Skip to main content
When creating an environment for a Snowflake data warehouse, you can choose to use key-pair authentication. To use this authentication method, the Snowflake private key must be stored as a secret, as described in this document.

Prerequisites

Generate a private and public key in Snowflake and configure your Snowflake user, following the procedure given in the Snowflake documentation.

Video example

Storing the private key

If you are running in a Hybrid SaaS deployment model, you must store the private key as a secret within your own infrastructure, in either an AWS Secrets Manager or an Azure Key Vault. Follow the procedure in the appropriate section below. If you are running in a Full SaaS deployment model, you must copy the private key into the Private key field when you create your Environment. Copy the full content of the Snowflake private key file you generated, including the header and footer lines. In a Full SaaS deployment model, your encrypted private key, including the header and footer, should look like this: 
-----BEGIN ENCRYPTED PRIVATE KEY-----

[Key value]

-----END ENCRYPTED PRIVATE KEY-----
Add a new line after --- END ENCRYPTED PRIVATE KEY --- to avoid connection or JSON Web Token (JWT) errors. An unencrypted private key, including the header and footer, should look like this: 
-----BEGIN PRIVATE KEY-----

[Key value]

-----END PRIVATE KEY-----
Add a new line after --- END PRIVATE KEY --- to avoid connection or JSON Web Token (JWT) errors.
If your private key has been shared, the format may have been altered. To correct this, run the following command to validate and convert the key to the correct format:
openssl rsa -in key.pem -check

AWS Secrets Manager

  1. Log in to the AWS account that houses your .
  2. Browse to the Secrets Manager service.
  3. Ensure you’re in the same AWS region as your .
  4. Click Store a new secret.
  5. Click Other type of secret.
  6. Click the Plaintext tab.
  7. Copy the full content, including header and footer, of the Snowflake private key file you generated.
Alternatively, you can run the following code in your terminal, replacing values where appropriate: 
aws secretsmanager create-secret \
    --name "MyKeyValueSecretWithPem" \
    --description "Secret with PEM file content" \
    --secret-string "$PEM_CONTENT"
For further details of these processes, read the following AWS documentation: If your private key is passphrase protected, you will also need to add a secret to store the passphrase. You now need to add the secrets to Secret definitions in . Read Secrets and secret definitions for details.
  • The private key must be stored as a plaintext secret.
  • You must add a new AWS secret for every private key you want to use.
  • Ensure that the has permissions to use the new secret by giving the ‘s IAM task role permissions to use the new secret. Read AWS IAM roles for details.

Azure Key Vault

When storing a Snowflake private key in Azure Key Vault, you must use the Azure CLI, as using the Azure GUI causes issues with multi-line secrets. Read the Azure documentation for more information. Use the following Azure CLI command to add the private key: 
az keyvault secret set --vault-name <vault-name> --name <secret-name> --file <private-key-file-path>
If your private key is passphrase protected, you will also need to add a secret to store the passphrase. You now need to add the secrets to Secret definitions in . Read Secrets and secret definitions for details.