Amazon Fast Suite now helps key pair authentication to Snowflake knowledge supply

Fashionable enterprises face important challenges connecting enterprise intelligence platforms to cloud knowledge warehouses whereas sustaining automation. Password-based authentication introduces safety vulnerabilities, operational friction, and compliance gaps—particularly important as Snowflake is deprecating username password.

Amazon Fast Sight (a functionality of Amazon Fast Suite) now helps key pair authentication for Snowflake integrations, utilizing uneven cryptography the place RSA key pairs change conventional passwords. This enhancement addresses a important want as Snowflake strikes towards deprecating password-based authentication, which requires safer authentication strategies. With this new functionality, Amazon Fast Suite customers can set up safe, passwordless connections to Snowflake knowledge sources utilizing RSA key pairs, offering a seamless and safe integration expertise that meets enterprise safety requirements.

On this weblog put up, we’ll information you thru establishing knowledge supply connectivity between Amazon Fast Sight and Snowflake via safe key pair authentication.

Stipulations

Earlier than configuring key pair authentication between Amazon Fast Suite and Snowflake, guarantee that you’ve the next:

An lively Amazon Fast Suite account with acceptable permissions – You want administrative entry to create and handle knowledge sources, configure authentication settings, and grant permissions to customers. Amazon Fast Suite Enterprise license or Creator position in Amazon Fast Suite Enterprise Sight Version usually present ample entry.
A Snowflake account with ACCOUNTADMIN, SECURITYADMIN, or USERADMIN position – These elevated permissions are important for modifying consumer accounts, assigning public keys utilizing ALTER USER instructions, and granting warehouse and database permissions. For those who don’t have entry to those roles, contact your Snowflake administrator for help.
OpenSSL put in (for key era) – This cryptographic toolkit generates RSA key pairs in PKCS#8 format. Most Linux and macOS programs embrace OpenSSL pre-installed. Home windows customers can use Home windows Subsystem Linux (WSL) or obtain OpenSSL individually.
(Non-obligatory) AWS Secrets and techniques Supervisor entry (for API-based setup) – Required for programmatic configurations, you’ll need IAM permissions to create and handle secrets and techniques, and Amazon Fast Sight API entry for automated deployments and infrastructure as code (IaC) implementations.

Answer walkthrough

We are going to information you thru the next important steps to determine safe key pair authentication between Amazon Fast Sight and Snowflake:

Generate RSA Key Pair – Create private and non-private keys utilizing OpenSSL with correct encryption requirements
Configure Snowflake Person – Assign the general public key to your Snowflake consumer account and confirm the setup
Set up Knowledge Supply Connectivity – Create your connection via both the Amazon Fast Suite UI for interactive setup or AWS Command Line Interface (AWS CLI) for programmatic deployment

Let’s discover every step intimately and safe your Amazon Fast Sight-Snowflake reference to key pair authentication!

Generate RSA key pair:

Navigate to AWS CloudShell in AWS Administration Console and execute the next command to generate the RSA non-public key. You’ll be prompted to enter an encryption passphrase. Select a powerful passphrase and retailer it securely—you’ll need this later when producing the general public key.

openssl genrsa 2048 | openssl pkcs8 -topk8 -inform PEM -out rsa_key.p8

Run the next instructions to create a public key pair. You’ll be prompted to enter the phrase that you just used within the earlier step.

openssl rsa -in rsa_key.p8 -pubout -out rsa_key.pub

Extract the non-public key content material (together with header and footer):

This shows your non-public key within the format:

-----BEGIN PRIVATE KEY-----[key content]-----END PRIVATE KEY-----

Be aware: Copy your entire output together with the -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- strains. You’ll use this entire non-public key (with headers and footers) when creating your Snowflake knowledge supply connection.

Snowflake requires the general public key in a particular format with out headers or line breaks. Run these instructions to extract and format the important thing correctly.

grep -v KEY rsa_key.pub | tr -d 'n' | awk '{print $1}' > pub.Key
cat pub.Key

This may show your formatted public key string. Copy this output—you’ll use it within the subsequent step to configure your Snowflake consumer account.

Assign public key to Snowflake consumer:

ALTER USER  SET RSA_PUBLIC_KEY='';

Confirm the important thing project: Search for the RSA_PUBLIC_KEY property to substantiate if the general public secret is set.

Set up your Snowflake connection in Amazon Fast Suite UI:

Navigate to Amazon Fast Suite in AWS Administration Console and choose Datasets. Then choose the Knowledge sources tab and select Create knowledge supply.

