Key pair authentication is a secure way to access your Snowflake data warehouse without relying solely on traditional username and password authentication. This step-by-step guide walks you through setting up key pair authentication in Snowflake. It also details how to install OpenSSL, a crucial tool for generating the necessary key pair.
This is not SSO for Snowflake; however, it does apply to View Security in Snowflake. In addition, this topic is part of a Snowflake Health Check.
Prerequisites:
Before we begin, ensure you have the following prerequisites in place:
- A Snowflake account with the ACCOUNTADMIN privilege.
- A computer running a supported operating system (Windows, macOS, or Linux).
- Basic knowledge of the command line interface.
Step 1: Install OpenSSL
OpenSSL is an open-source tool that allows you to generate cryptographic keys and certificates. You must use it to create the key pair for Snowflake.
If OpenSSL is not installed on your local computer or virtual machine, follow the instructions below for your operating system. If OpenSSL is already installed, skip to Step 2: Create Private Key:
- For Windows:
  - Run the installer and follow the installation instructions.
- For macOS:
  - Paste the text into your Terminal window and press the Enter key to run it. It will take several minutes, and you will be prompted to enter your Mac password during the install process.
- For Linux:
  - Open your terminal and run the following commands to install OpenSSL:
    sudo apt-get update
    sudo apt-get install openssl
  - Follow the installation prompts.
Step 2: Create Private Key
With OpenSSL installed, an RSA key pair must be generated. The private key will be stored securely on your machine, while the public key will be uploaded to Snowflake.
Open a Terminal window and enter the command below. Depending on your security and governance requirements, you can generate either an encrypted or an unencrypted key. When in doubt about security guidelines, use an encrypted key.
For an encrypted key, use the following command:
openssl genrsa 2048|openssl pkcs8 -topk8 -v2 des3 -inform PEM -out rsa_key.p8
Step 3: Create Public Key
Enter the following command in your Terminal window:
openssl rsa -in rsa_key.p8 -pubout -out rsa_key.pub
Step 4: Store Private and Public Keys Securely
Make sure you know where your keys are stored, because you will need the file path later. If you completed the earlier steps, the files will be stored in a path similar to the one below on your local machine. At this point you will find the two files created in the steps above: rsa_key.p8 and rsa_key.pub
- Folder Path: /Users/<Your Mac Username>/code/build-from-src/openssl-1.1.1d/
The private key (rsa_key.p8) is stored encrypted with the passphrase you specified in Step 2. The format of the files, when opened with a text editor, is shown below.
- The .p8 extension signifies a simple text file containing a public/private key. You can open it with any text editor (TextEdit, vim, Sublime Text) to see your key.
- TextEdit is a built-in utility on the Mac and is found under Launchpad. Type in TextEdit to search within Launchpad.
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIE6TAbBgkqhkiG9w0BBQMwDgQILYPyCppzOwECAggABIIEyLiGSpeeGSe3xHP1
wHLjfCYycUPennlX2bd8yX8xOxGSGfvB+99+PmSlex0FmY9ov1J8H1H9Y3lMWXbL
...
-----END ENCRYPTED PRIVATE KEY-----
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAy+Fw2qv4Roud3l6tjPH4
zxybHjmZ5rhtCz9jppCV8UTWvEXxa88IGRIHbJ/PwKW/mR8LXdfI7l/9vCMXX4mk
...
-----END PUBLIC KEY-----
Step 5: Set your Public Key to your Snowflake User
You must use the ACCOUNTADMIN role to make edits to a user. You can view your current role in the top right corner under your name. If you have the rights, change your role now by entering the following command in your worksheet or by clicking on the user setting bar in the top right corner of your worksheet:
use role accountadmin;
Then enter the following command in your worksheet to assign the public key (rsa_key.pub) you created in Step 3 to your Snowflake user, replacing <username> with the name of that user. Make sure to copy your own public key (rsa_key.pub) and not the one below.
alter user <username> set rsa_public_key='MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAy+Fw2qv4Roud3l6tjPH4 zxybHjmZ5rhtCz9jppCV8UTWvEXxa88IGRIHbJ/PwKW/mR8LXdfI7l/9vCMXX4mk';
Note: If you do not have, or cannot get, admin rights with the above command, it’s likely you do not have the permissions you need. Please reach out to the Admin of your Snowflake account to request the access you need.
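The following is an added example, not part of the original guide: shell helpers that prepare and check the files from Steps 2 to 4. The function names are hypothetical. It assumes the rsa_public_key value is pasted without the BEGIN/END delimiter lines, and that the fingerprint is compared against the RSA_PUBLIC_KEY_FP property shown by DESC USER after Step 5.

```shell
#!/bin/sh
# Added example; function names are hypothetical helpers, not Snowflake tooling.

# Print the public key as one line with the BEGIN/END delimiter lines removed,
# ready to paste between the quotes of rsa_public_key='...'.
pubkey_body() {
    grep -v -e '-----' "$1" | tr -d '\r\n'
}

# Print the key's fingerprint as "SHA256:<base64>": the SHA-256 digest of the
# DER-encoded public key, base64-encoded.
pubkey_fingerprint() {
    # Refuse files that do not parse as an RSA public key.
    openssl rsa -pubin -in "$1" -noout 2>/dev/null || return 1
    fp=$(openssl rsa -pubin -in "$1" -outform DER 2>/dev/null |
        openssl dgst -sha256 -binary | openssl enc -base64)
    printf 'SHA256:%s\n' "$fp"
}

# Succeed only when group and other have no permissions on the file.
private_key_is_locked_down() {
    [ "$(ls -lL "$1" | cut -c5-10)" = "------" ]
}

# When run in the directory holding the files from Steps 2 and 3,
# print both values and warn about loose private key permissions.
if [ -f rsa_key.pub ] && [ -f rsa_key.p8 ]; then
    echo "rsa_public_key value: $(pubkey_body rsa_key.pub)"
    echo "expected RSA_PUBLIC_KEY_FP: $(pubkey_fingerprint rsa_key.pub)"
    private_key_is_locked_down rsa_key.p8 ||
        echo "warning: tighten access with: chmod 600 rsa_key.p8" >&2
fi
```

If the fingerprint printed here differs from the one Snowflake reports for the user, the key assigned in Step 5 is not the one in rsa_key.pub.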
Test Key Pair Authentication
You’re all set! Now, test the key pair authentication by connecting to Snowflake using your Snowflake client. You should be able to log in without entering a password. Sign up for a FREE DataLakeHouse.io account and test your key pair Snowflake authentication now!
Congratulations! You have successfully set up key pair authentication in Snowflake, enhancing the security of your data warehouse.
In summary, key pair authentication provides an extra layer of security for accessing Snowflake, and by following these steps, you can implement it with ease. Enjoy the added security and peace of mind in your Snowflake data operations.