Snowflake

Snowflake Key Pair Authentication: Complete Guide from Key Generation to Rotation

2026-03-26
更新: 2026-03-27
NicheeLab Editorial Team

Key Pair Authentication is a Snowflake authentication method that uses an RSA public/private key pair instead of a password. Because no password is involved, it is ideal for service accounts (ETL pipelines, CI/CD jobs, automation scripts, etc.). The key must be RSA 2048-bit or larger. You register the public key on the Snowflake user and the client authenticates using the private key.

Generating Keys with openssl

# Step 1: Generate a private key (no passphrase)
openssl genrsa 2048 | openssl pkcs8 -topk8 -inform PEM -out rsa_key.p8 -nocrypt

# Step 1b: Generate a private key (with passphrase - recommended for production)
openssl genrsa 2048 | openssl pkcs8 -topk8 -inform PEM -out rsa_key.p8 -v2 aes256
# You will be prompted for the passphrase

# Step 2: Generate the public key
openssl rsa -in rsa_key.p8 -pubout -out rsa_key.pub

# Step 3: Inspect the public key (strip header/footer before registering in Snowflake)
cat rsa_key.pub
# -----BEGIN PUBLIC KEY-----
# MIIBIjANBgkq...
# -----END PUBLIC KEY-----

Registering the Public Key in Snowflake

-- Register the public key on the user (single-line string with header/footer/newlines stripped)
ALTER USER etl_service_account
  SET RSA_PUBLIC_KEY = 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...';

-- Check the fingerprint of the registered public key
DESCRIBE USER etl_service_account;
-- The SHA-256 fingerprint appears in RSA_PUBLIC_KEY_FP

-- Inspect public key registration info
SELECT
  name,
  rsa_public_key_fp,
  rsa_public_key_2_fp
FROM SNOWFLAKE.ACCOUNT_USAGE.USERS
WHERE name = 'ETL_SERVICE_ACCOUNT';

Connecting with SnowSQL

# Connect with a private key (no passphrase)
snowsql -a <account> -u etl_service_account \
  --private-key-path rsa_key.p8

# Connect with a passphrase-protected private key
snowsql -a <account> -u etl_service_account \
  --private-key-path rsa_key.p8
# You will be prompted for the passphrase

# Pass the passphrase via environment variable
export SNOWSQL_PRIVATE_KEY_PASSPHRASE='my_passphrase'
snowsql -a <account> -u etl_service_account \
  --private-key-path rsa_key.p8

Connecting with the Python Connector

import snowflake.connector
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization

# Load the private key file (with passphrase)
with open("rsa_key.p8", "rb") as key_file:
    private_key = serialization.load_pem_private_key(
        key_file.read(),
        password=b"my_passphrase",  # Use None if there is no passphrase
        backend=default_backend()
    )

# Convert to DER format
private_key_bytes = private_key.private_bytes(
    encoding=serialization.Encoding.DER,
    format=serialization.PrivateFormat.PKCS8,
    encryption_algorithm=serialization.NoEncryption()
)

# Connect to Snowflake
conn = snowflake.connector.connect(
    account="<account>",
    user="etl_service_account",
    private_key=private_key_bytes,
    warehouse="ETL_WH",
    database="RAW",
    schema="PUBLIC"
)

cursor = conn.cursor()
cursor.execute("SELECT CURRENT_USER(), CURRENT_ROLE()")
print(cursor.fetchone())

Connecting with the JDBC / Spark Connector

// JDBC connection properties
Properties props = new Properties();
props.put("account", "<account>");
props.put("user", "etl_service_account");
props.put("authenticator", "SNOWFLAKE_JWT");
props.put("private_key_file", "/path/to/rsa_key.p8");
props.put("private_key_file_pwd", "my_passphrase");

// Spark Connector configuration
val sfOptions = Map(
  "sfURL" -> "<account>.snowflakecomputing.com",
  "sfUser" -> "etl_service_account",
  "pem_private_key" -> privateKeyString,
  "sfDatabase" -> "RAW",
  "sfSchema" -> "PUBLIC",
  "sfWarehouse" -> "ETL_WH"
)

Key Rotation Procedure

Snowflake supports two public key slots (RSA_PUBLIC_KEY / RSA_PUBLIC_KEY_2), which allows zero-downtime key rotation.

# Step 1: Generate a new key pair
openssl genrsa 2048 | openssl pkcs8 -topk8 -inform PEM -out rsa_key_new.p8 -v2 aes256
openssl rsa -in rsa_key_new.p8 -pubout -out rsa_key_new.pub

-- Step 2: Register the new public key on RSA_PUBLIC_KEY_2
ALTER USER etl_service_account
  SET RSA_PUBLIC_KEY_2 = 'MIIBIjANBgkq...new public key...';

-- At this point, both the old and new private keys can authenticate

# Step 3: Switch applications over to the new private key
# (wait until every application has been switched)

-- Step 4: Remove the old public key
ALTER USER etl_service_account
  SET RSA_PUBLIC_KEY = '';

