gosnowflake
SNOW-161723: Add example to authenticate via private key
I've searched the entire repository, but I haven't found an example of how to establish keypair authentication to Snowflake. Is it possible to add a simple example of how to do it?
Is private key auth even supported?
This is supported but relatively confusing. The documentation here https://docs.snowflake.com/en/user-guide/key-pair-auth.html explains how to get the keys set up for the user.
In this driver, the URL for priv/pub auth will need `authenticator=SNOWFLAKE_JWT&privateKey=<key>` appended as parameters to the URL, e.g. `user[:password]@account/db?authenticator=SNOWFLAKE_JWT&privateKey=<key>`. Because the encoder is expecting URL safe base64 you cannot use the key as is, because base64 encoding from openssl is not URL safe:
```sh
# Generate an unencrypted PKCS#8 RSA key.
openssl genrsa 2048 | openssl pkcs8 -topk8 -inform PEM -out rsa_key.p8 -nocrypt
# Drop the PEM header/footer, join the lines, and switch to the URL-safe alphabet.
egrep -v '^(-----BEGIN PRIVATE KEY|-----END PRIVATE KEY)' rsa_key.p8 | \
tr -d '\n' | \
sed 's/+/-/g; s/\//_/g' > rsa_key_nohdr_urlbase64.p8
```
The key in `rsa_key_nohdr_urlbase64.p8` will be a base64 encoded URL safe PKCS#8.
@lyuboxa How would you do this with an encrypted private key? Do you decrypt it at the client side? I have a keypair in PKCS#8 that works in SnowSQL but I can't figure out how to use it with the driver. Also in either case, do you pass on the PEM separator? I.e.:
`-----BEGIN PRIVATE KEY-----<KEY HERE>-----END PRIVATE KEY-----`
You can decrypt the key and pass it to the driver; the key itself is used for signing the JWT token. You can look here for some guidance: https://github.com/snowflakedb/gosnowflake/blob/master/priv_key_test.go
should be available since the above PR.
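The shell steps and the decrypt-first advice from the thread, done in Go with only the standard library. This is an added example, not code from the thread or from gosnowflake. The function names and the `jsmith`/`myaccount`/`mydb` values are hypothetical, and padded URL-safe base64 is assumed because that is what the shell pipeline above produces.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
)

// PrivateKeyParam turns an unencrypted PKCS#8 PEM key into the privateKey DSN value.
func PrivateKeyParam(pemBytes []byte) (string, error) {
	block, _ := pem.Decode(pemBytes) // strips the BEGIN/END separator lines
	if block == nil || block.Type != "PRIVATE KEY" {
		return "", errors.New("need an unencrypted PKCS#8 PEM block (decrypt ENCRYPTED PRIVATE KEY first)")
	}
	if _, err := x509.ParsePKCS8PrivateKey(block.Bytes); err != nil {
		return "", err // catch a corrupt key before it reaches the DSN
	}
	// URLEncoding emits '-' and '_' where StdEncoding emits '+' and '/'.
	return base64.URLEncoding.EncodeToString(block.Bytes), nil
}

// BuildDSN follows the user@account/db?... shape quoted in the thread.
func BuildDSN(user, account, db, keyParam string) string {
	return fmt.Sprintf("%s@%s/%s?authenticator=SNOWFLAKE_JWT&privateKey=%s", user, account, db, keyParam)
}

// SamplePEM generates a throwaway RSA key as constructed sample input.
func SamplePEM() ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	der, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der}), nil
}

func main() {
	pemBytes, _ := SamplePEM()
	param, err := PrivateKeyParam(pemBytes)
	// The DSN contains the private key: print its length, never the value.
	fmt.Println(len(BuildDSN("jsmith", "myaccount", "mydb", param)), err)
}
```

Because the resulting DSN embeds the private key, keep it out of logs, error messages and version control.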