Snowflake

Deprecation of password authentication

Snowflake has issued a deprecation notice for single-factor password authentication. Rill supports and recommends using private key authentication to avoid any disruption of your service.

Overview

Snowflake is a cloud-based data platform designed to facilitate data warehousing, data lakes, data engineering, data science, data application development, and data sharing. It separates compute and storage, enabling users to scale up or down instantly without downtime, providing a cost-effective solution for data management. With its unique architecture and support for multi-cloud environments, including AWS, Azure, and Google Cloud Platform, Snowflake offers seamless data integration, secure data sharing across organizations, and real-time access to data insights, making it a common choice to power many business intelligence applications and use cases. Rill supports natively connecting to and reading from Snowflake as a source using the Go Snowflake Driver.

Local credentials

When using Rill Developer on your local machine (i.e., rill start), Rill will use the credentials passed via the Snowflake connection string in one of several ways:

As defined in the Connector YAML configuration directly via the dsn property or distinct parameters
As defined in the optional Snowflake Connection String field within the UI source creation workflow (this is equivalent to setting the dsn property in the underlying source YAML file)

Beware of committing credentials to Git

Outside of local development, it is generally not recommended to specify or save the credentials directly in the dsn of your source YAML file, as this information can potentially be committed to Git!

Rill uses the following syntax when defining a connection string using a private key:

<username>@<account_identifier>/<database>/<schema>?warehouse=<warehouse>&role=<role>&authenticator=SNOWFLAKE_JWT&privateKey=<privateKey_url_safe>

See the full documentation to set up private key authentication.

Finding the Snowflake account identifier

To determine your Snowflake account identifier, one easy way is to check your Snowflake account URL. The account identifier to use in your connection string should be everything before .snowflakecomputing.com!

Separating Dev and Prod Environments

When ingesting data locally, consider setting parameters in your connector file to limit how much data is retrieved, since costs can scale with the data source. This also helps other developers clone the project and iterate quickly by reducing ingestion time.

For more details, see our Dev/Prod setup docs.

Cloud deployment

When deploying a project to Rill Cloud (i.e., rill deploy), Rill requires credentials to be passed via the Snowflake connection string as a source configuration dsn field or by passing/updating the credentials used by Rill Cloud directly by running:

rill env configure

Did you know?

If you've already configured credentials locally (in your <RILL_PROJECT_DIRECTORY>/.env file), you can use rill env push to push these credentials to your Rill Cloud project. This will allow other users to retrieve and reuse the same credentials automatically by running rill env pull.

Appendix

Using keypair authentication

Rill supports using keypair authentication for enhanced security when connecting to Snowflake,as an alternative to password-based authentication, which Snowflake has deprecated. Per the Snowflake Go Driver specifications, this requires the following changes to the dsn:

Remove the password
Add authenticator=SNOWFLAKE_JWT
Add privateKey=<privateKey_url_safe>

<username>@<account_identifier>/<database>/<schema>?warehouse=<warehouse>&role=<role>&authenticator=SNOWFLAKE_JWT&privateKey=<privateKey_url_safe>

Generate a private key

Please refer to the Snowflake documentation on how to configure an unencrypted private key to use in Rill.

The Snowflake Go Driver only supports unencrypted PKCS#8 keys. Make sure to include the -nocrypt flag, as encrypted keys are not supported. You can generate one using:

# Generate a 2048-bit unencrypted PKCS#8 private key
openssl genrsa 2048 | openssl pkcs8 -topk8 -inform PEM -out rsa_key.p8 -nocrypt

Convert the private key to a URL-safe format for the DSN

After generating the private key, you need to convert it into a URL-safe Base64 format for use in the Snowflake DSN. Run the following command:

# Convert URL safe format for DSN
cat rsa_key.p8 | grep -v "\----" | tr -d '\n' | tr '+/' '-_'

Note: When copying the output, do not include the trailing % character that may appear in your terminal.

Check your OS version

Depending on your OS version, above commands may differ slightly. Please check your OS reference manual for the correct syntax.

Best Practices

If using keypair authentication, consider rotating your public key regularly to ensure compliance with security and governance best practices.

Overview​

Local credentials​

Separating Dev and Prod Environments​

Cloud deployment​

Appendix​

Using keypair authentication​

Generate a private key​

Convert the private key to a URL-safe format for the DSN​