fix(snowflake): dump findings after starting managing accounts in pulumi

2026-02-09 05:44:23 +00:00 · 2025-07-31 18:13:17 +02:00
parent 2fcfcdb9f6
commit 36987e7155
4 changed files with 61 additions and 14 deletions
--- a/base/jargon.md
+++ b/base/jargon.md
@@ -96,8 +96,11 @@
 | OIDC    | OpenID Connect                                         |                                                                                                     |
 | OKR     | Objectives and Key Results                             | Framework helping teams set and track measurable goals                                              |
 | OOM     | Out Of Memory                                          |                                                                                                     |
+| PAT     | Personal Access Token                                  |                                                                                                     |
+| PAT     | Programmatic Access Token                              | Used in [Snowflake]                                                                                 |
 | PDF     | Portable Document Format                               |                                                                                                     |
 | PEBCAK  | Problem Exists Between Chair And Keyboard              |                                                                                                     |
+| PEM     | Privacy Enhanced Mail                                  |                                                                                                     |
 | PGP     | Pretty Good Privacy                                    |                                                                                                     |
 | PII     | Personally Identifiable Information                    |                                                                                                     |
 | PR      | Pull Request                                           | Prevalently used in GitHub                                                                          |
@@ -175,6 +178,7 @@
 [kubernetes]: kubernetes/README.md
 [lora]: lora.md
 [siem]: siem.md
+[snowflake]: snowflake/README.md
 [ssh]: ssh.md
 [sssd]: sssd.md
 [terraform enterprise]: terraform%20enterprise.md
--- a/base/snowflake/README.md
+++ b/base/snowflake/README.md
@@ -377,17 +377,37 @@ Auto-suspend and resume are both enabled by default.

 ## Access with private keys

-Refer [Snowflake terraform provider authentication].
+Refer [Key-pair authentication and key-pair rotation] and [Snowflake terraform provider authentication].
+
+> [!important]
+> Snowflake only accepts keys in the Privacy Enhanced Mail (PEM) format.
+
+Snowflake supports multiple active keys to allow for uninterrupted rotation.<br/>
+Use the `RSA_PUBLIC_KEY` and `RSA_PUBLIC_KEY_2` parameters in `ALTER USER` to associate up to 2 public keys to one user.
+
+> [!tip]
+> Prefer using private keys in the PEM PKCS#8 format, as that is the one Snowflake accepts during authentication.<br/>
+> Some tools (e.g., the [Snowflake CLI]) can use private keys in other formats.

 Procedure:

 1. Generate a keypair.

   ```sh
-   openssl genrsa -out "$HOME/.ssh/snowflake_key" 4096
-   openssl rsa -in "$HOME/.ssh/snowflake_key" -pubout -out "$HOME/.ssh/snowflake_key.pub"
-   openssl pkcs8 -topk8 -inform 'pem' -in "$HOME/.ssh/snowflake_key" \
-     -outform 'PEM' -v2 aes-256-cbc -out "$HOME/.ssh/snowflake_key.p8"
+   openssl genrsa -out "$HOME/.ssh/snowflake.pem" '4096'
+   openssl rsa -inform 'PEM' -in "$HOME/.ssh/snowflake.pem" -pubout -outform 'PEM' -out "$HOME/.ssh/snowflake.pub"
+   ```
+
+1. Make sure the private key uses the PKCS#8 format.
+
+   ```sh
+   # unencrypted
+   openssl pkcs8 -inform 'PEM' -in "$HOME/.ssh/snowflake.pem" -outform 'PEM' -out "$HOME/.ssh/snowflake.p8" \
+     -topk8 -nocrypt
+
+   # encrypted (will require a password)
+   openssl pkcs8 -inform 'PEM' -in "$HOME/.ssh/snowflake.pem" -outform 'PEM' -out "$HOME/.ssh/snowflake.p8" \
+     -topk8 -v2 'aes-256-cbc'
   ```

 1. Assign the key to your user in Snowflake.
@@ -399,9 +419,11 @@ Procedure:
 1. Configure tools to use the key.

   ```sh
-   export SNOWFLAKE_PRIVATE_KEY="$(cat ~/.ssh/snowflake_key.p8)"
-   export SNOWFLAKE_PRIVATE_KEY_PATH="$HOME/.ssh/snowflake_key" SNOWFLAKE_PRIVATE_KEY_PASSPHRASE='somePassword'
-   snow connection add -n 'jwt' --authenticator 'SNOWFLAKE_JWT' --private-key-file "$HOME/.ssh/snowflake_key"
+   export SNOWFLAKE_PRIVATE_KEY="$(cat ~/.ssh/snowflake.p8)"
+   export SNOWFLAKE_PRIVATE_KEY_PATH="$HOME/.ssh/snowflake.pem" SNOWFLAKE_PRIVATE_KEY_PASSPHRASE='somePassword'
+   snow connection add -n 'jwt' --authenticator 'SNOWFLAKE_JWT' --private-key-file "$HOME/.ssh/snowflake.p8"
+   snow connection test -x --account 'xy12345' --username 'MY_SERVICE_USER' \
+     --authenticator 'SNOWFLAKE_JWT' --private-key-file "$HOME/.ssh/snowflake.p8"
   ```

 ## Access with programmatic access tokens
@@ -448,6 +470,10 @@ Rotating a PAT generates a new secret (and a new expiration) for it, and invalid

 Deletion is **permanent**, and allows for **no** recovery/restoration.

