> ## Documentation Index
> Fetch the complete documentation index at: https://docs.maia.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Using Snowflake key-pair authentication

export const m_runner = "Maia runner";

export const maia = "Maia";

When [creating an environment](/docs/guides/environments#specify-cloud-data-warehouse-credentials) for a Snowflake data warehouse, you can choose to use key-pair authentication. To use this authentication method, the Snowflake private key must be stored as a secret, as described in this document.

<Note>This page covers Snowflake key-pair authentication for *environment-level connections* only. The plaintext storage guidance on this page does not apply to component-level usage. Components such as [Database Query](/docs/components/database-query), [JDBC Table Metadata to Grid](/docs/components/jdbc-table-metadata-to-grid), and [Bash Pushdown](/docs/components/bash-pushdown) store private keys as key/value JSON secrets with escaped newlines (`\n`) instead. Refer to the individual component documentation for those patterns.</Note>

***

## Prerequisites

Generate a private and public key in Snowflake and configure your Snowflake user, following the procedure given in the [Snowflake documentation](https://docs.snowflake.com/en/user-guide/key-pair-auth#configuring-key-pair-authentication).

***

## Video example

<iframe width="560" height="315" src="https://www.youtube.com/embed/vpaMZiwmXQM?si=CWCDSMPZ7ga5DqAu&enablejsapi=1" title="YouTube video player" frameBorder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share; fullscreen" referrerPolicy="strict-origin-when-cross-origin" allowFullScreen />

***

## Storing the private key

If you are running {maia} in a [Hybrid SaaS](/docs/guides/runner-overview#hybrid-saas) deployment model, you must store the private key as a secret within your own infrastructure, in either [AWS Secrets Manager](#aws-secrets-manager) or [Azure Key Vault](#azure-key-vault). Follow the procedure in the appropriate section below.

If you are running {maia} in a [Full SaaS](/docs/guides/runner-overview#matillion-full-saas) deployment model, you must copy the private key into the **Private key** field when you create your [Environment](/docs/guides/environments#key-pair). Copy the full content of the Snowflake private key file you generated, including the header and footer lines.

An *encrypted* private key, including the header and footer, should look like this. The same format applies whether you paste the key into the **Private key** field (Full SaaS) or store it as a secret (Hybrid SaaS):

```
-----BEGIN ENCRYPTED PRIVATE KEY-----
[Key value]
-----END ENCRYPTED PRIVATE KEY-----
```

Make sure there is a newline after `-----END ENCRYPTED PRIVATE KEY-----`; a missing final newline causes connection or JSON Web Token (JWT) errors.

An *unencrypted* private key, including the header and footer, should look like this:

```
-----BEGIN PRIVATE KEY-----
[Key value]
-----END PRIVATE KEY-----
```

Make sure there is a newline after `-----END PRIVATE KEY-----`; a missing final newline causes connection or JSON Web Token (JWT) errors.

<Note>
  If the private key has been passed around (for example, pasted into an email or chat message), its line breaks may have been altered. Run the following command to check that the key still parses; it prints `RSA key ok` followed by the re-encoded key (add `-noout` if you only want the check):

  ```
  openssl rsa -in key.pem -check
  ```

  The key must remain in PKCS#8 format, which is what the `BEGIN PRIVATE KEY` and `BEGIN ENCRYPTED PRIVATE KEY` headers above denote. If your key file instead starts with `BEGIN RSA PRIVATE KEY`, convert it with `openssl pkcs8 -topk8 -in key.pem -out rsa_key.p8 -nocrypt` (omit `-nocrypt` to be prompted for a passphrase and produce an encrypted key).
</Note>
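The checks described above can be scripted so that a key file is verified before it is pasted into the **Private key** field or stored as a secret. The following function is an added example and not part of the Maia documentation or product; it checks the header/footer pair, the newline after the footer, CRLF line endings, and that the body is base64 text. File names and messages are illustrative.

```shell
# Added example (not Maia tooling): sanity-check a Snowflake private key file
# against the format this page requires. Exit status 0 = ok, 1 = problem
# (reason on stderr). Usage: check_pem_format rsa_key.p8
fail() { printf '%s\n' "$*" >&2; }

check_pem_format() {
    f="$1"
    [ -r "$f" ] || { fail "cannot read $f"; return 1; }

    # Windows line endings leave a \r on every line, so the header never
    # matches and the key is rejected; report it explicitly.
    if grep -q "$(printf '\r')" "$f"; then
        fail "$f: CRLF line endings; fix with: tr -d '\r' < $f > fixed.p8"
        return 1
    fi

    first=$(head -n 1 "$f")
    last=$(tail -n 1 "$f")   # works with or without a trailing newline

    # Only PKCS#8 headers (the ones shown on this page) are accepted.
    case "$first" in
        '-----BEGIN ENCRYPTED PRIVATE KEY-----') expected='-----END ENCRYPTED PRIVATE KEY-----' ;;
        '-----BEGIN PRIVATE KEY-----')           expected='-----END PRIVATE KEY-----' ;;
        '-----BEGIN RSA PRIVATE KEY-----')
            fail "$f: PKCS#1 header; convert with: openssl pkcs8 -topk8 -in $f -out rsa_key.p8 -nocrypt"
            return 1 ;;
        *)  fail "$f: unrecognised first line: $first"; return 1 ;;
    esac
    [ "$last" = "$expected" ] || { fail "$f: footer '$last' does not match header"; return 1; }

    # The page requires a newline after the footer: the file's last byte must be LF.
    [ "$(tail -c 1 "$f" | wc -l)" -eq 1 ] \
        || { fail "$f: no newline after footer (causes connection/JWT errors)"; return 1; }

    # Everything between header and footer must be base64 text: no spaces, no stray characters.
    if sed '1d;$d' "$f" | grep -qv '^[A-Za-z0-9+/=]*$'; then
        fail "$f: body contains non-base64 characters"
        return 1
    fi
    return 0
}
```

Run it on the file you are about to store; a zero exit status means the header, footer, line endings and trailing newline match what this page describes. It does not validate the key mathematically, so keep the `openssl rsa -check` step above for that.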

***

## AWS Secrets Manager

1. Log in to the AWS account that houses your {m_runner}.
2. Browse to the Secrets Manager service.
3. Ensure you're in the same AWS region as your {m_runner}.
4. Click **Store a new secret**.
5. Click **Other type of secret**.
6. Click the **Plaintext** tab.
7. Paste the full content of the Snowflake private key file you generated, including the header and footer lines and the newline after the footer, into the **Plaintext** box.
8. Click **Next**, enter a **Secret name**, and continue through the remaining steps to store the secret.

Alternatively, you can run the following AWS CLI command in your terminal, replacing the region, secret name and file path where appropriate. The `file://` prefix tells the CLI to read the secret value from the file exactly as written, so the line breaks and the newline after the footer are preserved:

```
aws secretsmanager create-secret \
    --region "<runner-region>" \
    --name "MyKeyValueSecretWithPem" \
    --description "Secret with PEM file content" \
    --secret-string "file://rsa_key.p8"
```

For further details of these processes, read the following AWS documentation:

* [Create an AWS Secrets Manager secret](https://docs.aws.amazon.com/secretsmanager/latest/userguide/create_secret.html)
* [AWS CLI](https://docs.aws.amazon.com/secretsmanager/latest/userguide/create_secret.html#create_secret_cli)

If your private key is passphrase protected, you will also need to add a secret to store the passphrase.

You now need to add the secrets to **Secret definitions** in {maia}. Read [Secrets and secret definitions](/docs/guides/secrets-and-secret-definitions#create-a-secret-definition-hybrid-saas) for details.

<Note>
  * The private key must be stored as a plaintext secret, not as key/value pairs.
  * Add a separate AWS secret for every private key you want to use.
  * Grant the {m_runner}'s IAM task role permission to read the new secret (and the passphrase secret, if you created one). Read [AWS IAM roles](/docs/guides/aws-iam-roles) for details.
</Note>
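The AWS steps above (store the key, store the passphrase, grant the runner's task role access) can be done end to end from the CLI. The script below is an added example and not Maia's own tooling or documentation. The secret names, the role name `MaiaRunnerTaskRole`, the file name `rsa_key.p8` and the `SNOWFLAKE_KEY_PASSPHRASE` variable are assumptions for illustration; the policy grants read access only to the two secrets created, using the ARNs returned by `create-secret` because Secrets Manager appends a random suffix to every secret ARN.

```shell
# Added example (not Maia tooling): create the Snowflake private-key and
# passphrase secrets in the runner's region, then attach a least-privilege
# inline policy to the runner's IAM task role. Names below are assumptions.

# Render an IAM policy that allows reading exactly the given secret ARNs.
render_secret_read_policy() {
    arns=""
    for a in "$@"; do
        arns="${arns:+$arns, }\"$a\""
    done
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadSnowflakeKeyPairSecrets",
      "Effect": "Allow",
      "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
      "Resource": [$arns]
    }
  ]
}
EOF
}

# Store both secrets and grant the task role access to them.
# Usage: SNOWFLAKE_KEY_PASSPHRASE='...' store_snowflake_key_pair_secrets rsa_key.p8 eu-west-1 MaiaRunnerTaskRole
store_snowflake_key_pair_secrets() {
    key_file="$1"; region="$2"; role="$3"

    # file:// makes the CLI read the PEM verbatim, so every line break and the
    # newline after the footer survive ("$(cat ...)" would strip that newline).
    key_arn=$(aws secretsmanager create-secret \
        --region "$region" \
        --name "snowflake/maia/private-key" \
        --description "Snowflake key-pair private key, PKCS#8 PEM" \
        --secret-string "file://$key_file" \
        --query ARN --output text)

    # The passphrase is a second, separate secret. It is taken from the
    # environment so the literal value does not land in shell history.
    pass_arn=$(aws secretsmanager create-secret \
        --region "$region" \
        --name "snowflake/maia/private-key-passphrase" \
        --description "Passphrase for the encrypted Snowflake private key" \
        --secret-string "$SNOWFLAKE_KEY_PASSPHRASE" \
        --query ARN --output text)

    # Scope the runner's read access to these two ARNs only.
    aws iam put-role-policy \
        --role-name "$role" \
        --policy-name "ReadSnowflakeKeyPairSecrets" \
        --policy-document "$(render_secret_read_policy "$key_arn" "$pass_arn")"

    printf '%s\n' "$key_arn" "$pass_arn"
}
```

Both secrets are then added as **Secret definitions** in {maia} as described above. If the key is unencrypted, drop the passphrase secret and pass only `$key_arn` to the policy.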

***

## Azure Key Vault

When storing a Snowflake private key in Azure Key Vault, you must use the Azure CLI, as using the Azure GUI causes issues with multi-line secrets. Read the [Azure documentation](https://learn.microsoft.com/en-us/azure/key-vault/secrets/multiline-secrets) for more information.

Use the following Azure CLI command to add the private key:

```
az keyvault secret set --vault-name <vault-name> --name <secret-name> --file <private-key-file-path>
```

If your private key is passphrase protected, you will also need to add a secret to store the passphrase.

You now need to add the secrets to **Secret definitions** in {maia}. Read [Secrets and secret definitions](/docs/guides/secrets-and-secret-definitions#create-a-secret-definition-hybrid-saas) for details.
