Amazon Quick Suite now supports key pair authentication to Snowflake data source

Modern enterprises face significant challenges connecting business intelligence platforms to cloud data warehouses while maintaining automation. Password-based authentication introduces security vulnerabilities, operational friction, and compliance gaps—especially critical as Snowflake is deprecating username password.

Amazon Quick Sight (a capability of Amazon Quick Suite) now supports key pair authentication for Snowflake integrations, using asymmetric cryptography where RSA key pairs replace traditional passwords. This enhancement addresses a critical need as Snowflake moves toward deprecating password-based authentication, which requires more secure authentication methods. With this new capability, Amazon Quick Suite users can establish secure, passwordless connections to Snowflake data sources using RSA key pairs, providing a seamless and secure integration experience that meets enterprise security standards.

In this blog post, we will guide you through establishing data source connectivity between Amazon Quick Sight and Snowflake through secure key pair authentication.

Prerequisites

Before configuring key pair authentication between Amazon Quick Suite and Snowflake, ensure that you have the following:

• An active Amazon Quick Suite account with appropriate permissions – You need administrative access to create and manage data sources, configure authentication settings, and grant permissions to users. Amazon Quick Suite Enterprise license or Author role in Amazon Quick Suite Enterprise Sight Edition typically provide sufficient access.
• A Snowflake account with ACCOUNTADMIN, SECURITYADMIN, or USERADMIN role – These elevated permissions are essential for modifying user accounts, assigning public keys using ALTER USER commands, and granting warehouse and database permissions. If you don’t have access to these roles, contact your Snowflake administrator for assistance.
• OpenSSL installed (for key generation) – This cryptographic toolkit generates RSA key pairs in PKCS#8 format. Most Linux and macOS systems include OpenSSL pre-installed. Windows users can use Windows Subsystem Linux (WSL) or download OpenSSL separately.
• (Optional) AWS Secrets Manager access (for API-based setup) – Required for programmatic configurations, you will need IAM permissions to create and manage secrets, and Amazon Quick Sight API access for automated deployments and infrastructure as code (IaC) implementations.

Solution walkthrough

We will guide you through the following essential steps to establish secure key pair authentication between Amazon Quick Sight and Snowflake:

1. Generate RSA Key Pair – Create public and private keys using OpenSSL with proper encryption standards
2. Configure Snowflake User – Assign the public key to your Snowflake user account and verify the setup
3. Establish Data Source Connectivity – Create your connection through either the Amazon Quick Suite UI for interactive setup or AWS Command Line Interface (AWS CLI) for programmatic deployment

Let’s explore each step in detail and secure your Amazon Quick Sight-Snowflake connection with key pair authentication!

Generate RSA key pair:

1. Navigate to AWS CloudShell in AWS Management Console and execute the following command to generate the RSA private key. You will be prompted to enter an encryption passphrase. Choose a strong passphrase and store it securely—you will need this later when generating the public key.

openssl genrsa 2048 | openssl pkcs8 -topk8 -inform PEM -out rsa_key.p8

2. Run the following commands to create a public key pair. You will be prompted to enter the phrase that you used in the previous step.

openssl rsa -in rsa_key.p8 -pubout -out rsa_key.pub

3. Extract the private key content (including header and footer):

cat rsa_key.p8

This displays your private key in the format:

-----BEGIN PRIVATE KEY-----[key content]-----END PRIVATE KEY-----

Note: Copy the entire output including the -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- lines. You will use this complete private key (with headers and footers) when creating your Snowflake data source connection.

4. Snowflake requires the public key in a specific format without headers or line breaks. Run these commands to extract and format the key properly.

grep -v KEY rsa_key.pub | tr -d 'n' | awk '{print $1}' > pub.Key
cat pub.Key

This will display your formatted public key string. Copy this output—you will use it in the next step to configure your Snowflake user account.

Assign public key to Snowflake user:

1. Log in to Snowflake and execute the following SQL commands to assign the public key to your user:

ALTER USER <username> SET RSA_PUBLIC_KEY='<public_key_content>';

2. Verify the key assignment: Look for the RSA_PUBLIC_KEY property to confirm if the public key is set.

DESCRIBE USER <username>;

Establish your Snowflake connection in Amazon Quick Suite UI:

3. Navigate to Amazon Quick Suite in AWS Management Console and select Datasets. Then select the Data sources tab and choose Create data source.

