brunobrn
Contributor

Summary

This PR introduces optional support for Snowflake JWT authentication using RSA private keys, in addition to the existing password-based approach. It also implements automatic token regeneration to support long-lived or spaced query executions.

These enhancements maintain backward compatibility with existing configurations and require no changes for current users using password authentication.


Key Changes

🔐 RSA Private Key Authentication (JWT)

  • Adds support for reading PEM-encoded RSA private keys via the private_key_file URL query parameter.
  • Builds a gosnowflake.Config with AuthTypeJwt using the RSA key.
  • Allows users to securely authenticate with Snowflake using best practices recommended by Snowflake.

Usage Example:

connections:
  - "snowflake://user@account?private_key_file=/key/mykey.pem&role=SYSADMIN"

🔁 Automatic JWT Token Regeneration

  • Tracks token expiration time and automatically regenerates the connection/token before each job run if expired (default: every 1 hour).

  • Enables safe execution of scheduled jobs with long intervals (e.g., 1h, 6h+) without risk of token expiry.

Why This Matters

  • Security: RSA keys provide stronger, more secure authentication than passwords.

  • Reliability: Spaced jobs won't fail due to token expiry — ideal for Prometheus scraping Snowflake at longer intervals.

  • Flexibility: Auth method is automatically inferred based on the presence of private_key_file in the connection string.

Compatibility

✅ Fully backward compatible.
If private_key_file is not present, the connection will use the default password method as before.

Related Files Modified

  • job.go: Dual-mode auth logic (RSA vs. password), token tracking.

  • config.go: Adds optional snowflakeDSN and tokenExpirationTime to connection struct.

@brunobrn
Contributor Author

Hello guys!
Is it possible to check this PR to see if the idea is worth the effort?

In November, we will no longer be able to log in to Snowflake using a password.

@dewey
Member

dewey commented Jun 12, 2025

Hey, I'm assuming you already have this running in production and tested that? I don't have a way to test this myself at the moment.

@brunobrn
Contributor Author

> Hey, I'm assuming you already have this running in production and tested that? I don't have a way to test this myself at the moment.

Yes, we have been using this branch in our staging environment for two weeks with 19 Snowflake accounts connected to it, with zero problems and errors so far.

@dewey
Member

dewey commented Jun 16, 2025

Thank you for this addition. I don't have a way to verify it myself, but as you said you are using it and the code seems fine, I'm going to merge it.

@dewey dewey merged commit 19a20bb into justwatchcom:master Jun 16, 2025
1 check passed