Version: 9.0

Snowflake Connector Authentication with RSA (JWT)

This guide provides step-by-step instructions for configuring JWT (JSON Web Token) authentication using RSA key pairs for the Snowflake Connector. JWT-based authentication is a secure and scalable alternative to traditional username/password credentials. It enables programmatic access to Snowflake using a public/private key pair, eliminating the need to store passwords in your application or environment.

Steps

  1. Create a private key:

    openssl genpkey -algorithm RSA -out private-key.pem
  2. Generate a public key:

    openssl rsa -pubout -in private-key.pem -out public-key.pem
  3. Assign the public key to the user:

    If RSA_PUBLIC_KEY is already in use, you can use RSA_PUBLIC_KEY_2.

    ALTER USER <SNOWFLAKE_USER> SET RSA_PUBLIC_KEY = '<public_key_contents>';
  4. Add credentials to AWS Secrets Manager:

    • Set userRSA to true.

    • Set privateKey to the contents of the private key generated in step 1, using this format:

      -----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0B...\n-----END PRIVATE KEY-----\n

  5. Verify authentication method:

    Run the following query in your Snowflake cluster to confirm the authentication mechanism:

    SELECT * FROM SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY
    WHERE EVENT_TIMESTAMP >= DATEADD(DAY, -2, CURRENT_TIMESTAMP)
    ORDER BY EVENT_TIMESTAMP DESC;

    The FIRST_AUTHENTICATION_FACTOR column should show RSA_KEY_PAIR for your user.
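The following shell helper is an added example, not part of the original guide. It derives the step 3 value (the public key without its PEM delimiter lines, which is the form Snowflake expects in RSA_PUBLIC_KEY), the single-line privateKey value from step 4, and the SHA256 fingerprint to compare with RSA_PUBLIC_KEY_FP in the output of DESC USER. The function names, the script name and the privateKey.txt output file are assumptions.

```shell
#!/bin/sh
# Added example: helpers for steps 3-5 of this guide. Function names are assumptions.
set -eu

# Step 3: base64 body of a PEM file, BEGIN/END delimiter lines and newlines removed.
pem_body() {
  grep -v -- '-----' "$1" | tr -d '\r\n'
}

# Step 4: whole PEM on one line, every line break written as a literal \n.
pem_to_secret_value() {
  awk '{ sub(/\r$/, ""); printf "%s\\n", $0 }' "$1"
}

# Inverse of pem_to_secret_value: expand literal \n back into a multi-line PEM.
secret_value_to_pem() {
  printf '%b' "$1"
}

# Fingerprint of a public key file, in the form Snowflake shows as
# RSA_PUBLIC_KEY_FP in DESC USER output (SHA256:<base64 digest of the DER key>).
public_key_fingerprint() {
  printf 'SHA256:%s\n' "$(openssl rsa -pubin -in "$1" -outform DER 2>/dev/null |
    openssl dgst -sha256 -binary | openssl enc -base64)"
}

# Usage (hypothetical script name): sh prepare-key.sh private-key.pem public-key.pem
if [ "$#" -eq 2 ]; then
  # Fail early if the stored value would not expand to a key OpenSSL can read.
  secret_value_to_pem "$(pem_to_secret_value "$1")" | openssl pkey -noout
  # Keep the private key off the terminal: write it to an owner-only file.
  ( umask 077; pem_to_secret_value "$1" > privateKey.txt )
  echo "RSA_PUBLIC_KEY value: $(pem_body "$2")"
  echo "Fingerprint:          $(public_key_fingerprint "$2")"
  echo "privateKey value written to privateKey.txt; delete it after upload"
fi
```

A fingerprint that differs from RSA_PUBLIC_KEY_FP means the key registered in step 3 is not the one paired with the private key stored in step 4.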