Key Pair Authentication Setup
Snowflake supports key pair authentication as an alternative to basic authentication (i.e. username and password) for enhanced authentication security. This authentication method requires, as a minimum, a 2048-bit RSA key pair. You can generate the Privacy Enhanced Mail (i.e. PEM) private-public key pair using OpenSSL. Some of the supported Snowflake clients (https://docs.snowflake.com/en/user-guide/key-pair-auth#supported-snowflake-clients) allow using encrypted private keys to connect to Snowflake. The public key is assigned to the Snowflake user who uses the Snowflake client to connect and authenticate to Snowflake. Snowflake also supports rotating public keys in an effort to allow compliance with more robust security and governance postures.

Key pair authentication is a secure way to access your Snowflake data warehouse without relying solely on traditional username and password authentication. In this step-by-step guide, we will walk you through the process of setting up key pair authentication in Snowflake. We'll also cover how to install OpenSSL, a crucial tool for generating the necessary key pair.

Prerequisites

Before we begin, ensure you have the following prerequisites in place:

- A Snowflake account with appropriate ACCOUNTADMIN privileges
- A computer running a supported operating system (Windows, macOS, or Linux)
- Basic knowledge of the command line interface

Preparation Steps

OpenSSL is an open-source tool that allows you to generate cryptographic keys and certificates. You will need it to create the key pair for Snowflake. If you don't have OpenSSL installed on your local computer or virtual machine, complete the items below. If you do have OpenSSL already installed, go to Step 1.

For Windows

- Download the Windows installer from the OpenSSL website.
- Run the installer and follow the installation instructions.

For macOS

Open the Terminal on your Mac and copy the text from this GitHub in order to install
OpenSSL. Paste the text into your Terminal window and press the Enter key to run it. The process will take several minutes, and you will be prompted to enter your Mac password during the install process.

For Linux (Debian/Ubuntu)

Open your terminal and run the following commands to install OpenSSL:

    sudo apt-get update
    sudo apt-get install openssl

Follow the installation prompts.

Step 1: Create private key

Now that you have OpenSSL installed, let's generate the key pair. The private key will be stored securely on your machine, while the public key will be uploaded to Snowflake.

Open a terminal window and enter the command below. Depending on your security and governance requirements, you can generate either an encrypted or an unencrypted key. If you are unsure what your security guidelines are, it is in general safer to use an encrypted key.

For an encrypted key, use the following command:

    openssl genrsa 2048 | openssl pkcs8 -topk8 -v2 des3 -inform PEM -out rsa_key.p8

You will be asked to enter a passphrase. Save it in a note or write it down somewhere; just make sure you don't forget it!
You will need it later.

Step 2: Create public key

Enter the following command in your terminal window:

    openssl rsa -in rsa_key.p8 -pubout -out rsa_key.pub

Step 3: Store private and public keys securely

Make sure you know where your keys are stored, because you will need the file path later. If you completed the preparation steps and Steps 1 and 2 above, the files will be stored in a path similar to the one below. In this folder you will find the two files that were created in the above steps: rsa_key.p8 and rsa_key.pub.

Folder path: /Users/<your mac username>/code/build-from-src/openssl-1.1.1d/

The private key (rsa_key.p8) is stored encrypted using the passphrase you specified in Step 1. The files will look like what is shown below when you open them. The .p8 extension signifies a simple text file containing a public/private key. You can open it with any text editor (TextEdit, Vim, Sublime Text) to see your key. TextEdit is a built-in utility on the Mac and is found under Launchpad; type "TextEdit" to search in Launchpad.

    -----BEGIN ENCRYPTED PRIVATE KEY-----
    miie6tabbgkqhkig9w0bbqmwdgqilypycppzowecaggabiieyligspeegse3xhp1
    whljfcyycupennlx2bd8yx8xoxgsgfvb+99+pmslex0fmy9ov1j8h1h9y3lmwxbl
    -----END ENCRYPTED PRIVATE KEY-----

    -----BEGIN PUBLIC KEY-----
    miibijanbgkqhkig9w0baqefaaocaq8amiibcgkcaqeay+fw2qv4roud3l6tjph4
    zxybhjmz5rhtcz9jppcv8utwvexxa88igrihbj/pwkw/mr8lxdfi7l/9vcmxx4mk
    -----END PUBLIC KEY-----

Step 4: Set your public key to your Snowflake user

You must be in an ACCOUNTADMIN role to make edits to a user. You can view what role you have in the top right corner under your name. If you have the rights, you can change your role by entering the following command in your worksheet or by clicking on the user setting bar in the top right corner of your worksheet:

    USE ROLE ACCOUNTADMIN;

Then enter the
following command in your worksheet to assign the public key (rsa_key.pub) you created in Step 2 to your Snowflake user:

    ALTER USER <your username> SET RSA_PUBLIC_KEY='miibijanbgkqhkig9w0baqefaaocaq8amiibcgkcaqeay+fw2qv4roud3l6tjph4
    zxybhjmz5rhtcz9jppcv8utwvexxa88igrihbj/pwkw/mr8lxdfi7l/9vcmxx4mk';

Note: If you do not have or cannot get admin rights with the above command, it's likely you do not have the permissions you need. Please reach out to the admin of your Snowflake account to request the access you need.

Step 5: Configure Snowflake target connection

Create a Snowflake target connection in DataLakeHouse.io. On the connection form, enter your credentials and other information:

- In the Name/Alias field, enter the name you'll use within DataLakeHouse.io to differentiate this connection from others.
- In the Server/Host field, enter the public server name or the IP address (most customers use the IP for this field). Use the full URL, for example, bbbxxx123.snowflakecomputing.com.
- In the Port field, enter the port where this database is accessible and for which the firewall restrictions are open. For Snowflake we always assume port 443, which is standard, but we have it here for future proofing.
- In the Database field, enter the name of the database to connect to. In most cases this is the DATALAKEHOUSE_RAW database.
- In the Username/Alias field, enter the username of the user you created in the steps above to give access to DataLakeHouse.io. In most cases this is the DATALAKEHOUSE_USER. NB: Be sure this is the login name of the user you have assigned the public key to, as this will be recognized by the key specifically in certain circumstances, such as using the DLH.io Snowflake SOX Compliance dashboards.
- In the Role field, enter the role created in the steps above to give access to DataLakeHouse.io. In most cases this is the DATALAKEHOUSE_ROLE.
- Set the Auth Type field to Key Pair Authentication.
- Copy the private key from
the rsa_key.p8 file that was created in Step 1 above.
- Set Private Key Encrypted to Yes.
- Enter the key passphrase that was set in Step 1 above.
- Click on Save & Test to save the connection and test that we can connect.

If updating the form, click Save & Test or just Test. Clicking on Save & Test will again save any changes, such as a key passphrase change. You will not be able to change the prefix of the schema that will be the target in the destination.

Any test of the connection will attempt to connect to your database with the credentials and info provided. A message of success or failure will be shown:

- On success, you'll be prompted with the schema objects of the database and will need to complete the final steps for configuration shown below.
- On failure, the connection is still saved, but you will need to correct the failure based on the failure reason provided in the message.

Snowflake Network Policy Settings

As mentioned above, if you have configured a Snowflake network policy, please update it to use the DataLakeHouse.io grantlist of IP addresses (https://www.datalakehouse.io/platform/grantlist-ip-addresses/). If you have an existing policy, find the policy name and run the following script:

Modify existing networking policy

Create Sync Bridge

The target connection is now complete. Create a Sync Bridge to replicate data to Snowflake.
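
A pre-flight check for the key files from Steps 1 to 3 and the statement from Step 4, as an added example that is not part of the original guide: it confirms rsa_key.p8 is passphrase-protected and not readable by other accounts, prints the ALTER USER statement, and prints the fingerprint to compare with RSA_PUBLIC_KEY_FP in the output of DESC USER. The function and script names are hypothetical, and the DESC USER comparison comes from Snowflake's key pair documentation rather than from this page.

```bash
#!/usr/bin/env bash
# Added example: helper names are hypothetical; file names follow Steps 1-2.

# Base64 body of a PEM file on one line, without the BEGIN/END lines.
pem_body() {
  grep -v -- '-----' "$1" | tr -d ' \r\n'
}

# True if the private key file carries the encrypted PKCS#8 header.
key_is_encrypted() {
  head -n 1 "$1" | grep -q 'BEGIN ENCRYPTED PRIVATE KEY'
}

# True if group and others have no permissions on the file (e.g. mode 600).
key_perms_ok() {
  [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Print the Step 4 statement; refuse user names or key bodies containing
# characters that do not belong in an unquoted identifier or in base64.
alter_user_sql() {
  local body
  body=$(pem_body "$2")
  case "$1" in ''|*[!A-Za-z0-9_]*) return 1 ;; esac
  case "$body" in ''|*[!A-Za-z0-9+/=]*) return 1 ;; esac
  printf "ALTER USER %s SET RSA_PUBLIC_KEY='%s';\n" "$1" "$body"
}

# Fingerprint in the form Snowflake reports as RSA_PUBLIC_KEY_FP.
pubkey_fingerprint() {
  printf 'SHA256:%s\n' "$(openssl rsa -pubin -in "$1" -outform DER 2>/dev/null |
    openssl dgst -sha256 -binary | openssl enc -base64)"
}

# Usage: ./check_keys.sh <snowflake_user> <key_dir>
if [ "$#" -eq 2 ]; then
  key_is_encrypted "$2/rsa_key.p8" || echo "warning: rsa_key.p8 is not encrypted" >&2
  key_perms_ok "$2/rsa_key.p8" || echo "warning: run chmod 600 $2/rsa_key.p8" >&2
  alter_user_sql "$1" "$2/rsa_key.pub" || { echo "bad user name or key file" >&2; exit 1; }
  echo "-- DESC USER $1 should then show this RSA_PUBLIC_KEY_FP:"
  echo "-- $(pubkey_fingerprint "$2/rsa_key.pub")"
fi
```

If the fingerprint printed here differs from the one DESC USER reports, the public key assigned to the user is not the one paired with rsa_key.p8, and the connection test in Step 5 will fail.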