When creating an environment for a Snowflake data warehouse, you can choose to use key-pair authentication. To use this authentication method, the Snowflake private key must be stored as a secret, as described in this document.
This page covers Snowflake key-pair authentication for environment-level connections only. The plaintext storage guidance on this page does not apply to component-level usage. Components such as Database Query, JDBC Table Metadata to Grid, and Bash Pushdown store private keys as key/value JSON secrets with escaped newlines (\n) instead. Refer to the individual component documentation for those patterns.

Prerequisites

Generate a private and public key in Snowflake and configure your Snowflake user, following the procedure given in the Snowflake documentation.

Storing the private key

If you are running in a Hybrid SaaS deployment model, you must store the private key as a secret within your own infrastructure, in either AWS Secrets Manager or Azure Key Vault. Follow the procedure in the appropriate section below.

If you are running in a Full SaaS deployment model, you must copy the private key into the Private key field when you create your Environment. Copy the full content of the Snowflake private key file you generated, including the header and footer lines.

In a Full SaaS deployment model, your encrypted private key, including the header and footer, should look like this:
-----BEGIN ENCRYPTED PRIVATE KEY-----

[Key value]

-----END ENCRYPTED PRIVATE KEY-----
Add a new line after -----END ENCRYPTED PRIVATE KEY----- to avoid connection or JSON Web Token (JWT) errors.

An unencrypted private key, including the header and footer, should look like this:
-----BEGIN PRIVATE KEY-----

[Key value]

-----END PRIVATE KEY-----
Add a new line after -----END PRIVATE KEY----- to avoid connection or JSON Web Token (JWT) errors.

If your private key has been shared, the format may have been altered. To correct this, run the following command to validate and convert the key to the correct format:
openssl rsa -in key.pem -check
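
The format problems described above (wrong or mismatched header and footer, a key flattened with escaped newlines for a JSON secret, a missing newline after the END line) can be caught with a structural check before the key is pasted or uploaded. This script is an added example, not part of the product documentation; the function name `check_snowflake_pem`, its messages and the sample key body are assumptions, and it does not replace the openssl check above.

```shell
#!/bin/sh
# Added example: structural pre-flight check for a Snowflake private key file
# before it is stored as a plaintext secret. Function name and messages are
# hypothetical. It never prints key material and does not validate the key.
check_snowflake_pem() {
    f=$1; rc=0
    [ -r "$f" ] || { echo "cannot read file"; return 2; }

    # First and last non-blank lines (CRs ignored here, reported separately).
    first=$(tr -d '\r' < "$f" | awk 'NF { print; exit }')
    last=$(tr -d '\r' < "$f" | awk 'NF { l = $0 } END { print l }')
    case $first in
        '-----BEGIN ENCRYPTED PRIVATE KEY-----')
            want='-----END ENCRYPTED PRIVATE KEY-----' ;;
        '-----BEGIN PRIVATE KEY-----')
            want='-----END PRIVATE KEY-----' ;;
        *)  want=''; rc=1
            echo "header is not one of the two expected BEGIN lines" ;;
    esac
    if [ -n "$want" ] && [ "$last" != "$want" ]; then
        rc=1; echo "footer missing or does not match header"
    fi

    # Literal backslash-n: the key was flattened for a key/value JSON secret.
    if grep -q '\\n' "$f"; then
        rc=1; echo "escaped newlines (backslash-n) instead of real line breaks"
    fi
    # Carriage returns from a Windows editor or mail client.
    if grep -q "$(printf '\r')" "$f"; then
        rc=1; echo "CRLF line endings"
    fi
    # The page asks for a newline after the END line.
    if [ $(tail -c 1 "$f" | wc -l) -ne 1 ]; then
        rc=1; echo "no newline after the END line"
    fi
    return $rc
}

# Constructed sample (placeholder body, not a real key): a key copied back out
# of a JSON secret, so it is one long line with literal \n in it.
sample=$(mktemp)
printf '%s\n' '-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----' > "$sample"
check_snowflake_pem "$sample" || echo "fix the file before storing it"
rm -f "$sample"
```

The function returns 0 when the file passes, 1 when it reports a problem and 2 when the file cannot be read, so it can gate a `create-secret` or `secret set` call in a script.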

AWS Secrets Manager

  1. Log in to the AWS account that houses your .
  2. Browse to the Secrets Manager service.
  3. Ensure you’re in the same AWS region as your .
  4. Click Store a new secret.
  5. Click Other type of secret.
  6. Click the Plaintext tab.
  7. Copy the full content, including header and footer, of the Snowflake private key file you generated.
Alternatively, you can run the following code in your terminal, replacing values where appropriate:
aws secretsmanager create-secret \
    --name "MyKeyValueSecretWithPem" \
    --description "Secret with PEM file content" \
    --secret-string "$PEM_CONTENT"
For further details of these processes, read the following AWS documentation:

If your private key is passphrase protected, you will also need to add a secret to store the passphrase.

You now need to add the secrets to Secret definitions in . Read Secrets and secret definitions for details.
  • The private key must be stored as a plaintext secret.
  • You must add a new AWS secret for every private key you want to use.
  • Ensure that the has permissions to use the new secret by giving the ‘s IAM task role permissions to use the new secret. Read AWS IAM roles for details.

Azure Key Vault

When storing a Snowflake private key in Azure Key Vault, you must use the Azure CLI, as using the Azure GUI causes issues with multi-line secrets. Read the Azure documentation for more information. Use the following Azure CLI command to add the private key:
az keyvault secret set --vault-name <vault-name> --name <secret-name> --file <private-key-file-path>
If your private key is passphrase protected, you will also need to add a secret to store the passphrase. You now need to add the secrets to Secret definitions in . Read Secrets and secret definitions for details.