Key Pair Authentication & Key Pair Rotation

This topic describes using key pair authentication and key pair rotation in Snowflake.

In this Topic:

Overview

Snowflake supports using key pair authentication for enhanced authentication security as an alternative to basic authentication (i.e. username and password).

This authentication method requires, as a minimum, a 2048-bit RSA key pair. You can generate the Privacy Enhanced Mail (i.e. PEM) private-public key pair using OpenSSL. Some of the Supported Snowflake Clients allow using encrypted private keys to connect to Snowflake. The public key is assigned to the Snowflake user who uses the Snowflake client to connect and authenticate to Snowflake.

Snowflake also supports rotating public keys in an effort to allow compliance with more robust security and governance postures.

Supported Snowflake Clients

The following table summarizes support for key pair authentication among Snowflake Clients. A checkmark (i.e. ✔) indicates full support. A missing checkmark indicates key pair authentication is not supported.

Client

Key Pair Authentication

Key Pair Rotation

Unencrypted Private Keys

SnowSQL (CLI Client)

Snowflake Connector for Python

Snowflake Connector for Spark

Snowflake Connector for Kafka

Go driver

JDBC Driver

ODBC Driver

Node.js Driver

.NET Driver

Configuring Key Pair Authentication

Complete the following steps to configure key pair authentication for all supported Snowflake clients.

Step 1: Generate the Private Key

Depending on which one of the Supported Snowflake Clients you use to connect to Snowflake, you have the option to generate encrypted or unencrypted private keys. Generally, it is safer to generate encrypted keys. Snowflake recommends communicating with your internal security and governance officers to determine which key type to generate prior to completing this step.

Tip

The command to generate an encrypted key prompts for a passphrase to regulate access to the key. Snowflake recommends using a passphrase that complies with PCI DSS standards to protect the locally generated private key. Additionally, Snowflake recommends storing the passphrase in a secure location. If using an encrypted key to connect to Snowflake, you will input the passphrase during the initial connection. The passphrase is only used for protecting the private key and will never be sent to Snowflake.

To generate a long and complex passphrase based on PCI DSS standards:

  1. Access the PCI Security Standards Document Library.

  2. For PCI DSS, select the most recent version and your desired language.

  3. Complete the form to access the document.

  4. Search for Passwords/passphrases must meet the following: and follow the recommendations for password/passphrase requirements, testing, and guidance. Depending on the document version, the phrase is likely located in a section called Requirement 8: Identify and authenticate access to system components (or similar name).

To start, open a terminal window and generate a private key.

You can generate either an encrypted version of the private key or an unencrypted version of the private key.

To generate an unencrypted version, use the following command:

$ openssl genrsa 2048 | openssl pkcs8 -topk8 -inform PEM -out rsa_key.p8 -nocrypt

To generate an encrypted version, use the following command (which omits “-nocrypt”):

$ openssl genrsa 2048 | openssl pkcs8 -topk8 -inform PEM -out rsa_key.p8

The commands generate a private key in PEM format.

-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIE6TAbBgkqhkiG9w0BBQMwDgQILYPyCppzOwECAggABIIEyLiGSpeeGSe3xHP1
wHLjfCYycUPennlX2bd8yX8xOxGSGfvB+99+PmSlex0FmY9ov1J8H1H9Y3lMWXbL
...
-----END ENCRYPTED PRIVATE KEY-----

Step 2: Generate a Public Key

From the command line, generate the public key by referencing the private key. The following command assumes the private key is encrypted and contained in the file named rsa_key.p8.

$ openssl rsa -in rsa_key.p8 -pubout -out rsa_key.pub

The command generates the public key in PEM format.

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAy+Fw2qv4Roud3l6tjPH4
zxybHjmZ5rhtCz9jppCV8UTWvEXxa88IGRIHbJ/PwKW/mR8LXdfI7l/9vCMXX4mk
...
-----END PUBLIC KEY-----

Step 3: Store the Private and Public Keys Securely

Copy the public and private key files to a local directory for storage. Record the path to the files. Note that the private key is stored using the PKCS#8 (Public Key Cryptography Standards) format and is encrypted using the passphrase you specified in the previous step.

However, the file should still be protected from unauthorized access using the file permission mechanism provided by your operating system. It is your responsibility to secure the file when it is not being used.

Step 4: Assign the Public Key to a Snowflake User

Execute an ALTER USER command to assign the public key to a Snowflake user.

ALTER USER jsmith SET RSA_PUBLIC_KEY='MIIBIjANBgkqh...';

Note

  • Only security administrators (i.e. users with the SECURITYADMIN role) or higher can alter a user.

  • Exclude the public key delimiters in the SQL statement.

Step 5: Verify the User’s Public Key Fingerprint

Execute a DESCRIBE USER command to verify the user’s public key fingerprint.

DESC USER jsmith;
+---------------------+-----------------------------------------------------+---------+----------------------------------------------+
| property            | value                                               | default | description                                  |
+---------------------+-----------------------------------------------------+---------+----------------------------------------------+
| NAME                | JSMITH                                              | null    | Name                                         |
...
...
| RSA_PUBLIC_KEY_FP   | SHA256:nvnONUsfiuycCLMXIEWG4eTp4FjhVUZQUQbNpbSHXiA= | null    | Fingerprint of user's RSA public key.        |
| RSA_PUBLIC_KEY_2_FP | null                                                | null    | Fingerprint of user's second RSA public key. |
+---------------------+-----------------------------------------------------+---------+----------------------------------------------+

Note

The RSA_PUBLIC_KEY_2_FP property is described in Configuring Key Pair Rotation.

Step 6: Configure the Snowflake Client to Use Key Pair Authentication

Update the client to use key pair authentication to connect to Snowflake.

Configuring Key Pair Rotation

Snowflake supports multiple active keys to allow for uninterrupted rotation. Rotate and replace your public and private keys based on the expiration schedule you follow internally.

Currently, you can use the RSA_PUBLIC_KEY and RSA_PUBLIC_KEY_2 parameters for ALTER USER to associate up to 2 public keys with a single user.

Complete the following steps to configure key pair rotation and rotate your keys.

  1. Complete all steps in Configuring Key Pair Authentication with the following updates:

    • Generate a new private and public key set.

    • Assign the public key to the user. Set the public key value to either RSA_PUBLIC_KEY or RSA_PUBLIC_KEY_2 (whichever key value is not currently in use). For example:

      alter user jsmith set rsa_public_key_2='JERUEHtcve...';
      
  2. Update the code to connect to Snowflake. Specify the new private key.

    Snowflake verifies the correct active public key for authentication based on the private key submitted with your connection information.

  3. Remove the old public key from the user profile using an ALTER USER command.

    alter user jsmith unset rsa_public_key;