Connecting to Snowflake with Key Pair Auth

May 29, 2026 snowflake

Snowflake is shifting away from using usernames and passwords for service accounts in favor of key-pair authentication.

To create a key pair in Snowflake, follow this guide.

When generating a key pair, it's recommended to create an encrypted private key that requires a password to unlock it. This adds an extra layer of security: a leaked key file is useless on its own without the password. It's best to keep the password separate from the key, storing it in a secure location such as an environment variable.

To generate an encrypted private key in .p8 format, use the following command:

openssl genrsa 2048 | openssl pkcs8 -topk8 -v2 des3 -inform PEM -out rsa_key.p8

The private key will have the following format:

-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIE6T...
-----END ENCRYPTED PRIVATE KEY-----

To generate a public key from the private key, use the following command:

openssl rsa -in rsa_key.p8 -pubout -out rsa_key.pub

The public key will have the following format:

-----BEGIN PUBLIC KEY-----
MIIBIj...
-----END PUBLIC KEY-----

To associate the public key with a user, use the following SQL command (paste only the base64 body of the key: drop the BEGIN/END lines and remove any newlines):

ALTER USER example_user SET RSA_PUBLIC_KEY='MIIBIjANBgkqh...';

The components of key-pair authentication are:

  1. A private key (a .p8 file) used to sign requests
  2. A private key password used to unlock the .p8 file
  3. A public key used to verify requests

One of the drawbacks of using API keys or passwords is that the secret must be transmitted in at least one request. JSON Web Tokens (JWTs) address this issue by swapping secrets for short-lived tokens, but the request to obtain the JWT still passes a secret that can be intercepted. Short-lived tokens are beneficial because they have a limited lifetime and can be rotated or expire if compromised.

Public-key cryptography is a more secure approach because it eliminates the need to send a reusable credential at all. Instead, the client signs the request with its private key, and the destination verifies the signature using the corresponding public key. No passwords or API tokens are sent in the request.

Here are some examples I've put together on using key-pair authentication in Snowflake:

  1. Python example
  2. Snowflake CLI example
  3. Terraform example