Skip to content

Add optional RSA key authentication and token regeneration support for Snowflake#159

Merged
dewey merged 2 commits intojustwatchcom:masterfrom
brunobrn:feature/snowflake-rsa-support
Jun 16, 2025
Merged

Add optional RSA key authentication and token regeneration support for Snowflake#159
dewey merged 2 commits intojustwatchcom:masterfrom
brunobrn:feature/snowflake-rsa-support

Conversation

@brunobrn
Copy link
Contributor

@brunobrn brunobrn commented May 20, 2025

Summary

This PR introduces optional support for Snowflake JWT authentication using RSA private keys, in addition to the existing password-based approach. It also implements automatic token regeneration to support long-lived or spaced query executions.

These enhancements maintain backward compatibility with existing configurations and require no changes for current users using password authentication.

Key Changes

🔐 RSA Private Key Authentication (JWT)

  • Adds support for reading PEM-encoded RSA private keys via the private_key_file URL query parameter.
  • Builds a gosnowflake.Config with AuthTypeJwt using the RSA key.
  • Allows users to securely authenticate with Snowflake using best practices recommended by Snowflake.

Usage Example:

connections:
  - "snowflake://user@account?private_key_file=/key/mykey.pem&role=SYSADMIN"

🔁 Automatic JWT Token Regeneration

  • Tracks token expiration time and automatically regenerates the connection/token before each job run if expired (default: every 1 hour).

  • Enables safe execution of scheduled jobs with long intervals (e.g., 1h, 6h+) without risk of token expiry.

Why This Matters

  • Security: RSA keys provide stronger, more secure authentication than passwords.

  • Reliability: Spaced jobs won't fail due to token expiry — ideal for Prometheus scraping Snowflake at longer intervals.

  • Flexibility: Auth method is automatically inferred based on the presence of private_key_file in the connection string.

Compatibility

✅ Fully backward compatible.
If private_key_file is not present, the connection will use the default password method as before.

Related Files Modified

  • job.go: Dual-mode auth logic (RSA vs. password), token tracking.

  • config.go: Adds optional snowflakeDSN and tokenExpirationTime to connection struct.

@brunobrn brunobrn mentioned this pull request May 20, 2025
Closed
@brunobrn
Copy link
Contributor Author

brunobrn commented Jun 12, 2025

Hello guys!
It's possible to check this PR to see if the idea just worth the effort?

In November, we will no longer be able to log in to snowflake using password anymore.

@dewey
Copy link
Member

dewey commented Jun 12, 2025

Hey, I'm assuming you already have this running in production and tested that? I don't have a way to test this myself at the moment.

dewey
dewey reviewed Jun 12, 2025
View reviewed changes
@brunobrn
Copy link
Contributor Author

brunobrn commented Jun 12, 2025

Hey, I'm assuming you already have this running in production and tested that? I don't have a way to test this myself at the moment.

Yes, we are already using this branch in our staging environment for two weeks with 19 snowflake accounts connected to it, zero problems and errors so far.

@dewey
Copy link
Member

dewey commented Jun 16, 2025

Thank you for this addition, I don't have a way to verify it myself but as you said you are using it and the code seems fine I'm going to merge it.

@dewey dewey merged commit 19a20bb into justwatchcom:master Jun 16, 2025
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dewey dewey dewey left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@brunobrn @dewey