Within the Create knowledge supply pane, enter “snowflake” in Search datasets, choose Snowflake, after which select Subsequent.

Within the New Snowflake knowledge supply pane, enter the information supply identify, then enter the connection kind as Public Community or a Personal VPC Connection. For those who want a VPC connection, see configure the VPC connection in Fast Suite.
Then, enter the database server hostname, database identify, and warehouse identify.
Choose Authentication Kind as KeyPair after which enter the username of the Snowflake consumer.
Within the Personal Key discipline, paste the whole output from cat rsa_key.p8 (together with the BEGIN and END headers). You probably have configured a passphrase throughout key era, present it within the optionally available Passphrase discipline.
After all of the fields are entered, choose the Validate connection button.

After the connection is validated, choose the Create knowledge supply button.
Then within the Knowledge sources record, discover the snowflake knowledge supply that you just created.
From the Motion menu, choose the Create dataset possibility.

Set up your Snowflake Connection utilizing the Amazon Fast Sight API:

Utilizing AWS CLI, create the Amazon Fast Suite knowledge supply connection to Snowflake by executing the next command:

aws quicksight create-data-source 
  --aws-account-id 123456789 
  --data-source-id awsclikeypairtest 
  --name "awsclikeypairtest" 
  --type SNOWFLAKE 
  --data-source-parameters '{
    "SnowflakeParameters": {
      "Host": "hostname.snowflakecomputing.com",
      "Database": "DB_NAME",
      "Warehouse": "WH_NAME",
      "AuthenticationType": "KEYPAIR"
    }
  }' 
  --credentials '{
    "KeyPairCredentials": {
      "KeyPairUsername": "SNOWFLAKE_USERNAME",
      "PrivateKey": "-----BEGIN ENCRYPTED PRIVATE KEY-----nPRIVATE_KEYn-----END ENCRYPTED PRIVATE KEY-----",
      "PrivateKeyPassphrase": "******"
    }
  }' 
    --permissions '[
    {
      "Principal": "arn:aws:quicksight:us-east-1: 123456789:user/default/Admin/username,
      "Actions": [
        "quicksight:DescribeDataSource",
        "quicksight:DescribeDataSourcePermissions",
        "quicksight:PassDataSource",
        "quicksight:UpdateDataSource",
        "quicksight:DeleteDataSource",
        "quicksight:UpdateDataSourcePermissions"
      ]
    }
  ]' 
  --region us-east-1

Use the next command to examine the standing of creation:

aws quicksight describe-data-source --region us-east-1 --aws-account-id 123456789 --data-source-id awsclikeypairtest

Initially, the standing returned from the describe-data-source command will probably be CREATION_IN_PROGRESS. The standing will change to CREATION_SUCCESSFUL if the brand new knowledge supply is prepared to be used.

Alternatively, when creating the information supply programmatically through CreateDataSource, you may retailer the username, key and passphrase in AWS Secrets and techniques Supervisor and reference them utilizing the Secret ARN.

After the information supply is efficiently created, you may navigate to the Fast Suite console. Within the Create a Dataset web page, you may view the newly created knowledge supply connection awsclikeypairtest beneath the information sources record. You’ll be able to then proceed to create the datasets.

Cleanup

To wash up your assets to keep away from incurring extra fees, observe these steps:

Delete the key created within the AWS Secrets and techniques Supervisor Console.
Delete the information supply connection created in Amazon Fast Suite.

Conclusion

Key pair authentication represents a transformative development in securing knowledge connectivity between Amazon Fast Suite and Snowflake. By eradicating password-based vulnerabilities and embracing cryptographic authentication, organizations can obtain superior safety posture whereas sustaining seamless automated workflows. This implementation addresses important enterprise necessities, akin to enhanced safety via uneven encryption, streamlined service account administration, and compliance with evolving authentication requirements as Snowflake transitions away from conventional password strategies.

Whether or not deploying via the intuitive Amazon Fast Suite UI or utilizing AWS CLI for Infrastructure as Code implementations, key pair authentication gives flexibility with out compromising safety. The combination with AWS Secrets and techniques Supervisor helps defend the non-public keys, whereas the simple setup course of permits speedy deployment throughout improvement, staging, and manufacturing environments.

As knowledge safety continues to evolve, adopting key pair authentication positions your group on the forefront of finest practices. Enterprise intelligence groups can now deal with extracting actionable insights from Snowflake knowledge quite than managing authentication complexities, in the end accelerating time-to-insight and bettering operational effectivity.

For additional studying, see Snowflake Key-Pair Authentication.