-- Step 5: Promote the new public key to the primary slot (optional)
ALTER USER etl_service_account
  SET RSA_PUBLIC_KEY = 'MIIBIjANBgkq...new public key...';
ALTER USER etl_service_account
  SET RSA_PUBLIC_KEY_2 = '';

Authentication Method Comparison

Authentication MethodTargetInteractiveSecret Management
Password AuthenticationUser / Service AccountSupportedPassword (rotate regularly)
Key Pair AuthenticationService accounts recommendedNon-interactivePrivate key file + passphrase
SSO (SAML 2.0)UserInteractiveManaged by the IdP
OAuthApplicationBoth supportedAccess token (time-limited)

Best Practices

  • Use passphrase encryption: always use a passphrase-encrypted PKCS#8 private key in production.
  • Integrate with a secret manager: store the private key and passphrase in AWS Secrets Manager, Azure Key Vault, HashiCorp Vault, etc., and fetch them at application startup.
  • Rotate keys on a schedule: schedule key rotation every 90-180 days and use the two-slot mechanism to perform zero-downtime switchovers.
  • Separate service accounts: create distinct service accounts (users) per workload (ETL, BI, CI/CD, etc.) and assign a dedicated key pair to each.
  • Audit: audit key pair authentication usage by filtering the LOGIN_HISTORY view on FIRST_AUTHENTICATION_FACTOR = 'RSA_TOKEN'.
-- Audit key pair authentication usage
SELECT
  user_name,
  client_ip,
  first_authentication_factor,
  is_success,
  error_message,
  event_timestamp
FROM SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY
WHERE first_authentication_factor = 'RSA_TOKEN'
  AND event_timestamp >= DATEADD(DAY, -30, CURRENT_TIMESTAMP())
ORDER BY event_timestamp DESC;

Check Your Understanding

Security & Governance

問題 1

You are planning a private key rotation for a service account that uses key pair authentication. Which Snowflake operation should you perform first to complete the rotation with zero downtime?

  1. Use ALTER USER SET RSA_PUBLIC_KEY to directly overwrite the existing public key with the new one
  2. Register the new public key on RSA_PUBLIC_KEY_2 so both the old and new keys are temporarily valid
  3. Use DROP USER to delete the existing user and recreate it with the new public key
  4. Clear the existing key with ALTER USER SET RSA_PUBLIC_KEY = '' and then set the new key

正解: B

For zero-downtime key rotation, registering the new public key on the RSA_PUBLIC_KEY_2 slot creates a window where both the old and new private keys can authenticate. During that window you switch applications over to the new private key, and once every application has been migrated you remove the old public key. Directly overwriting RSA_PUBLIC_KEY would cause applications that have not yet been switched to fail authentication.

Frequently Asked Questions

Should I use a passphrase-protected private key for key pair authentication?

In production you should use an encrypted private key with a passphrase (PKCS#8 + AES-256 encryption). An unprotected private key can be used for authentication immediately if the file leaks. A passphrase-protected key requires both the private key file and the passphrase, raising the security bar significantly. In CI/CD pipelines, the recommended design is to store the passphrase in a secret manager such as AWS Secrets Manager or Azure Key Vault.

Why does Snowflake support both RSA_PUBLIC_KEY and RSA_PUBLIC_KEY_2?

Snowflake supports two public key slots per user (RSA_PUBLIC_KEY and RSA_PUBLIC_KEY_2) so that you can perform zero-downtime key rotation (key rollover). The flow is: generate a new key pair, set the new public key on RSA_PUBLIC_KEY_2 → switch your applications over to the new private key → remove the old key with RSA_PUBLIC_KEY = '' → optionally promote RSA_PUBLIC_KEY_2 to RSA_PUBLIC_KEY. This sequence lets you rotate without service interruption.

Can key pair authentication be combined with MFA?

Key pair authentication cannot be combined with MFA. It is designed primarily for service accounts (non-interactive connections) and is incompatible with the interactive prompts MFA requires. The recommended split is SSO (SAML 2.0) + MFA for interactive user accounts, and key pair authentication for non-interactive service accounts.

Check what you learned with practice questions

Practice with certification-focused question sets

無料で問題を解いてみる
Author

NicheeLab Editorial Team

NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.


Related articles
Snowflake

Snowflake Certifications: All 11 Exams Explained (2026)

Every SnowPro certification — Associate, Core, Specialty, Ad...

Snowflake

Snowflake Exam Difficulty Ranking: All 11 Certs Compared (2026)

All 11 SnowPro exams ranked by difficulty with study-time es...

Snowflake

Snowflake Study Guide: Fastest Pass Route by Exam (2026)

How to pass SnowPro certifications efficiently — official ma...

Snowflake

SnowPro Core (COF-C03): Complete Exam Guide (2026)

Pass the SnowPro Core exam — six domains, scope, sample ques...

Snowflake

SnowPro Associate Platform (SOL-C01): Complete Guide (2026)

The entry-level SnowPro Associate exam — scope, weighting, s...

Browse all Snowflake articles (103)
© 2026 NicheeLab All rights reserved.