Creating a Keypair for Snowflake
Keypair authentication is useful for services that connect directly to Snowflake. It is a better choice than password authentication because credentials can be rotated without downtime: each user in Snowflake can have 2 public keys associated at any time.
To create a keypair, you can use OpenSSL. This guide uses a web-based version of OpenSSL that was compiled to WebAssembly, but you can run the same commands directly using openssl.
Step 1: Go to https://www.cryptool.org/en/cto/openssl and click on “Generate Keys”.
Step 2: Choose Key type: RSA
Step 3: In the “Generate private key” section, choose 2048-bit Key length, output to file
This automatically generates the first command needed to create the keypair, which generates the private key:
openssl genrsa -out privkey.pem 2048
Step 4: Click Run
Step 5: In the “Derive public key” section, choose Output to file and the Public key output format: PEM format to generate the public key.
openssl rsa -pubout -in /privkey.pem -outform PEM -out pubkey.pem
Step 6: Click Run
Step 7: Go to the Files section and Download the privkey.pem and the pubkey.pem files.
Open pubkey.pem in your favorite text editor. The file will look like this:
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2lN+3ajOnQSiwTP82c12
u1da2sTyOzAqLLVlAcnpSvrWKD21lYX+3DFlCOvOoNz8byzCmXgM+p5Sygtus02y
ko3ANe/IvPWPWxjs/p+BOo7enpBxKn5qAgf0D8g9Lvnzrv/QYZpvW70EzlOWyYUC
4C+9MECa6xkC8/OdmtPhq5gb37D18ewJm+BZr8txffjpmoPoVi+hmQMBb8YsLz6L
YJSeeAoxjyfu/pEmd9tnIgGzPpx+uf6bI/fA9AR89xXxZn6+2QqH0FIGbDTd19XA
Z+8zaJGAMNjnq4+RBtH57Fxx8P7x/LJhuIcpvXHce5z3w11ENKzizOEVbXU5Qs0P
wwIDAQAB
-----END PUBLIC KEY-----
To set this public key on a user in Snowflake, run the following SQL in Snowsight. You have to remove the first and last lines (the BEGIN and END markers) as well as the line breaks.
ALTER USER <USERNAME> SET RSA_PUBLIC_KEY='MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2lN+3ajOnQSiwTP82c12u1da2sTyOzAqLLVlAcnpSvrWKD21lYX+3DFlCOvOoNz8byzCmXgM+p5Sygtus02yko3ANe/IvPWPWxjs/p+BOo7enpBxKn5qAgf0D8g9Lvnzrv/QYZpvW70EzlOWyYUC4C+9MECa6xkC8/OdmtPhq5gb37D18ewJm+BZr8txffjpmoPoVi+hmQMBb8YsLz6LYJSeeAoxjyfu/pEmd9tnIgGzPpx+uf6bI/fA9AR89xXxZn6+2QqH0FIGbDTd19XAZ+8zaJGAMNjnq4+RBtH57Fxx8P7x/LJhuIcpvXHce5z3w11ENKzizOEVbXU5Qs0PwwIDAQAB';
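The conversion described above (dropping the BEGIN/END lines and the line breaks), as an added Python example that is not part of the original guide. It also refuses a private-key file pasted by mistake and computes the SHA-256 fingerprint that can be compared with the RSA_PUBLIC_KEY_FP value in DESC USER output; the SVC_LOADER user name is made up.

```python
import base64
import hashlib
import re

# Sample input: the pubkey.pem contents shown on this page.
SAMPLE_PEM = """-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2lN+3ajOnQSiwTP82c12
u1da2sTyOzAqLLVlAcnpSvrWKD21lYX+3DFlCOvOoNz8byzCmXgM+p5Sygtus02y
ko3ANe/IvPWPWxjs/p+BOo7enpBxKn5qAgf0D8g9Lvnzrv/QYZpvW70EzlOWyYUC
4C+9MECa6xkC8/OdmtPhq5gb37D18ewJm+BZr8txffjpmoPoVi+hmQMBb8YsLz6L
YJSeeAoxjyfu/pEmd9tnIgGzPpx+uf6bI/fA9AR89xXxZn6+2QqH0FIGbDTd19XA
Z+8zaJGAMNjnq4+RBtH57Fxx8P7x/LJhuIcpvXHce5z3w11ENKzizOEVbXU5Qs0P
wwIDAQAB
-----END PUBLIC KEY-----
"""

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

def public_key_body(pem_text):
    """Return the single-line base64 body of a PUBLIC KEY PEM block."""
    match = PEM_RE.search(pem_text)
    if match is None:
        raise ValueError("no PEM block found")
    label, body = match.group(1), "".join(match.group(2).split())
    if label != "PUBLIC KEY":
        # Catches privkey.pem (PRIVATE KEY / RSA PRIVATE KEY) pasted by mistake.
        raise ValueError(f"refusing PEM block of type {label!r}")
    der = base64.b64decode(body, validate=True)  # rejects stray characters
    if not der or der[0] != 0x30:  # DER-encoded key starts with a SEQUENCE tag
        raise ValueError("body is not DER-encoded key material")
    return body

def fingerprint(body):
    """SHA-256 over the DER bytes, in SHA256:<base64> form."""
    digest = hashlib.sha256(base64.b64decode(body)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii")

def alter_user_sql(username, body):
    """Build the ALTER USER statement; username must be a plain identifier."""
    if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_$]*", username):
        raise ValueError("unexpected characters in username")
    return f"ALTER USER {username} SET RSA_PUBLIC_KEY='{body}';"

if __name__ == "__main__":
    body = public_key_body(SAMPLE_PEM)
    print(alter_user_sql("SVC_LOADER", body))  # SVC_LOADER is a made-up name
    print(fingerprint(body))  # compare with RSA_PUBLIC_KEY_FP from DESC USER
```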
To test the keypair, you can use SnowSQL.
Start snowsql with private_key_path set to the downloaded privkey.pem, along with your account name and username. A successful connection validates that your keypair is working as intended. Now keep your private key secure and make a plan for your rotation schedule.