> ## Documentation Index
> Fetch the complete documentation index at: https://docs.stackone.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Connect Snowflake with Key Pair (Refreshable) – StackOne Hub

> Link a Snowflake account in the StackOne Hub using Key Pair (Refreshable). End-user guide to authorize the integration and start using Snowflake actions.

<Warning>ACCOUNTADMIN or equivalent privileges are required to assign a public key to a Snowflake user. The connector mints and rotates JWTs automatically every hour from the supplied private key.</Warning>

<section data-guide-section data-guide-scopes="">
  <h2>How key pair authentication works</h2>

  <p>Key pair authentication is asymmetric — you generate the RSA key pair yourself, register the public key on your Snowflake user, and provide the private key to StackOne. StackOne signs and rotates short-lived JWTs from the private key automatically, so you never generate or paste a token.</p>

  <ul>
    <li><strong>Private key</strong> (`rsa_key.p8`) — generated locally with OpenSSL. StackOne uses it server-side to sign JWTs and never logs or returns it. If you lose it, it cannot be recovered from Snowflake or the public key, so generate a new key pair and re-register the public key.</li>
    <li><strong>Public key</strong> (`rsa_key.pub`) — registered on your Snowflake user via `ALTER USER`. Snowflake uses it to verify the JWTs StackOne signs.</li>
  </ul>
</section>

<section data-guide-section data-guide-scopes="">
  <h2>Find Your Account Identifier</h2>

  <p>Your <strong>Account Identifier</strong> uniquely identifies your Snowflake account and routes API requests to it.</p>

  <Steps>
    <Step title="Open account details in Snowsight">
      <div data-guide-step data-guide-scopes="" data-guide-display-scopes-list="">
        <p>Sign in to your <a href="https://app.snowflake.com" target="_blank" rel="noopener noreferrer">Snowflake account</a> and click your <strong>user profile</strong> (showing your username and role) in the bottom-left corner of the sidebar.</p>

        <ul>
          <li>In the menu that opens, click your account entry (e.g., <strong>Account: AB12345</strong>) to expand the account submenu.</li>
          <li>Select <strong>View account details</strong>.</li>
          <li>Copy the <strong>Account Identifier</strong> shown in the dialog.</li>
          <li>Format: `orgname-accountname` (e.g., `myorg-account123`)</li>
          <li>Alternative — run `SELECT CURRENT_ORGANIZATION_NAME() || '-' || CURRENT_ACCOUNT_NAME();` in any worksheet</li>
        </ul>
      </div>
    </Step>
  </Steps>
</section>

<section data-guide-section data-guide-scopes="">
  <h2>Find your username</h2>

  <p>Your <strong>Username</strong> is the Snowflake user the public key will be assigned to. API requests run as this user.</p>

  <ul>
    <li>Run `SELECT CURRENT_USER();` in any worksheet to see the user you are signed in as</li>
    <li>Or navigate to <strong>Governance & security</strong> > <strong>Users & roles</strong> in Snowsight to pick a dedicated service user.</li>
    <li>Casing does not matter — the connector uppercases the username automatically.</li>
  </ul>
</section>

<section data-guide-section data-guide-scopes="">
  <h2>Generate an RSA key pair</h2>

  <p>Snowflake key-pair authentication uses a 2048-bit RSA key pair that you generate yourself with OpenSSL. Run these commands in your terminal.</p>

  <Steps>
    <Step title="Generate the private key">
      <div data-guide-step data-guide-scopes="" data-guide-display-scopes-list="">
        <p>Run the following command to generate an unencrypted private key in PKCS8 format.</p>

        ```bash theme={null}
        openssl genrsa 2048 | openssl pkcs8 -topk8 -inform PEM -out rsa_key.p8 -nocrypt
        ```

        <ul>
          <li>This creates `rsa_key.p8` — the value for the <strong>RSA Private Key (PKCS8 PEM)</strong> field. Paste its entire contents, including the BEGIN and END marker lines.</li>
          <li>Caution: keep `rsa_key.p8` secure — it is your private key and must never be shared.</li>
          <li>The connector mints and refreshes short-lived JWTs from this key automatically — you never generate or paste a token yourself.</li>
        </ul>
      </div>
    </Step>

    <Step title="Derive the public key">
      <div data-guide-step data-guide-scopes="" data-guide-display-scopes-list="">
        <p>Run the following command to extract the public key from the private key.</p>

        ```bash theme={null}
        openssl rsa -in rsa_key.p8 -pubout -out rsa_key.pub
        ```

        <ul>
          <li>This creates `rsa_key.pub`, which you will assign to your Snowflake user in the next section.</li>
        </ul>
      </div>
    </Step>
  </Steps>
</section>

<section data-guide-section data-guide-scopes="">
  <h2>Assign the public key to your Snowflake user</h2>

  <p>Snowflake verifies the JWTs minted from your private key against the public key registered on your user.</p>

  <Steps>
    <Step title="Copy the public key body">
      <div data-guide-step data-guide-scopes="" data-guide-display-scopes-list="">
        <p>Open `rsa_key.pub` and copy the content between (but not including) the `-----BEGIN PUBLIC KEY-----` and `-----END PUBLIC KEY-----` lines.</p>
      </div>
    </Step>

    <Step title="Assign the key to your user">
      <div data-guide-step data-guide-scopes="" data-guide-display-scopes-list="">
        <p>In a Snowflake worksheet, switch to a role with permission to alter the user, then run the ALTER USER statement, replacing `<username>` with your <strong>Username</strong> and `<public_key_body>` with the value you copied.</p>

        ```sql theme={null}
        USE ROLE ACCOUNTADMIN;
        ALTER USER <username> SET RSA_PUBLIC_KEY='<public_key_body>';
        ```

        <ul>
          <li>The key body is the long base64 block from `rsa_key.pub`, pasted as a single quoted string (line breaks within it are allowed).</li>
        </ul>
      </div>
    </Step>

    <Step title="Verify the key assignment">
      <div data-guide-step data-guide-scopes="" data-guide-display-scopes-list="">
        <p>Confirm the public key is registered on the user before connecting.</p>

        ```sql theme={null}
        DESC USER <username>;
        ```

        <ul>
          <li>Check that the `RSA_PUBLIC_KEY_FP` property now shows a `SHA256:...` fingerprint value.</li>
        </ul>
      </div>
    </Step>
  </Steps>
</section>

<div data-whitelabel-hide>
  <h2>Linking the Account from the Hub</h2>

  <Steps>
    <Step title="Navigate to the Hub">
      Use one of the three <a href="/guides/accounts-section#linking-accounts">Linking Account Methods</a> to access the Hub.
    </Step>

    <Step title="Fill out the fields">
      Fill out the following fields using details from your provider:

      <ul>
        <li><strong>Account Identifier</strong></li>
        <li><strong>Username</strong></li>
        <li><strong>RSA Private Key (PKCS8 PEM)</strong></li>
      </ul>
    </Step>

    <Step title="Connect">
      <ul>
        <li>Click <strong>Connect</strong></li>
        <li>If applicable, the provider will redirect you to a sign-in or authorization page. Complete the provider's authorization flow.</li>
        <li>Once authorization is successful, you will see a confirmation popup</li>
      </ul>
    </Step>
  </Steps>

  <p>If the account linking is successful, you will see the newly linked account in your <a href="/guides/accounts-section">Accounts</a> page.</p>
</div>
