Skip to main content
ACCOUNTADMIN or equivalent privileges are required to assign a public key to a Snowflake user. The connector mints and rotates JWTs automatically every hour from the supplied private key.

How key pair authentication works

Key pair authentication is asymmetric — you generate the RSA key pair yourself, register the public key on your Snowflake user, and provide the private key to StackOne. StackOne signs and rotates short-lived JWTs from the private key automatically, so you never generate or paste a token.

  • Private key (rsa_key.p8) — generated locally with OpenSSL. StackOne uses it server-side to sign JWTs and never logs or returns it. If you lose it, it cannot be recovered from Snowflake or the public key, so generate a new key pair and re-register the public key.
  • Public key (rsa_key.pub) — registered on your Snowflake user via ALTER USER. Snowflake uses it to verify the JWTs StackOne signs.

Find Your Account Identifier

Your Account Identifier uniquely identifies your Snowflake account and routes API requests to it.

1

Open account details in Snowsight

Sign in to your Snowflake account and click your user profile (showing your username and role) in the bottom-left corner of the sidebar.

  • In the menu that opens, click your account entry (e.g., Account: AB12345) to expand the account submenu.
  • Select View account details.
  • Copy the Account Identifier shown in the dialog.
  • Format: orgname-accountname (e.g., myorg-account123)
  • Alternative — run SELECT CURRENT_ORGANIZATION_NAME() || '-' || CURRENT_ACCOUNT_NAME(); in any worksheet

Find your username

Your Username is the Snowflake user the public key will be assigned to. API requests run as this user.

  • Run SELECT CURRENT_USER(); in any worksheet to see the user you are signed in as
  • Or navigate to Governance & security > Users & roles in Snowsight to pick a dedicated service user.
  • Casing does not matter — the connector uppercases the username automatically.

Generate an RSA key pair

Snowflake key-pair authentication uses a 2048-bit RSA key pair that you generate yourself with OpenSSL. Run these commands in your terminal.

1

Generate the private key

Run the following command to generate an unencrypted private key in PKCS8 format.

openssl genrsa 2048 | openssl pkcs8 -topk8 -inform PEM -out rsa_key.p8 -nocrypt
  • This creates rsa_key.p8 — the value for the RSA Private Key (PKCS8 PEM) field. Paste its entire contents, including the BEGIN and END marker lines.
  • Caution: keep rsa_key.p8 secure — it is your private key and must never be shared.
  • The connector mints and refreshes short-lived JWTs from this key automatically — you never generate or paste a token yourself.
2

Derive the public key

Run the following command to extract the public key from the private key.

openssl rsa -in rsa_key.p8 -pubout -out rsa_key.pub
  • This creates rsa_key.pub, which you will assign to your Snowflake user in the next section.

Assign the public key to your Snowflake user

Snowflake verifies the JWTs minted from your private key against the public key registered on your user.

1

Copy the public key body

Open rsa_key.pub and copy the content between (but not including) the -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY----- lines.

2

Assign the key to your user

In a Snowflake worksheet, switch to a role with permission to alter the user, then run the ALTER USER statement, replacing <username> with your Username and <public_key_body> with the value you copied.

USE ROLE ACCOUNTADMIN;
ALTER USER <username> SET RSA_PUBLIC_KEY='<public_key_body>';
  • The key body is the long base64 block from rsa_key.pub, pasted as a single quoted string (line breaks within it are allowed).
3

Verify the key assignment

Confirm the public key is registered on the user before connecting.

DESC USER <username>;
  • Check that the RSA_PUBLIC_KEY_FP property now shows a SHA256:... fingerprint value.

Linking the Account from the Hub

1

Navigate to the Hub

Use one of the three Linking Account Methods to access the Hub.
2

Fill out the fields

Fill out the following fields using details from your provider:
  • Account Identifier
  • Username
  • RSA Private Key (PKCS8 PEM)
3

Connect

  • Click Connect
  • If applicable, the provider will redirect you to a sign-in or authorization page. Complete the provider’s authorization flow.
  • Once authorization is successful, you will see a confirmation popup

If the account linking is successful, you will see the newly linked account in your Accounts page.