docs/docs/databases/snowflake/getting-started/rsa-key-pair-auth.mdx
import Thumbnail from '@site/src/components/Thumbnail';
RSA key pair authentication provides a secure method to connect to Snowflake without using traditional username/password authentication. This guide walks you through setting up RSA key pair authentication for use with Hasura's Snowflake connector.
For detailed information about RSA key pair authentication, refer to the Snowflake documentation.
:::info Cloud Provider Compatibility
RSA key pair authentication for Snowflake is supported across all Hasura Cloud providers starting with version v2.48.4-cloud.1. The only exception is Azure East US, where the necessary Java configuration is already set at the infrastructure level.
If you're using an earlier version of Hasura Cloud or experiencing connection issues, we recommend testing your JDBC connection string with a database client like DBeaver first to verify the connection works before configuring it in Hasura.
:::
Generate a 2048-bit RSA private key with PKCS#8 encryption. You'll need to provide a passphrase for the private key:
openssl genrsa 2048 | openssl pkcs8 -topk8 -v2 des3 -inform PEM -out rsa_key.p8
:::info Passphrase Security
Choose a strong passphrase for your private key. You'll need this passphrase later when configuring the JDBC connection string.
:::
Extract the public key from the private key you just created:
openssl rsa -in rsa_key.p8 -pubout -out rsa_key.pub
You can view the public key contents with:
cat rsa_key.pub
Ensure your Snowflake user has the necessary privileges. Refer to the Snowflake documentation for specific privilege requirements.
Log into your Snowflake account and run the following command to assign the RSA public key to your user account:
ALTER USER <your_snowflake_user> SET RSA_PUBLIC_KEY='<contents_of_rsa_key.pub>';
Replace <your_snowflake_user> with your actual Snowflake username and <contents_of_rsa_key.pub> with the contents of
the public key file (excluding the -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY----- lines).
Convert the private key to a single-line base64 format for use in the JDBC connection string:
base64 -w 0 --input rsa_key.p8 --output snowflake_private_key_base64.txt
You can view the base64-encoded private key with:
cat snowflake_private_key_base64.txt
Create your JDBC connection string using the following format:
jdbc:snowflake://account.snowflakecomputing.com/?user=<username>&warehouse=<sf_warehouse>&db=<dbname>&schema=<schemaname>&private_key_base64=<base64_of_private_key>&private_key_pwd=<passphrase_used_to_create_private_key>
account: Your Snowflake account identifierusername: Your Snowflake usernamesf_warehouse: Your Snowflake warehouse namedbname: Your database nameschemaname: Your schema namebase64_of_private_key: The base64-encoded private key from Step 5passphrase_used_to_create_private_key: The passphrase you used in Step 1jdbc:snowflake://MYCOMPANY-PROD.snowflakecomputing.com/?user=myuser&warehouse=ANALYST_WH&db=mydatabase&schema=public&private_key_pwd=mypassphrase&private_key_base64=MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC...
Before configuring Hasura, test your JDBC connection string using a database client like DBeaver:
Set up your JDBC connection string as an environment variable for better security:
SNOWFLAKE_JDBC_URL) with your complete JDBC connection stringAlternatively, you can directly paste the JDBC connection string in the Hasura Console when adding your Snowflake data source.
:::info Environment Variable Best Practice
Using environment variables for connection strings is recommended as it keeps sensitive information like private keys and passphrases out of your metadata and provides better security.
:::
Once configured, verify that Hasura can successfully connect to your Snowflake database by: