Snowflake Key Pair Authentication
To comply with Snowflake’s updated security requirements and strengthen authentication, Daton is transitioning from username-password authentication to key pair authentication for Snowflake destinations.
1. Why is this change happening?
Snowflake has mandated Multi-Factor Authentication (MFA) for all users.
Service accounts are not ideal for MFA, and Snowflake recommends using key pair authentication for automated tools and integrations.
This ensures more secure, non-interactive access to Snowflake.
2. What is key pair authentication?
It uses a public-private key pair instead of a password.
Daton generates this key pair during destination setup.
The private key is securely stored in Daton.
You must copy and paste the public key into your Snowflake user configuration.
3. What will change in Daton?
Daton will no longer support username-password authentication for new Snowflake destinations.
Each destination will require a key pair setup.
During configuration, users must update their Snowflake user with the generated public key.
4. Can I use the same Snowflake user across multiple Daton destinations?
No. Each destination must have a unique Snowflake user.
This is because each key pair is linked to a specific user, and multiple destinations cannot share the same key.
5. Can I regenerate a key pair?
Yes. You can regenerate the key by enabling the setting in the first step of destination setup:
“Do you want to regenerate key?”
A new key pair will be generated, and the previous one will be invalidated.
You must update your Snowflake user with the new public key.
6. Where should I paste the public key in Snowflake?
You can set the public key using either the Snowflake UI or a SQL command.
Example SQL:
ALTER USER your_user_name SET RSA_PUBLIC_KEY='your_public_key_here';
ALTER USER your_user_name SET TYPE = SERVICE;
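After running the statements above, or after regenerating a key, you can confirm that the Snowflake user holds the key you copied by comparing fingerprints. The following is an added example, not Daton's or Snowflake's code: it assumes the copied key is either a PEM "PUBLIC KEY" block or its bare base64 body, and it computes the value Snowflake reports as RSA_PUBLIC_KEY_FP in the output of DESC USER. The user name daton_dest_1 and the sample key bytes are constructed placeholders.

```python
import base64
import hashlib
import re

PEM_MARKER = re.compile(r"-----(?:BEGIN|END) PUBLIC KEY-----")
SIMPLE_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_$]*")


def key_body(pasted: str) -> str:
    """Strip PEM delimiter lines and all whitespace, leaving the base64 body."""
    body = "".join(PEM_MARKER.sub("", pasted).split())
    if not body:
        raise ValueError("no key material in pasted text")
    return body


def fingerprint(pasted: str) -> str:
    """SHA-256 over the key's DER bytes, formatted like RSA_PUBLIC_KEY_FP."""
    # validate=True rejects anything outside the base64 alphabet (raises ValueError)
    der = base64.b64decode(key_body(pasted), validate=True)
    return "SHA256:" + base64.b64encode(hashlib.sha256(der).digest()).decode("ascii")


def alter_user_sql(user: str, pasted: str) -> str:
    """Build the ALTER USER statement from the page for an unquoted user name."""
    if not SIMPLE_IDENT.fullmatch(user):
        raise ValueError(f"unexpected characters in user name: {user!r}")
    fingerprint(pasted)  # confirms the body is clean base64, so it cannot break the literal
    return f"ALTER USER {user} SET RSA_PUBLIC_KEY='{key_body(pasted)}';"


def key_is_installed(pasted: str, desc_user_fp: str) -> bool:
    """Compare the local fingerprint with RSA_PUBLIC_KEY_FP copied from DESC USER."""
    return fingerprint(pasted) == desc_user_fp.strip()


# Constructed placeholder bytes standing in for key material (NOT a real RSA key).
SAMPLE_KEY = (
    "-----BEGIN PUBLIC KEY-----\n"
    + base64.encodebytes(bytes(range(64))).decode("ascii")
    + "-----END PUBLIC KEY-----\n"
)

if __name__ == "__main__":
    print(alter_user_sql("daton_dest_1", SAMPLE_KEY))  # hypothetical user name
    print("expect RSA_PUBLIC_KEY_FP =", fingerprint(SAMPLE_KEY))
```

A mismatch after regeneration means the Snowflake user still carries the previous public key and the destination will fail to authenticate until the new key is set.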
7. What happens to existing Snowflake destinations in Daton?
Existing destinations that use username and password will continue to work until they are edited.
However, we strongly recommend completing the migration early, as key pair authentication will soon be mandatory for all Snowflake users.
When you edit an existing destination, Daton will automatically generate a public key, which you must copy and store in the corresponding Snowflake user.
8. Is there a temporary workaround for existing users to bypass MFA?
Yes. Snowflake allows temporarily bypassing MFA for service accounts by setting the user type to LEGACY_SERVICE.
This option is valid only until November, after which key pair authentication will be mandatory.
To apply this setting, run the following SQL command in Snowflake:
ALTER USER <<your_user_name>> SET TYPE = LEGACY_SERVICE;
This should only be used as a short-term workaround while you complete the migration to key pair authentication.
9. Where can I find help?
Step-by-step instructions: You can find the detailed setup documentation here.
Reach out to us at support@sarasanalytics.com if you have any issues.