Key Pair Authentication

This example shows how to connect to Snowflake using key pair authentication.

Key pair authentication is a Snowflake-recommended method that replaces database passwords with cryptographic keys for better security.

Documentation

• Key-pair authentication guide
• SDK documentation
• Troubleshooting guide

How it Works

Key pair authentication uses two linked keys: a private key (kept secret) and a public key (shared with Snowflake). You add the public key to your Snowflake user account, then use the private key to authenticate.

When you connect, your private key signs a JSON Web Token (JWT) that proves your identity. Snowflake verifies the JWT using the public key you previously provided. The private key is never sent to Snowflake. This method is more secure than traditional passwords because no password or secret is transmitted over the network or stored with Snowflake.

Prerequisite

• A Snowflake user account with a public key added.

Steps

1. Load your private key.
   • For development/testing, it can be read from a file.
   • In production, use AWS Secrets Manager, Azure Key Vault, or another secure storage solution.
2. Create a connection with the options authenticator: "SNOWFLAKE_JWT" and privateKey.
3. Pass it to promisifyConnection and call connect().

Generating Keys for Testing

For testing, you can generate a key pair locally using OpenSSL (on macOS/Linux) or OpenSSH (on all platforms, including Windows).

To generate a key pair using OpenSSH (select the commands for your platform):

macOS/Linux

ssh-keygen -t rsa -b 2048 -f rsa_key.p8 -m PKCS8
ssh-keygen -f rsa_key.p8.pub -e -m pem > rsa_key.pub
rm rsa_key.p8.pub

PowerShell (Windows)

ssh-keygen -t rsa -b 2048 -f rsa_key.p8 -m PKCS8
ssh-keygen -f rsa_key.p8.pub -e -m pem | Out-File -FilePath rsa_key.pub -Encoding ASCII
rm rsa_key.p8.pub

You’ll be prompted for an optional password to protect the private key.

This creates rsa_key.p8 (a private key) and rsa_key.pub (the corresponding public key). Add the public key to your Snowflake user.

Example

import * as crypto from "node:crypto";
import * as fs from "node:fs/promises";
import { promisifyConnection } from "snowflake-promise";
import snowflake from "snowflake-sdk";

// Get the private key from secure storage, such as AWS Secrets Manager
// or Azure Key Vault
let privateKey = await getFromSecureStorage("snowflake-private-key");

// Alternative: Read it from the filesystem (for development/testing only)
// let privateKey = await fs.readFile("/path/to/rsa_key.p8", "utf8");

// If the key is password-protected, decrypt it:
if (privateKey.includes("ENCRYPTED")) {
  const privateKeyObject = crypto.createPrivateKey({
    key: privateKey,
    format: "pem",
    passphrase: "your-private-key-password"
  });
  privateKey = privateKeyObject.export({
    format: "pem",
    type: "pkcs8"
  });
}

// Create the connection, using the private key to authenticate
const connection = promisifyConnection(
  snowflake.createConnection({
    account: "your-account",
    username: "your-username",
    authenticator: "SNOWFLAKE_JWT",
    privateKey: privateKey,
  })
);

try {
  await connection.connect();
  console.log("Successfully connected to Snowflake");
} catch (error) {
  console.error("Connection failed:", error);
  return;
}

// Now you can execute queries
// const { resultsPromise } = connection.execute({ sqlText: "SELECT 1" });