Snowflake Key Pair authentication from Salesforce
(Snowflake Connector)
When creating a Snowflake connection in Salesforce you have three authentication options.
- Username and password
- OAuth
- Key Pair auth
In this article, I will guide you through the process of setting up Key Pair authentication, which is probably the authentication type you will use in a production environment.
This article is a combination of steps that can be found in the Snowflake and Salesforce online documentation. I'm just putting all the instructions in one place.
Configuring Snowflake
Generate the Private Key
To start, open a terminal window (Command Prompt on Windows) and generate a private key.
Use the following command (I'm using 1234 as the encryption password):
#For Snowflake Connector
openssl genrsa 2048 | openssl pkcs8 -topk8 -v2 des3 -inform PEM -out sc_rsa_key.p8
The command generates a private key in PEM format.
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIE6TAbBgkqhkiG9w0BBQMwDgQILYPyCppzOwECAggABIIEyLiGSpeeGSe3xHP1
wHLjfCYycUPennlX2bd8yX8xOxGSGfvB+99+PmSlex0FmY9ov1J8H1H9Y3lMWXbL
...
-----END ENCRYPTED PRIVATE KEY-----
Generate a Public Key
From the command line, generate the public key by referencing the private key that you created in the previous step (sc_rsa_key.p8).
The following command assumes the private key is encrypted and contained in the file named sc_rsa_key.p8 for the Snowflake Connector and soc_rsa_key.p8 for the Snowflake Output Connector.
#For Snowflake Connector
openssl rsa -in sc_rsa_key.p8 -pubout -out sc_rsa_key.pub
The command generates the public key in PEM format.
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAy+Fw2qv4Roud3l6tjPH4
zxybHjmZ5rhtCz9jppCV8UTWvEXxa88IGRIHbJ/PwKW/mR8LXdfI7l/9vCMXX4mk
...
-----END PUBLIC KEY-----
Assign the Public Key to a Snowflake User
Execute an ALTER USER command to assign the public key to a Snowflake user.
ALTER USER TO_SALESFORCE SET RSA_PUBLIC_KEY='MIIBIjANBgkqh...';
Verify the User’s Public Key Fingerprint
Execute a DESCRIBE USER command to verify the user's public key.
DESC USER TO_SALESFORCE;
+---------------------+-----------------------------------------------------+---------+----------------------------------------------+
| property            | value                                               | default | description                                  |
+---------------------+-----------------------------------------------------+---------+----------------------------------------------+
| NAME                | JSMITH                                              | null    | Name                                         |
...
...
| RSA_PUBLIC_KEY      | MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...     | null    | RSA public key of the user                   |
| RSA_PUBLIC_KEY_FP   | SHA256:nvnONUsfiuycCLMXIEWG4eTp4FjhVUZQUQbNpbSHXiA= | null    | Fingerprint of user's RSA public key.        |
| RSA_PUBLIC_KEY_2    | null                                                | null    | Second RSA public key of the user            |
| RSA_PUBLIC_KEY_2_FP | null                                                | null    | Fingerprint of user's second RSA public key. |
...
+---------------------+-----------------------------------------------------+---------+----------------------------------------------+
Now, I will not take credit for putting together the information above; it is a copy-paste from the Snowflake documentation with minor adjustments.
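The RSA_PUBLIC_KEY_FP value returned by DESC USER is only useful when compared against a fingerprint computed locally from sc_rsa_key.pub. The script below is an added example, not part of the original article: the function names are hypothetical, and it builds a throwaway key pair with the article's two commands (passphrase 1234, the demo value) as constructed sample input.

```shell
#!/usr/bin/env bash
# Added example, not from the article; function names are hypothetical.
set -eu

# Base64 body of a PEM file on one line, without the BEGIN/END rows:
# the value that goes between the quotes in ALTER USER ... RSA_PUBLIC_KEY.
pem_body() {
  grep -v -e '-----' "$1" | tr -d '\r\n'
}

# Fingerprint in the RSA_PUBLIC_KEY_FP format:
# "SHA256:" + base64(SHA-256 over the DER-encoded public key).
snowflake_fp() {
  # Fail closed: never hash empty output from an unreadable or invalid key.
  openssl rsa -pubin -in "$1" -noout 2>/dev/null || return 1
  digest=$(openssl rsa -pubin -in "$1" -outform DER 2>/dev/null \
    | openssl dgst -sha256 -binary | openssl enc -base64)
  printf 'SHA256:%s\n' "$digest"
}

# Succeeds only when the local key matches the value copied from DESC USER.
fp_matches() {
  [ "$(snowflake_fp "$1")" = "$2" ]
}

# Constructed sample input: a throwaway key pair built with the article's two
# commands; the passphrase is passed non-interactively (demo value only).
make_demo_keys() {
  ( umask 077   # key files readable by the owner only
    openssl genrsa 2048 2>/dev/null \
      | openssl pkcs8 -topk8 -v2 des3 -inform PEM \
          -out "$1/sc_rsa_key.p8" -passout "pass:$2"
    openssl rsa -in "$1/sc_rsa_key.p8" -passin "pass:$2" \
      -pubout -out "$1/sc_rsa_key.pub" 2>/dev/null )
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
make_demo_keys "$demo_dir" 1234
pub="$demo_dir/sc_rsa_key.pub"
echo "ALTER USER TO_SALESFORCE SET RSA_PUBLIC_KEY='$(pem_body "$pub")';"
echo "Expected RSA_PUBLIC_KEY_FP: $(snowflake_fp "$pub")"
# Fingerprint from the article's DESC USER sample; it belongs to another key.
if fp_matches "$pub" 'SHA256:nvnONUsfiuycCLMXIEWG4eTp4FjhVUZQUQbNpbSHXiA='; then
  echo "match"; else echo "MISMATCH: this key is not the one on that user"; fi
```

With real keys, pass the path to your own sc_rsa_key.pub and the RSA_PUBLIC_KEY_FP string copied from the DESC USER output to fp_matches.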
Configuring Salesforce
We will be using CRM Analytics to move data between Salesforce and Snowflake. If you need end-to-end instructions on how to ETL data from Salesforce to Snowflake, please visit this article.
To configure a CRM Analytics connector for Snowflake with Key Pair authentication, I will assume that CRM Analytics is up and running.
Configuring the Snowflake Connector
While in Sales Cloud, go to the top left navigation pane (the 3x3 dots below the blue cloud) and search for Analytics Studio.
Select Analytics Studio.
Once you are in Analytics Studio, select Data Manager in the left navigation pane (mid-screen).
In Data Manager select Connections in the left navigation pane.
Select New Connection in the top right corner.
Search for Snowflake, select Snowflake Connector, and click Next.
Fill in the required information to connect to your Snowflake instance. For the sake of the demo, I will be using username and password to log in to Snowflake.
Important: Developer Name is the name that will be visible when you start creating your Recipes.
In the Authentication Type box, replace Password with PrivateKey.
In the last step of the Snowflake setup, we added the key pair to the SALESFORCE account.
Username: TO_SALESFORCE
Password: blank
Private Key: Open the sc_rsa_key.p8 file and copy the text that is in the file, but remove the first and last rows (-----BEGIN ENCRYPTED PRIVATE KEY-----) and (-----END ENCRYPTED PRIVATE KEY-----).
Before
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIE6TAbBgkqhkiG9w0BBQMwDgQILYPyCppzOwECAggABIIEyLiGSpeeGSe3xHP1
wHLjfCYycUPennlX2bd8yX8xOxGSGfvB+99+PmSlex0FmY9ov1J8H1H9Y3lMWXbL
...
-----END ENCRYPTED PRIVATE KEY-----
After
MIIE6TAbBgkqhkiG9w0BBQMwDgQILYPyCppzOwECAggABIIEyLiGSpeeGSe3xHP1
wHLjfCYycUPennlX2bd8yX8xOxGSGfvB+99+PmSlex0FmY9ov1J8H1H9Y3lMWXbL
...
Once you have removed the first and last rows, copy the text to the Private Key box.
Private Key Passphrase: 1234
Private Key Passphrase is the encryption password that we used when we created the private key (1234).
Account: should be in the format organisation-account
In my example the Snowflake Account name is IZ27431 and the Organization name is WEELGRT so the information that is needed in the field Account is WEELGRT-IZ27431.
Role: SALESFORCE
I’m using a Database called DEMODB, a Schema called SALESFORCE, and a Virtual Warehouse with the name XSMALL.
Click Save and Test, and if all went well you should get a green confirmation banner.
For more information, visit the Salesforce documentation page.
Congratulations, you have successfully set up Key Pair authentication for the Snowflake Connector in Salesforce.