4. In the Create data source pane, enter “snowflake” in Search datasets, select Snowflake, and then choose Next.

5. In the New Snowflake data source pane, enter the data source name, then enter the connection type as Public Network or a Private VPC Connection. If you need a VPC connection, see configure the VPC connection in Quick Suite.
6. Then, enter the database server hostname, database name, and warehouse name.
7. Select Authentication Type as KeyPair and then enter the username of the Snowflake user.
8. In the Private Key field, paste the complete output from cat rsa_key.p8 (including the BEGIN and END headers). If you have configured a passphrase during key generation, provide it in the optional Passphrase field.
9. After all the fields are entered, select the Validate connection button.

10. After the connection is validated, select the Create data source button.
11. Then in the Data sources list, find the snowflake data source that you created.
12. From the Action menu, select the Create dataset option.

Establish your Snowflake Connection using the Amazon Quick Sight API:

Using AWS CLI, create the Amazon Quick Suite data source connection to Snowflake by executing the following command:

aws quicksight create-data-source 
  --aws-account-id 123456789 
  --data-source-id awsclikeypairtest 
  --name "awsclikeypairtest" 
  --type SNOWFLAKE 
  --data-source-parameters '{
    "SnowflakeParameters": {
      "Host": "hostname.snowflakecomputing.com",
      "Database": "DB_NAME",
      "Warehouse": "WH_NAME",
      "AuthenticationType": "KEYPAIR"
    }
  }' 
  --credentials '{
    "KeyPairCredentials": {
      "KeyPairUsername": "SNOWFLAKE_USERNAME",
      "PrivateKey": "-----BEGIN ENCRYPTED PRIVATE KEY-----nPRIVATE_KEYn-----END ENCRYPTED PRIVATE KEY-----",
      "PrivateKeyPassphrase": "******"
    }
  }' 
    --permissions '[
    {
      "Principal": "arn:aws:quicksight:us-east-1: 123456789:user/default/Admin/username,
      "Actions": [
        "quicksight:DescribeDataSource",
        "quicksight:DescribeDataSourcePermissions",
        "quicksight:PassDataSource",
        "quicksight:UpdateDataSource",
        "quicksight:DeleteDataSource",
        "quicksight:UpdateDataSourcePermissions"
      ]
    }
  ]' 
  --region us-east-1

Use the following command to check the status of creation:

aws quicksight describe-data-source --region us-east-1 --aws-account-id 123456789 --data-source-id awsclikeypairtest

Initially, the status returned from the describe-data-source command will be CREATION_IN_PROGRESS. The status will change to CREATION_SUCCESSFUL if the new data source is ready for use.

Alternatively, when creating the data source programmatically via CreateDataSource, you can store the username, key and passphrase in AWS Secrets Manager and reference them using the Secret ARN.

After the data source is successfully created, you can navigate to the Quick Suite console. In the Create a Dataset page, you can view the newly created data source connection awsclikeypairtest under the data sources list. You can then continue to create the datasets.

Cleanup

To clean up your resources to avoid incurring additional charges, follow these steps:

1. Delete the secret created in the AWS Secrets Manager Console.
2. Delete the data source connection created in Amazon Quick Suite.

Conclusion

Key pair authentication represents a transformative advancement in securing data connectivity between Amazon Quick Suite and Snowflake. By removing password-based vulnerabilities and embracing cryptographic authentication, organizations can achieve superior security posture while maintaining seamless automated workflows. This implementation addresses critical enterprise requirements, such as enhanced security through asymmetric encryption, streamlined service account management, and compliance with evolving authentication standards as Snowflake transitions away from traditional password methods.

Whether deploying through the intuitive Amazon Quick Suite UI or using AWS CLI for Infrastructure as Code implementations, key pair authentication provides flexibility without compromising security. The integration with AWS Secrets Manager helps protect the private keys, while the straightforward setup process enables rapid deployment across development, staging, and production environments.

As data security continues to evolve, adopting key pair authentication positions your organization at the forefront of best practices. Business intelligence teams can now focus on extracting actionable insights from Snowflake data rather than managing authentication complexities, ultimately accelerating time-to-insight and improving operational efficiency.

For further reading, see Snowflake Key-Pair Authentication.

About the authors