
Using Snowflake key-pair authentication

When creating an environment for a Snowflake data warehouse, you can choose to use key-pair authentication. To use this authentication method, the Snowflake private key must be stored as a secret, as described in this document.


Prerequisites

Generate a private and public key in Snowflake and configure your Snowflake user, following the procedure given in the Snowflake documentation.


Storing the private key

If you are running the Data Productivity Cloud in a Hybrid SaaS deployment model, you must store the private key as a secret within your own infrastructure, in either an AWS Secrets Manager or an Azure Key Vault. Follow the procedure in the appropriate section below.

If you are running the Data Productivity Cloud in a Full SaaS deployment model, you must copy the private key into the Private key field when you create your Project or Environment. Ensure that you copy the full content of the Snowflake private key file you generated, including the header and footer lines.


AWS Secrets Manager

  1. Log in to the AWS account that houses your agent.
  2. Browse to the Secrets Manager service.
  3. Ensure you're in the same AWS region as your agent.
  4. Click Store a new secret.
  5. Click Other type of secret.
  6. Click the Plaintext tab.
  7. Copy the full content, including header and footer, of the Snowflake private key file you generated.

Alternatively, you can run the following code in your terminal, replacing values where appropriate:

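# Join the PEM lines with literal "\n" sequences so the key fits in a JSON string value.
PEM_CONTENT=$(awk '{printf "%s\\n", $0}' /path/to/your/file.pem)

# Create the secret, storing the key under the "pem" field.
aws secretsmanager create-secret \
    --name "MyKeyValueSecretWithPem" \
    --description "Secret with PEM file content" \
    --secret-string "{\"pem\":\"$PEM_CONTENT\"}"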

For further details of these processes, read the AWS documentation.

If your private key is passphrase protected, you will also need to add a secret to store the passphrase.

You now need to add the secrets to Secret definitions in the Data Productivity Cloud. Read Secret definitions for details.

Note

  • The private key must be stored as a plaintext secret.
  • You must add a new AWS secret for every private key you want to use.
  • Ensure that the agent can use the new secret by granting the agent's IAM task role permission to access it. Read AWS IAM roles for details.

Azure Key Vault

When storing a Snowflake private key in Azure Key Vault, you must use the Azure CLI, as using the Azure GUI causes issues with multi-line secrets. Read the Azure documentation for more information.

Use the following Azure CLI command to add the private key:

az keyvault secret set --vault-name <vault-name> --name <secret-name> --file <private-key-file-path>

If your private key is passphrase protected, you will also need to add a secret to store the passphrase.

You now need to add the secrets to Secret definitions in the Data Productivity Cloud. Read Secret definitions for details.
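
The following pre-flight check is an added example, not part of the original documentation or the product. It confirms that a key file still has its header and footer lines and reports whether the key is passphrase protected, which determines whether a second secret for the passphrase is needed. The function name `check_snowflake_pem` is hypothetical, and the check assumes a PKCS#8 PEM file with a `PRIVATE KEY` or `ENCRYPTED PRIVATE KEY` header.

```shell
# Pre-flight check for a Snowflake private key file before storing it as a secret.
# Assumption: PKCS#8 PEM ("PRIVATE KEY" or "ENCRYPTED PRIVATE KEY" header).
# Prints "unencrypted" or "encrypted" and returns 0; returns 1 on any problem.
check_snowflake_pem() {
    pem_file=$1
    [ -r "$pem_file" ] || { echo "cannot read $pem_file" >&2; return 1; }

    # Windows line endings would be stored inside the secret value.
    if grep -q "$(printf '\r')" "$pem_file"; then
        echo "file contains carriage returns" >&2; return 1
    fi

    # Ignore blank lines, then take header, footer and the body between them.
    lines=$(grep -v '^[[:space:]]*$' "$pem_file" || true)
    first=$(printf '%s\n' "$lines" | head -n 1)
    last=$(printf '%s\n' "$lines" | tail -n 1)
    body=$(printf '%s\n' "$lines" | sed '1d;$d')

    case $first in
        '-----BEGIN PRIVATE KEY-----')
            kind=unencrypted; footer='-----END PRIVATE KEY-----' ;;
        '-----BEGIN ENCRYPTED PRIVATE KEY-----')
            kind=encrypted; footer='-----END ENCRYPTED PRIVATE KEY-----' ;;
        *)  echo "header line missing or not PKCS#8" >&2; return 1 ;;
    esac
    [ "$last" = "$footer" ] || { echo "footer line missing or mismatched" >&2; return 1; }

    # The body must be non-empty base64 text.
    [ -n "$body" ] || { echo "key body is empty" >&2; return 1; }
    if printf '%s\n' "$body" | grep -q '[^A-Za-z0-9+/=]'; then
        echo "key body contains non-base64 characters" >&2; return 1
    fi

    # "encrypted" means a second secret is needed for the passphrase.
    echo "$kind"
}

# Constructed sample (not a real key) so the block runs stand-alone.
sample=$(mktemp)
printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
    '-----END ENCRYPTED PRIVATE KEY-----' > "$sample"
check_snowflake_pem "$sample"   # prints: encrypted
rm -f "$sample"
```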