+> [!important]
+> One **cannot** modify, rename, rotate, or revoke programmatic access tokens in a session where one used a programmatic
+> access token for authentication.
+
 Requirements:

 - Tokens must belong to Snowflake users with `TYPE=PERSON` or `TYPE=SERVICE`.
@@ -686,11 +712,12 @@ Refer [RoleOut].
 [Authentication policies]: https://docs.snowflake.com/en/user-guide/authentication-policies
 [Controlling network traffic with network policies]: https://docs.snowflake.com/en/user-guide/network-policies
 [Documentation]: https://docs.snowflake.com/en/
+[Key-pair authentication and key-pair rotation]: https://docs.snowflake.com/en/user-guide/key-pair-auth
 [Network rules]: https://docs.snowflake.com/en/user-guide/network-rules
 [Overview of Access Control]: https://docs.snowflake.com/en/user-guide/security-access-control-overview
+[Planning for the deprecation of single-factor password sign-ins]: https://docs.snowflake.com/en/user-guide/security-mfa-rollout
 [Using programmatic access tokens for authentication]: https://docs.snowflake.com/en/user-guide/programmatic-access-tokens
 [Website]: https://www.snowflake.com/en/
-[Planning for the deprecation of single-factor password sign-ins]: https://docs.snowflake.com/en/user-guide/security-mfa-rollout

 <!-- Others -->
 [Programmatic Access Token (PAT) in Snowflake]: https://medium.com/%40mohitaverma0712/programmatic-access-token-pat-in-snowflake-how-to-use-754c28db8952
--- a/snippets/openssl.sh
+++ b/snippets/openssl.sh
@@ -12,16 +12,18 @@ openssl rand -base64 '18' > 'key.bin'


 ##
-# Private keys
+# Key pairs
 # --------------------------------------
 ##

-# Generate RSA keys
+# Generate (unencrypted) RSA keys
 openssl genrsa -out 'rsa4096.key' '4096'
 openssl genrsa -out 'rsa8192.key' '8192'
+openssl genrsa '2048' | openssl pkcs8 -topk8 -inform 'PEM' -out 'rsa2048.p8' -nocrypt

-# Generate RSA keys encrypted with passphrases based on AES CBC 256
+# Generate encrypted RSA keys
 openssl genrsa -aes256 -out 'rsa4096.withPassphrase.key' '4096'
+openssl genrsa '2048' | openssl pkcs8 -topk8 -v2 'des3' -inform 'PEM' -out 'rsa2048.withPassphrase.p8'

 # Generate ECDSA keys
 # Supported curves: prime256v1, secp384r1, secp521r1, others
@@ -32,6 +34,7 @@ openssl ecparam -list_curves

 # Print out key information
 openssl rsa -in 'rsa.key' -pubout                        # public key
+openssl rsa -in 'rsa_key.p8' -pubout -out 'rsa_key.pub'  # public key
 openssl rsa -in 'rsa.key' -noout -modulus                # modulus

 # Print out key information
@@ -41,6 +44,7 @@ openssl ec -in 'ec.key' -text -noout

 # Check keys and verify their consistency.
 openssl rsa -check -in 'private.key'
+openssl ec -check -in 'private.key'

 # Remove passphrases from keys
 openssl rsa -in 'withPassphrase.key' -out 'plain.key'
@@ -51,6 +55,17 @@ openssl rsa -des3 -in 'plain.key' -out 'withPassphrase.key'
 # Generate Diffie-Hellman params with given lengths (in bits)
 openssl dhparam -out 'dhparams.pem' '2048'

+# Convert private keys to other formats
+openssl pkcs8 -in 'key.pem' -topk8 -out 'encrypted.key.pem'  # traditional to PKCS#8 with default parameters (AES-256 and hmacWithSHA256)
+openssl pkcs8 -in 'key.pem' -topk8 -nocrypt -out 'unencrypted.key.pem'  # traditional to PKCS#8 unencrypted
+openssl pkcs8 -in 'key.pem' -topk8 -v2 'des3' -out 'encrypted.key.pem'  # traditional to PKCS#5 v2.0 with triple DES encryption
+openssl pkcs8 -in 'key.pem' -topk8 -v2 'aes-256-cbc' -v2prf 'hmacWithSHA512' -out 'encrypted.key.pem'  # traditional to PKCS#5 v2.0 with AES-256 and hmacWithSHA256
+openssl pkcs8 -in 'key.pem' -topk8 -v1 'PBE-MD5-DES' -out 'encrypted.key.pem'  # PKCS#5 v1.5 to PKCS#8
+openssl pkcs8 -in 'key.pem' -topk8 -out 'encrypted.key.pem' -v1 'PBE-SHA1-3DES'  # PKCS#12 to PKCS#8
+openssl pkcs8 -inform 'DER' -nocrypt -in 'key.der' -out 'unencrypted.key.pem'  # DER unencrypted to PKCS#8 unencrypted
+openssl pkcs8 -in 'pk8.pem' -traditional -out 'encrypted.key.pem'  # PKCS#8 encrypted to traditional
+openssl pkcs8 -in 'key.pem' -topk8 -v2 'aes-256-cbc' -iter '1000000' -out 'pk8.pem'  # traditional to PKCS#8 with AES-256 and 1M iterations of the password
+

 ##
 # Certificate Signing Requests (CSR)
--- a/snippets/pulumi/commands.fish
+++ b/snippets/pulumi/commands.fish
@@ -39,6 +39,7 @@ pulumi config set --secret 'boincGuiRpcPasswd' 'something-something-darkside'
 pulumi config set --path 'outer.inner' 'value'
 pulumi config set --path 'list[1]' 'value'
 gpg --export 'smth@example.org' | pulumi config set 'smthTeam:pgpKey-public-raw' --type 'string'
+cat "$HOME/.ssh/snowflake.key" | pulumi config set 'snowflake:privateKey' --secret

 # Gitlab provider
 # 'baseUrl' requires the ending slash