SNOWFLAKE_PRIVATE_KEY / --private-key (PEM string in env/flag) does not work: PEM must be deserialized to DER bytes before passing to connector

### Problem

The MCP server supports authentication/connection via:
- `--private-key` CLI flag
- `SNOWFLAKE_PRIVATE_KEY` environment variable

**Documentation and CLI args suggest you can pass the PEM text (i.e. the output of `cat mykey.p8`).**

However, tracing the usage in the code reveals that:
- The raw PEM string (i.e. `-----BEGIN PRIVATE KEY-----...`) is passed straight into the `private_key` parameter of `snowflake.connector.connect()`
- The Snowflake connector does NOT accept PEM strings here. It expects DER-encoded bytes (or an in-memory key object)
- Result: any attempt to use `SNOWFLAKE_PRIVATE_KEY` or `--private-key` (PEM string) fails with:
  > Failed to load private key: Could not deserialize key data. Please provide a valid unencrypted rsa private key in DER format as bytes object

**This is a code bug:**
- There is currently NO code in MCP that deserializes the PEM content before passing to the connector
- So the `--private-key` and `SNOWFLAKE_PRIVATE_KEY` features are effectively nonfunctional

### Steps to reproduce
1. Place your PEM key in the env:
   ```bash
   export SNOWFLAKE_PRIVATE_KEY="$(cat mykey.p8)"
   ```
2. Run MCP with key pair auth using the above
3. Observe error

### Expected
- Setting `SNOWFLAKE_PRIVATE_KEY` to PEM content should "just work" as documented/expected
- Server should deserialize the PEM to DER bytes before passing to connector
- (Bonus) Deserializing to in-memory key object would also enable auto-re-auth (fix token expiry)

### Actual
- Server passes raw PEM text to `connect()` → connector fails with `Could not deserialize key data` error
- Only `--private-key-file`/`SNOWFLAKE_PRIVATE_KEY_FILE` works, but does not support seamless session re-authentication

### Impact
- Key pair authentication via env-only and Docker secrets is essentially broken
- Documentation and flags are misleading and do not work as advertised
- Related: auto-re-authentication for token expiry (#176) is impossible, since only DER bytes/in-memory key would enable it

### References
- [Snowflake Python Connector: private_key format docs](https://docs.snowflake.com/en/user-guide/python-connector-example#using-key-pair-authentication)
- Related issue (token expiry bug): https://github.com/Snowflake-Labs/mcp/issues/176

---

**Please fix the code to support PEM private key in env / CLI, converting it to DER or key object as required by the connector.**



Provide feedback

Saved searches

Use saved searches to filter your results more quickly

SNOWFLAKE_PRIVATE_KEY / --private-key (PEM string in env/flag) does not work: PEM must be deserialized to DER bytes before passing to connector #177

Problem

Steps to reproduce

Expected

Actual

Impact

References

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

SNOWFLAKE_PRIVATE_KEY / --private-key (PEM string in env/flag) does not work: PEM must be deserialized to DER bytes before passing to connector #177

Description

Problem

Steps to reproduce

Expected

Actual

Impact

References

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions