Using Snowflake key-pair authentication

When creating an environment for a Snowflake data warehouse, you can choose to use key-pair authentication. To use this authentication method, the Snowflake private key must be stored as a secret, as described in this document.

This document assumes you are running the Data Productivity Cloud in a Hybrid SaaS deployment model, which means you are storing secrets within your own infrastructure.


Prerequisites

Generate a private and public key in Snowflake and configure your Snowflake user, following the procedure given in the Snowflake documentation.

The private key must be stored in your AWS Secrets Manager or Azure Key Vault. Follow the appropriate steps given below.


AWS Secrets Manager

  1. Log in to the AWS account that houses your agent.
  2. Browse to the Secrets Manager service.
  3. Ensure you're in the same AWS region as your agent.
  4. Click Store a new secret.
  5. Click Other type of secret.
  6. Click the Plaintext tab.
  7. Copy the full content, including header and footer, of the Snowflake private key file you generated.

Alternatively, you can run the following code in your terminal, replacing values where appropriate:

PEM_CONTENT=$(awk '{printf "%s\\n", $0}' /path/to/your/file.pem)

aws secretsmanager create-secret \
    --name "MyKeyValueSecretWithPem" \
    --description "Secret with PEM file content" \
    --secret-string "{\"pem\":\"$PEM_CONTENT\"}"

For further details of these processes, read the AWS documentation.

If your private key is passphrase protected, you will also need to add a secret to store the passphrase.
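A pre-flight check for the key file, added here as an example and not taken from the product documentation: it confirms that the header and footer are both present and reports whether the key is passphrase protected, so you know whether a second secret is needed. It assumes the key is in PKCS#8 PEM format; `pem_kind` is a hypothetical helper name, and the same check applies before running the Azure CLI command.

```shell
# Added example. Classifies a private key file before it is stored as a secret.
# Assumption: PKCS#8 PEM. Prints one of: unencrypted | encrypted | invalid
pem_kind() {
    [ -r "$1" ] || { echo invalid; return 1; }
    # Drop carriage returns and blank lines so only key content is judged
    pk_clean=$(tr -d '\r' < "$1" | sed '/^[[:space:]]*$/d')
    pk_first=$(printf '%s\n' "$pk_clean" | sed -n '1p')
    pk_last=$(printf '%s\n' "$pk_clean" | sed -n '$p')
    pk_body=$(printf '%s\n' "$pk_clean" | sed '1d;$d')
    # The body between header and footer must be non-empty base64
    if [ -z "$pk_body" ] || printf '%s\n' "$pk_body" | grep -q '[^A-Za-z0-9+/=]'; then
        echo invalid; return 1
    fi
    # Header and footer must both be present and must match each other
    case "$pk_first|$pk_last" in
        "-----BEGIN PRIVATE KEY-----|-----END PRIVATE KEY-----")
            echo unencrypted ;;
        "-----BEGIN ENCRYPTED PRIVATE KEY-----|-----END ENCRYPTED PRIVATE KEY-----")
            echo encrypted ;;
        *)
            echo invalid; return 1 ;;
    esac
}

# Usage: sh check_key.sh /path/to/your/file.pem
if [ $# -gt 0 ]; then
    case $(pem_kind "$1") in
        unencrypted) echo "OK: store the private key secret only." ;;
        encrypted)   echo "OK: store the private key, plus a second secret for the passphrase." ;;
        *)           echo "Incomplete PEM file: check header, footer and body." >&2; exit 1 ;;
    esac
else
    # No argument: run on a constructed sample (the body is not a real key)
    demo=$(mktemp)
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
        '-----END ENCRYPTED PRIVATE KEY-----' > "$demo"
    echo "constructed sample: $(pem_kind "$demo")"
    rm -f "$demo"
fi
```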

You now need to add the secrets to Secret definitions in the Data Productivity Cloud. Read Secret definitions for details.

Note

  • The private key must be stored as a plaintext secret.
  • You must add a new AWS secret for every private key you want to use.
  • Ensure that the agent has permissions to use the new secret by giving the agent's IAM task role permissions to use the new secret. Read AWS IAM roles for details.

Azure Key Vault

When storing a Snowflake private key in Azure Key Vault, you must use the Azure CLI, as using the Azure GUI causes issues with multi-line secrets. Read the Azure documentation for more information.

Use the following Azure CLI command to add the private key:

az keyvault secret set --vault-name <vault-name> --name <secret-name> --file <private-key-file-path>

If your private key is passphrase protected, you will also need to add a secret to store the passphrase.

You now need to add the secrets to Secret definitions in the Data Productivity Cloud. Read Secret definitions for details.