
Earlier this year, Snowflake announced plans to block single-factor authentication. Due to client feedback regarding the complexity of migrating all authentications in the original timeline, Snowflake has extended the final enforcement date to October 2026. If you are still using individual username-password authentication, this blog series is here to help you migrate in time!

What does enforcement look like? Once the deadline is enforced, BI developers won’t be able to use their personal Snowflake login credentials when developing in BI tools, even if they have MFA enabled. They will see errors like this:

A screenshot of the Unable to connect error in PowerBI.

You now have three options to authenticate your BI tools (maybe fewer depending on your BI tool of choice): OAuth, RSA key pairs, or PAT tokens. In this blog series, we will explore these three connection options for some of the most popular BI tools.

Looking for alternatives like Programmatic Access Tokens (PAT) or OAuth? Check out our other blogs:

  • Breaking Up with Single-Factor: A Guide to connecting your BI Tools to Snowflake using Programmatic Access Tokens
  • Breaking Up with Single-Factor: A Guide to connecting your BI Tools to Snowflake using OAuth 

What are RSA Key pairs?

Setting up RSA Key pairs on Snowflake

Using RSA in your BI tool

How to use an RSA Key Pair in Tableau

How to use an RSA Key Pair in PowerBI

How to use an RSA Key Pair in Sigma

How to use an RSA Key Pair in Omni

How to use an RSA Key Pair in Domo

How to use an RSA Key Pair in Looker

Key pair authentication is a method used to authenticate a user or service (like a BI tool connection) based on a pair of keys: a private key, which remains confidential, and a public key, which is shared.

In Snowflake, users or services can authenticate using RSA-2048 private keys instead of traditional passwords.

The steps are the following:

1. Generate Key Pairs:

The user or service generates a pair of keys (private and public). This is typically accomplished using OpenSSL.

2. Register the Public Key with Snowflake

3. BI tool Connection Creation and Configuration:

The connection in the BI tool is created using the private key from step 1. To authenticate the connection request, Snowflake issues a challenge to the BI tool. The tool then proves its identity using its private key, without ever exposing it.

4. Key Rotation

After a predetermined period or under specific conditions, the old key pair is retired and replaced with a new one. The fresh public key is then registered with Snowflake, and the cycle repeats.

Note: If you are using Omni, it can generate the key pair for you, so you can skip directly to the Omni section of this blog. If you prefer to bring your own private key, follow Step 1 below for an unencrypted key. Omni doesn’t allow you to bring your own public key.

1. Generate the Private Key

Depending on which BI tool you will use, you have the option to generate encrypted or unencrypted private keys. Generally, it is safer to generate encrypted keys. Check your BI tool's section below to see whether encrypted keys are supported.

To generate an unencrypted version, open a terminal window and use the following command:

openssl genrsa 2048 | openssl pkcs8 -topk8 -inform PEM -out rsa_key.p8 -nocrypt

To generate an encrypted version use the following command:

openssl genrsa 2048 | openssl pkcs8 -topk8 -v2 des3 -inform PEM -out rsa_key.p8

When you run the command, OpenSSL will prompt you to enter and verify a password which is used as the key for this encryption.

2. Generate the Public Key

Run the following command. If you named your file something different, replace rsa_key.p8 with your file name.

openssl rsa -in rsa_key.p8 -pubout -out rsa_key.pub

3. Save the two PEM files somewhere secure.

4. Assign the public key to a Snowflake user.

Run this command on Snowflake. We recommend you do this for a service user that you will then use for the BI tool connection.

Alter user command in snowflake to set a user’s RSA key.

5. Verify the user’s public key fingerprint

Run this command on Snowflake:

Command in snowflake to verify the public fingerprint.

Copy the output and then run the following command on the command line:

openssl rsa -pubin -in rsa_key.pub -outform DER | 
openssl dgst -sha256 -binary | openssl enc -base64

Both outputs should match.
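Steps 1 to 5 as one script, added here as an example (not code from the original post). The user name bi_service_user and the file locations are placeholders. It relies on two facts about Snowflake: the public key is passed to ALTER USER without its PEM delimiters, and the RSA_PUBLIC_KEY_FP property shown for the user carries a "SHA256:" prefix in front of the base64 value.

```shell
#!/bin/sh
# Added example; bi_service_user and the file names are placeholders.
set -eu

# Steps 1-3: unencrypted PKCS#8 key pair. umask 077 makes both files
# owner-only from the moment they are created.
make_keypair() {  # $1 = output directory
  ( umask 077
    openssl genrsa 2048 2>/dev/null |
      openssl pkcs8 -topk8 -inform PEM -out "$1/rsa_key.p8" -nocrypt
    openssl rsa -in "$1/rsa_key.p8" -pubout -out "$1/rsa_key.pub" 2>/dev/null )
}

# Step 4: build the ALTER USER statement. The key is passed as its base64
# body only, with the PEM BEGIN/END lines and line breaks removed.
alter_user_sql() {  # $1 = Snowflake user, $2 = public key PEM file
  case "$1" in ''|*[!A-Za-z0-9_]*) echo "unexpected user name" >&2; return 1 ;; esac
  printf "ALTER USER %s SET RSA_PUBLIC_KEY='%s';\n" \
    "$1" "$(grep -v -e '-----' "$2" | tr -d '\r\n')"
}

# Step 5: same pipeline as above; prints the base64 SHA-256 of the DER key.
local_fingerprint() {  # $1 = public key PEM file
  openssl rsa -pubin -in "$1" -outform DER 2>/dev/null |
    openssl dgst -sha256 -binary | openssl enc -base64
}

# Succeeds only if the value copied from Snowflake matches the local file.
# The RSA_PUBLIC_KEY_FP property carries a "SHA256:" prefix, so strip it.
fingerprint_matches() {  # $1 = value from Snowflake, $2 = public key PEM file
  [ "${1#SHA256:}" = "$(local_fingerprint "$2")" ]
}

# Demo on a throwaway key pair.
demo_dir=$(mktemp -d)
make_keypair "$demo_dir"
alter_user_sql bi_service_user "$demo_dir/rsa_key.pub"
echo "local fingerprint: $(local_fingerprint "$demo_dir/rsa_key.pub")"
rm -rf "$demo_dir"
```

A mismatch from fingerprint_matches means the key registered on the user is not the one in your local file, which is worth catching before the private key is handed to a BI tool.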

Once you have both your keys generated and your Public key registered in Snowflake, the next steps will vary depending on your BI tool. Here we have detailed the steps for some of the most popular BI tools that our clients use.

  1. Sign in to Tableau Cloud or Server and navigate to your My Account Settings page.
  2. In the Security Section find Saved Credentials for Data Sources
  3. Next to Snowflake, click Add.
  4. In the Add a New Saved Credential window, select Key-pair Authentication, and then click Add.
  5. Enter your Snowflake server, Role (optional), and the service user name associated with these credentials.
  6. For Private Key File, click Choose a file and select the file that contains your private key. If encrypted, enter the passphrase in the Password field, and then click Add.

PowerBI doesn’t support RSA Key Pair authentication for Snowflake. Please see our blogs on OAuth and PAT for alternative authentication options.

Sigma supports both encrypted and unencrypted key pairs. We recommend using encryption.

  1. Log into Sigma as Administrator and navigate to Administration > Connections. Click Create Connection and give it a name.
  2. Select Snowflake as the type
  3. Enter your Snowflake details:
    1. Snowflake account and warehouse.
    2. Select Key Pair authentication.
    3. Enter the service user name.
    4. Paste the private key (copy it from the file) and the passphrase if encrypted (optional).
    5. Enter the service user role.
 Screenshot of the new connection screen in Sigma. The “Account” and “Warehouse” fields are filled with the Snowflake details, “Authentication” is set to “Key Pair”, “User” is “sigma_service_account”, both the Private Key and Private Key passphrase are filled in, and “Role” is the role created for this user.

https://docs.omni.co/docs/connections/database/snowflake

  1. In Omni, click Settings > Connections.
  2. Click Add connection and select Snowflake.
  3. Enter your Snowflake details like account, warehouse, database and other required fields.
  4. Under username, enter the service user name.
  5. Use the Authentication Type dropdown to select Key Pair
  6. If you are generating your Key Pair in Omni:
    1. In the Keypairs tab, click Generate key-pair.
    2. Click Copy next to the public key.
    3. Navigate back to your Snowflake account and run the following:
      alter user omni_user set RSA_PUBLIC_KEY='COPIED_PUBLIC_KEY';
    4. In the Keypair tab in Omni, click the toggle in the Active column to enable the keypair.
  7. If you are bringing your own Key Pair:
    1. In the Keypairs tab, click Add existing key.
    2. Paste the private key into the dialog (Omni will automatically add -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- if the key doesn't have them.)
    3. Click Add keypair. Omni will automatically generate the public key and redirect you back to the Keypairs tab.
    4. Click Copy next to the newly-generated public key.
    5. Navigate back to your Snowflake and run the following:
      alter user omni_user set RSA_PUBLIC_KEY='COPIED_PUBLIC_KEY';
    6. In the Keypair tab in Omni, click the toggle in the Active column to enable the keypair.

Domo supports both encrypted and unencrypted key pairs. We recommend using encryption.

  1. Navigate to the Data Warehouse.
  2. In the left panel, select Manage Cloud Connections.
  3. In the modal, select Snowflake.
  4. Hover over an existing integration and select Options > Edit account or create a new integration.
  5. In the integration modal under Connect with select Key pair. The modal offers the option to review the Snowflake documentation on key-pair authentication.
  6. Enter your Snowflake hostname: <account_name>.snowflakecomputing.com.
  7. Enter your service user name.
  8. Select Choose a File and upload your encrypted private key file.
  9. Enter your private key passphrase for the encrypted file.

RSA is Looker’s recommended authentication method, as it allows using PDTs, whereas OAuth does not. Encrypted key files are not supported by Looker.

  1. In the Admin section of Looker, select Connections, and then click Add Connection.
  2. In Database Settings - Host: Enter the Snowflake hostname. It will be: <account_name>.snowflakecomputing.com.
  3. In Database Settings - Authentication Method: Select Key Pair
  4. In the username field enter the service user name that will be used to connect to Snowflake.
  5. In the Key Pair File field upload your unencrypted key file.

RSA Key Pairs is just one of the options you have to authenticate your BI tool connection to Snowflake. Please check out our other blogs on PAT and OAuth to see other secure alternatives.

Need help setting up your Snowflake-to-BI connection fast before the deprecation deadline? Contact us. We are already helping our clients switch their connections.
