it. The install takes several minutes, and you will be prompted for your Mac password during the process.
- For Linux (Debian/Ubuntu):
- Open your terminal and run the following commands to install OpenSSL:
- sudo apt-get update
- sudo apt-get install openssl
- Confirm the installation when prompted.
Now that you have OpenSSL installed, let's generate the RSA key pair. Note that this is a PEM-encoded RSA key pair (a PKCS#8 private key and its matching public key), not an SSH key pair. The private key stays on your machine and is never sent anywhere; only the public key is uploaded to Snowflake.
Open a Terminal window and enter the command below. Depending on your security and governance requirements, you can generate either an encrypted or an unencrypted private key. If you are unsure what your guidelines require, use an encrypted key: it is protected by a passphrase at rest, so a copy of the file alone is not enough to authenticate as your user.
For an encrypted key, use the following command:
You will be asked to enter a passphrase. Store it somewhere safe, such as a password manager, and make sure you don't lose it: you will need it when you configure the connection later.
Enter the following command in your Terminal window:
Make sure you know where your keys are stored, because you will need the file path later. If you completed the Preparation Steps and Steps 1 and 2 above, the files will be in a path similar to the one below. In this folder you will find the two files created in those steps: rsa_key.p8 and rsa_key.pub.
- Folder Path: /Users/<Your Mac Username>/code/build-from-src/openssl-1.1.1d/
If you chose the encrypted option, the private key (rsa_key.p8) is stored encrypted with the passphrase you specified in Step 1. The files will look like the examples shown below when you open them.
- The .p8 extension signifies a PEM-encoded PKCS#8 private key; the matching public key is in rsa_key.pub. Both are plain text files you can open with any text editor (TextEdit, vim, Sublime Text) to see the key. Treat rsa_key.p8 as a secret: do not paste it into a worksheet, ticket or chat. Only the contents of rsa_key.pub go to Snowflake.
- TextEdit is a built-in utility on the Mac and is found under Launchpad. Type "TextEdit" in Launchpad to search for it.
You must be using a role that is allowed to alter the user (ACCOUNTADMIN in this guide). You can see your current role in the top right corner under your name. If that role has been granted to you, switch to it by entering the following command in your worksheet, or by clicking the user settings bar in the top right corner of your worksheet:
Then enter the following command in your worksheet to assign the public key (rsa_key.pub) you created in Step 2 to your Snowflake user. Paste only the base64 body of the key: leave out the -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY----- lines.
Note: If the above command fails because you do not have, or cannot obtain, the required role, you lack the permissions you need. Reach out to the admin of your Snowflake account to request the access you need.
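Steps 1 and 2 and the ALTER USER step above fit together into one script. The following is an added example written for this page, not code from the DataLakeHouse.io documentation or from Snowflake: it generates the pair (encrypted or not), checks that the public key really belongs to the private key before you upload it, strips the PEM header and footer lines that the ALTER USER value must not contain, and prints the key fingerprint in the same SHA256: form that DESCRIBE USER reports in its RSA_PUBLIC_KEY_FP column, so you can confirm the key landed on the right user. The file names follow this page; the user name DATALAKEHOUSE_USER, the passphrase and the KEY_DIR variable are assumptions.

```shell
#!/bin/sh
# Added example, not from the DataLakeHouse.io page or Snowflake's docs.
# File names (rsa_key.p8, rsa_key.pub) follow the page; the user name,
# passphrase and KEY_DIR are assumptions for illustration.
set -eu

# Generate a 2048-bit RSA private key in PKCS#8 PEM form plus its public key.
# With a passphrase the private key is encrypted (PBES2 / AES-256-CBC); with
# none it is written in the clear (-nocrypt). Snowflake accepts either.
# Interactively you would omit -passout and type the passphrase at the
# prompt, as the page describes; passing it on the command line exposes it
# in process listings and shell history.
generate_keypair() {
  dir="$1"; passphrase="${2:-}"
  if [ -n "$passphrase" ]; then
    openssl genrsa 2048 2>/dev/null \
      | openssl pkcs8 -topk8 -inform PEM -v2 aes-256-cbc \
          -passout "pass:$passphrase" -out "$dir/rsa_key.p8"
  else
    openssl genrsa 2048 2>/dev/null \
      | openssl pkcs8 -topk8 -inform PEM -nocrypt -out "$dir/rsa_key.p8"
  fi
  chmod 600 "$dir/rsa_key.p8"     # the private key is a secret: owner-only
  openssl rsa -in "$dir/rsa_key.p8" -passin "pass:$passphrase" \
    -pubout -out "$dir/rsa_key.pub" 2>/dev/null
}

# Strip the PEM armour: ALTER USER wants only the base64 body on one line,
# without the -----BEGIN/END PUBLIC KEY----- lines.
public_key_body() {
  sed -e '/-----/d' "$1" | tr -d '\n'
}

# SHA-256 over the DER-encoded public key, base64, prefixed "SHA256:" so it
# can be compared with RSA_PUBLIC_KEY_FP from DESCRIBE USER <name>.
public_key_fingerprint() {
  printf 'SHA256:%s\n' "$(openssl rsa -pubin -in "$1" -outform DER 2>/dev/null \
    | openssl dgst -sha256 -binary | openssl enc -base64)"
}

# Re-derive the public key from the private key and compare fingerprints, so
# you never upload a public key that does not match the private key you keep.
keys_match() {
  dir="$1"; passphrase="${2:-}"
  derived=$(openssl rsa -in "$dir/rsa_key.p8" -passin "pass:$passphrase" -pubout 2>/dev/null \
    | openssl rsa -pubin -outform DER 2>/dev/null \
    | openssl dgst -sha256 -binary | openssl enc -base64)
  [ "SHA256:$derived" = "$(public_key_fingerprint "$dir/rsa_key.pub")" ]
}

# Build the statement to run in a worksheet as a role that owns the user.
# The user name is interpolated into SQL, so accept only identifier chars.
alter_user_sql() {
  case "$1" in
    *[!A-Za-z0-9_]*|'') echo "refusing unsafe user name: $1" >&2; return 1 ;;
  esac
  printf "ALTER USER %s SET RSA_PUBLIC_KEY='%s';\n" "$1" "$(public_key_body "$2")"
}

# Usage: KEY_DIR=/path/to/keys sh snowflake_keypair.sh DATALAKEHOUSE_USER 'your passphrase'
# (omit the passphrase argument for an unencrypted key)
if [ "$#" -gt 0 ]; then
  user="$1"; pass="${2:-}"; keydir="${KEY_DIR:-$PWD}"
  generate_keypair "$keydir" "$pass"
  keys_match "$keydir" "$pass" || { echo "key halves do not match" >&2; exit 1; }
  alter_user_sql "$user" "$keydir/rsa_key.pub"
  echo "-- expected RSA_PUBLIC_KEY_FP in DESCRIBE USER $user: $(public_key_fingerprint "$keydir/rsa_key.pub")"
fi
```

After running the printed ALTER USER statement, run DESCRIBE USER for that user in Snowflake and compare its RSA_PUBLIC_KEY_FP value with the fingerprint the script prints; a mismatch means the wrong public key (or a truncated copy of it) was pasted.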
Create a Snowflake Target Connection in DataLakeHouse.io
- On the Connection Form :: Enter your Credentials and Other Information
- Enter in the Name/Alias field, the name you'll use within DataLakeHouse.io to differentiate this connection from others
- Enter in the Server/Host field the hostname of your Snowflake account. Do not use an IP address here: Snowflake endpoints are addressed by hostname.
- Use the full hostname, for example, bbbxxx123.snowflakecomputing.com
- Enter in the Port field the port on which the database is reachable through your firewall.
- For Snowflake this is always 443 (HTTPS), which is standard; the field exists for future-proofing.
- Enter in the Database field, the name of the database to connect
- In most cases this is the DATALAKEHOUSE_RAW database
- Enter in the Username/Alias field, the username of user you created in the steps above to give access to DataLakeHouse.io
- In most cases this is the DATALAKEHOUSE_USER
- NB: Be sure this is the LOGIN NAME of the user you assigned the public key to. The key pair is bound to that user, which matters in certain circumstances such as the DLH.io Snowflake SOX Compliance dashboards.
- Enter in the Role field the role you created in the steps above to give access to DataLakeHouse.io
- In most cases this is the DATALAKEHOUSE_ROLE
- Set Auth Type field to Key Pair Authentication
- Set Private Key Encrypted to Yes if you generated an encrypted key in Step 1 and supply the Key Passphrase; set it to No for an unencrypted key
- Click on Save & Test to save the connection and test that we can connect.
- If updating the form Click Save & Test or just Test
- Clicking on Save & Test saves any changes (such as a changed Key Passphrase) before testing. You cannot change the prefix of the target schema in the destination. Any test of the connection attempts to connect to your database with the credentials and information provided.
- A message of success or failure will be shown:
- On success you'll be shown the schema objects of the database and will need to complete the final configuration steps shown below.
- On failure the connection is still saved, but you will need to correct the problem based on the failure reason given in the message
- Snowflake Network Policy Settings
- If you have configured a Snowflake Network Policy, update it to allow the DataLakeHouse.io list of IP addresses; otherwise the connection test will be rejected by Snowflake before credentials are checked. If you have an existing policy, find the policy name and run the following script:
- Modify Existing Networking Policy
The Target Connection is now complete. Next, create a Sync Bridge to replicate data to Snowflake.