Since the second half of 2024, Snowflake has been announcing that it will strengthen its security measures for user authentication. One of these measures will be to require the use of MFA for human users and defining more specific criteria for what constitutes “healthy” users in terms of authentication. For example, using key pair authentication and adding IP-based security rules it’s considered best practice and a healthy user authentication.

Why Use Key Pair Authentication?

Key pair authentication provides an additional layer of security by eliminating the need to store passwords in plain text. Instead, it uses a pair of cryptographic keys: a public key and a private key. The private key is kept secure with the user, while the public key is stored in Snowflake.

This method is not only more secure but also more convenient for automation and programmatic access. We can use this method along with Snowflake’s Network Policies as an alternative to MFA. This ensures that the user authenticating in this way is still considered to comply with Snowflake’s security best practices, while avoiding the need to use MFA every time we access Snowflake from a tool like DataGrip.

How to Use Key Pair Authentication According to Snowflake Documentation

The process is as follows:

1. We need to create the public and private keys.
2. Next, we need to update the user’s authentication in Snowflake to allow them to authenticate with the public key.
3. Finally, we need to include certain parameters in the JDBC connection in the tool we want to use, for example DataGrip.

How to Create Public and Private Authentication Keys

Snowflake provides a set of commands in its documentation to generate key pairs compatible with its platform. These commands ensure that the keys are in the correct format and contain all the necessary parameters. To do this, execute these two commands in the terminal or command line:

• This command generates a private key without an encryption password:

openssl genrsa 2048 | openssl pkcs8 -topk8 -inform PEM -out rsa_key.p8 -nocrypt

• Alternatively, we can use this command to include an encryption key:

openssl genrsa 2048 | openssl pkcs8 -topk8 -v2 des3 -inform PEM -out rsa_key.p8

Both options generate a 2048-bit RSA key and convert it to PKCS#8 format. Once we have created the private key with one of the above commands, it is time to create the public key with the following command:

openssl rsa -in rsa_key.p8 -pubout -out rsa_key.pub

If we created the private key with an encryption key, we will need to type the password when creating the public key.

Finally, we need to open the public key with a text editor and copy all the text between the lines “BEGIN PUBLIC KEY” and “END PUBLIC KEY”:

-----BEGIN PUBLIC KEY-----
MIIBIjAPQ.....
-----END PUBLIC KEY-----

How to Assign the Public Key to a Snowflake User

Now that the keys are generated, it is time to allow a specific user to use them. To do this, execute the following command in Snowflake with a role that owns the user or at least using the SECURITYADMIN role:

ALTER USER mi_usuario SET RSA_PUBLIC_KEY='MIIBIjAPQ.....';

As mentioned earlier, it is important not to include the entire text of the public key, but only the key itself, without the “BEGIN PUBLIC KEY” or “END PUBLIC KEY”.

Using Key Pair Authentication with JDBC Connections

Snowflake also has detailed documentation for using key pair authentication in connections via the JDBC connector. To do this, we will need to include certain additional parameters in the JDBC connection string:

• Path where the public key is located
• Encryption key (only if we created the private key with one)

The Problem with DataGrip

The problem I encountered is that the keys generated this way do not work when used in DataGrip, as it returns the following error message:

use java.security.interfaces.RSAPrivateCrtKey.class for the private key

After asking Claude, since I am not an expert in these topic, it seems that the error indicates that the private key is not in the format expected by the DataGrip JDBC driver. However, when asking Claude for a solution, it offers a way to avoid this error by creating the public and private keys in another way that is compatible with RSAPrivateCrtKey and contains all the necessary parameters.

In this regard, the alternative that worked for me is to follow these steps:

1. Generate the RSA key:

openssl genrsa -out temp_key.pem 2048

2. Convert the generated key to PKCS#8 format:

openssl pkcs8 -topk8 -inform PEM -in temp_key.pem -out rsa_key.p8 -nocrypt

3. Generate the public key:

openssl rsa -in temp_key.pem -pubout -out rsa_key.pub

4. Delete the temporary key:

rm temp_key.pem

Seems like these steps ensure that the private key contains all the necessary parameters and is compatible with RSAPrivateCrtKey, thus resolving the error in DataGrip.

How to Use Key Pair in DataGrip with Snowflake

Next, in the Snowflake connection configuration in DataGrip, we can edit the JDBC URL as follows:

jdbc:snowflake://mySnowflalkeAccount.snowflakecomputing.com? warehouse=myWarehouse&role=myRol&private_key_file= /route/to/key/rsa_key.p8&private_key_pwd=myPassword

In that JDBC connector string, we can include the parameters we need, such as the warehouse to use, the role with which we want to enter Snowflake, etc. But what is essential is to include the last two parameters:

• private_key_file: The path where the private key is located on my computer.
• private_key_pwd: The encryption key used when creating the key.

If we test the connection again, it should now work without any problems, and we can use DataGrip with key pair authentication, thus avoiding MFA. Remember that according to Snowflake’s guidelines, a user is considered secure if key pair authentication is combined with Network Policies to limit access by IP.