Key Pair Authentication is a Snowflake authentication method that uses an RSA public/private key pair instead of a password. Because no password is involved, it is ideal for service accounts (ETL pipelines, CI/CD jobs, automation scripts, etc.). The key must be RSA 2048-bit or larger. You register the public key on the Snowflake user and the client authenticates using the private key.
# Step 1: Generate a private key (no passphrase)
openssl genrsa 2048 | openssl pkcs8 -topk8 -inform PEM -out rsa_key.p8 -nocrypt
# Step 1b: Generate a private key (with passphrase - recommended for production)
openssl genrsa 2048 | openssl pkcs8 -topk8 -inform PEM -out rsa_key.p8 -v2 aes256
# You will be prompted for the passphrase
# Step 2: Generate the public key
openssl rsa -in rsa_key.p8 -pubout -out rsa_key.pub
# Step 3: Inspect the public key (strip header/footer before registering in Snowflake)
cat rsa_key.pub
# -----BEGIN PUBLIC KEY-----
# MIIBIjANBgkq...
# -----END PUBLIC KEY------- Register the public key on the user (single-line string with header/footer/newlines stripped)
ALTER USER etl_service_account
SET RSA_PUBLIC_KEY = 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...';
-- Check the fingerprint of the registered public key
DESCRIBE USER etl_service_account;
-- The SHA-256 fingerprint appears in RSA_PUBLIC_KEY_FP
-- Inspect public key registration info
SELECT
name,
rsa_public_key_fp,
rsa_public_key_2_fp
FROM SNOWFLAKE.ACCOUNT_USAGE.USERS
WHERE name = 'ETL_SERVICE_ACCOUNT';# Connect with a private key (no passphrase)
snowsql -a <account> -u etl_service_account \
--private-key-path rsa_key.p8
# Connect with a passphrase-protected private key
snowsql -a <account> -u etl_service_account \
--private-key-path rsa_key.p8
# You will be prompted for the passphrase
# Pass the passphrase via environment variable
export SNOWSQL_PRIVATE_KEY_PASSPHRASE='my_passphrase'
snowsql -a <account> -u etl_service_account \
--private-key-path rsa_key.p8import snowflake.connector
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
# Load the private key file (with passphrase)
with open("rsa_key.p8", "rb") as key_file:
private_key = serialization.load_pem_private_key(
key_file.read(),
password=b"my_passphrase", # Use None if there is no passphrase
backend=default_backend()
)
# Convert to DER format
private_key_bytes = private_key.private_bytes(
encoding=serialization.Encoding.DER,
format=serialization.PrivateFormat.PKCS8,
encryption_algorithm=serialization.NoEncryption()
)
# Connect to Snowflake
conn = snowflake.connector.connect(
account="<account>",
user="etl_service_account",
private_key=private_key_bytes,
warehouse="ETL_WH",
database="RAW",
schema="PUBLIC"
)
cursor = conn.cursor()
cursor.execute("SELECT CURRENT_USER(), CURRENT_ROLE()")
print(cursor.fetchone())// JDBC connection properties
Properties props = new Properties();
props.put("account", "<account>");
props.put("user", "etl_service_account");
props.put("authenticator", "SNOWFLAKE_JWT");
props.put("private_key_file", "/path/to/rsa_key.p8");
props.put("private_key_file_pwd", "my_passphrase");
// Spark Connector configuration
val sfOptions = Map(
"sfURL" -> "<account>.snowflakecomputing.com",
"sfUser" -> "etl_service_account",
"pem_private_key" -> privateKeyString,
"sfDatabase" -> "RAW",
"sfSchema" -> "PUBLIC",
"sfWarehouse" -> "ETL_WH"
)Snowflake supports two public key slots (RSA_PUBLIC_KEY / RSA_PUBLIC_KEY_2), which allows zero-downtime key rotation.
# Step 1: Generate a new key pair
openssl genrsa 2048 | openssl pkcs8 -topk8 -inform PEM -out rsa_key_new.p8 -v2 aes256
openssl rsa -in rsa_key_new.p8 -pubout -out rsa_key_new.pub
-- Step 2: Register the new public key on RSA_PUBLIC_KEY_2
ALTER USER etl_service_account
SET RSA_PUBLIC_KEY_2 = 'MIIBIjANBgkq...new public key...';
-- At this point, both the old and new private keys can authenticate
# Step 3: Switch applications over to the new private key
# (wait until every application has been switched)
-- Step 4: Remove the old public key
ALTER USER etl_service_account
SET RSA_PUBLIC_KEY = '';
-- Step 5: Promote the new public key to the primary slot (optional)
ALTER USER etl_service_account
SET RSA_PUBLIC_KEY = 'MIIBIjANBgkq...new public key...';
ALTER USER etl_service_account
SET RSA_PUBLIC_KEY_2 = '';| Authentication Method | Target | Interactive | Secret Management |
|---|---|---|---|
| Password Authentication | User / Service Account | Supported | Password (rotate regularly) |
| Key Pair Authentication | Service accounts recommended | Non-interactive | Private key file + passphrase |
| SSO (SAML 2.0) | User | Interactive | Managed by the IdP |
| OAuth | Application | Both supported | Access token (time-limited) |
-- Audit key pair authentication usage
SELECT
user_name,
client_ip,
first_authentication_factor,
is_success,
error_message,
event_timestamp
FROM SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY
WHERE first_authentication_factor = 'RSA_TOKEN'
AND event_timestamp >= DATEADD(DAY, -30, CURRENT_TIMESTAMP())
ORDER BY event_timestamp DESC;Security & Governance
問題 1
You are planning a private key rotation for a service account that uses key pair authentication. Which Snowflake operation should you perform first to complete the rotation with zero downtime?
正解: B
For zero-downtime key rotation, registering the new public key on the RSA_PUBLIC_KEY_2 slot creates a window where both the old and new private keys can authenticate. During that window you switch applications over to the new private key, and once every application has been migrated you remove the old public key. Directly overwriting RSA_PUBLIC_KEY would cause applications that have not yet been switched to fail authentication.
Should I use a passphrase-protected private key for key pair authentication?
In production you should use an encrypted private key with a passphrase (PKCS#8 + AES-256 encryption). An unprotected private key can be used for authentication immediately if the file leaks. A passphrase-protected key requires both the private key file and the passphrase, raising the security bar significantly. In CI/CD pipelines, the recommended design is to store the passphrase in a secret manager such as AWS Secrets Manager or Azure Key Vault.
Why does Snowflake support both RSA_PUBLIC_KEY and RSA_PUBLIC_KEY_2?
Snowflake supports two public key slots per user (RSA_PUBLIC_KEY and RSA_PUBLIC_KEY_2) so that you can perform zero-downtime key rotation (key rollover). The flow is: generate a new key pair, set the new public key on RSA_PUBLIC_KEY_2 → switch your applications over to the new private key → remove the old key with RSA_PUBLIC_KEY = '' → optionally promote RSA_PUBLIC_KEY_2 to RSA_PUBLIC_KEY. This sequence lets you rotate without service interruption.
Can key pair authentication be combined with MFA?
Key pair authentication cannot be combined with MFA. It is designed primarily for service accounts (non-interactive connections) and is incompatible with the interactive prompts MFA requires. The recommended split is SSO (SAML 2.0) + MFA for interactive user accounts, and key pair authentication for non-interactive service accounts.
Practice with certification-focused question sets
無料で問題を解いてみるNicheeLab Editorial Team
NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.
Snowflake Certifications: All 11 Exams Explained (2026)
Every SnowPro certification — Associate, Core, Specialty, Ad...
Snowflake Exam Difficulty Ranking: All 11 Certs Compared (2026)
All 11 SnowPro exams ranked by difficulty with study-time es...
Snowflake Study Guide: Fastest Pass Route by Exam (2026)
How to pass SnowPro certifications efficiently — official ma...
SnowPro Core (COF-C03): Complete Exam Guide (2026)
Pass the SnowPro Core exam — six domains, scope, sample ques...
SnowPro Associate Platform (SOL-C01): Complete Guide (2026)
The entry-level SnowPro Associate exam — scope, weighting, s...