Grant Yuki Proxy Access to Snowflake Key Pairs Stored in Your AWS

Scope: Customer-only actions. This guide shows how to let the Yuki proxy (in Yuki’s AWS) read Snowflake key material you store in your AWS account without adding any KMS configuration. Access is granted only through a cross-account IAM AssumeRole with least privilege.

Placeholders: Use 000000000000 for Yuki’s AWS account ID (Yuki Support will provide the real value). Use your own values for ARNs, bucket names, and object keys.


Overview

  • You keep the Snowflake private key material in your AWS Secrets Manager.

  • You create an IAM role in your account that Yuki assumes.

  • That role gets read-only permission to only the specific secret that holds the key.

  • You share the Role ARN and the secret ARN with Yuki Support.

  • Yuki assumes the role and reads the key when establishing Snowflake sessions for systems such as BI tools or dbt.


Prerequisites

  • You know where the key is stored:

    • Secrets Manager: A single secret that contains the Snowflake private key (e.g., /yuki/snowflake/prod/dbt/dbt_user/private_key_pkcs8).

  • Permissions in your AWS account to create IAM roles and attach inline policies.

  • An ExternalId string from Yuki Support (used in the trust policy).

  • Each secret must include the private key and the passphrase as a JSON object:

{
  "UserPrivateKey": "-----BEGIN .... KEY-----",
  "PrivateKeyPassphrase": "xxx"
}

You can choose your own attribute names in place of "UserPrivateKey" and "PrivateKeyPassphrase".
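A check for the secret payload described above, added here as an example (it is not Yuki's code): it parses the JSON, confirms both attributes are present under the names you chose, and verifies that the key is an encrypted PKCS#8 PEM block, so a malformed secret is caught in your account before the proxy ever tries to use it. The sample payload is constructed with placeholder base64, not a real key.

```python
"""Validate a Secrets Manager payload before storing it for the Yuki proxy.

Added example, not Yuki's code. Attribute names default to the ones in the
guide ("UserPrivateKey", "PrivateKeyPassphrase") and can be overridden.
"""
import json
import re

# PKCS#8 PEM envelopes: an encrypted key uses "ENCRYPTED PRIVATE KEY",
# an unencrypted one uses "PRIVATE KEY". The body is base64 text.
PEM_RE = re.compile(
    r"-----BEGIN (ENCRYPTED PRIVATE KEY|PRIVATE KEY)-----\s+"
    r"[A-Za-z0-9+/=\s]+?"
    r"-----END \1-----"
)

# Constructed sample payload (placeholder base64 body, not a real key).
SAMPLE_SECRET = json.dumps({
    "UserPrivateKey": (
        "-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
        "MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQI\n"
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=\n"
        "-----END ENCRYPTED PRIVATE KEY-----\n"
    ),
    "PrivateKeyPassphrase": "example-passphrase",
})


def validate_secret_payload(secret_string, key_attr="UserPrivateKey",
                            passphrase_attr="PrivateKeyPassphrase"):
    """Return a list of problems; an empty list means the payload is usable."""
    problems = []
    try:
        doc = json.loads(secret_string)
    except json.JSONDecodeError as exc:
        return [f"secret is not valid JSON: {exc.msg}"]
    if not isinstance(doc, dict):
        return ["secret must be a JSON object with named attributes"]

    # The private key: must be a PEM-encoded PKCS#8 block.
    pem = doc.get(key_attr)
    pem_kind = None
    if not isinstance(pem, str) or not pem.strip():
        problems.append(f'missing or empty "{key_attr}"')
    else:
        match = PEM_RE.fullmatch(pem.strip())
        pem_kind = match.group(1) if match else None
        if pem_kind is None:
            problems.append(f'"{key_attr}" is not a PKCS#8 PEM private key')

    # The passphrase: the guide requires it alongside the key.
    passphrase = doc.get(passphrase_attr)
    if not isinstance(passphrase, str) or not passphrase:
        problems.append(f'missing or empty "{passphrase_attr}"')

    # A passphrase only protects the key if the key is actually encrypted.
    if pem_kind == "PRIVATE KEY":
        problems.append(f'"{key_attr}" is not encrypted; store an encrypted PKCS#8 key')
    return problems


if __name__ == "__main__":
    print("sample payload problems:", validate_secret_payload(SAMPLE_SECRET))
```

Run the check against the exact string you are about to put in the secret (or against the SecretString returned by describe/get on an existing secret); an empty list means the key, passphrase and attribute names line up with what you will report to Yuki Support.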


Step 1 — Create the Cross-Account Role (Trust Policy)

Create an IAM role (e.g., YukiProxyReadKeysRole) that Yuki can assume.

Trust policy (replace 000000000000 with the Yuki AWS account ID; set <EXTERNAL_ID>). The "root" principal delegates to Yuki's own IAM policies which principals in Yuki's account may assume the role; the ExternalId condition is what stops a third party who knows your Role ARN from using Yuki's account as a confused deputy, so keep it in place:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::000000000000:root" },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": { "sts:ExternalId": "<EXTERNAL_ID>" }
      }
    }
  ]
}

Step 2 — Attach Read-Only Permissions

Grant the role permission only to the specific resource that contains the key.

Inline permissions policy (replace region, account ID and secret name). Secrets Manager appends a random suffix to the secret ARN (…:secret:<your-secret-name>-AbCdEf), so copy the full ARN from the console or from aws secretsmanager describe-secret. The second statement is needed only if the secret is encrypted with a customer-managed KMS key: kms:Decrypt must name that key, not the secret, and the key policy must allow the role to use it (the default key policy, which delegates to IAM in your account, does). If the secret uses the default aws/secretsmanager key, omit the second statement; no KMS configuration is required.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadSpecificSecret",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret"
      ],
      "Resource": "arn:aws:secretsmanager:<region>:<your-account-id>:secret:<your-secret-name>-<suffix>"
    },
    {
      "Sid": "DecryptWithCustomerManagedKey",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "kms:DescribeKey"
      ],
      "Resource": "arn:aws:kms:<region>:<your-account-id>:key/<key-id>",
      "Condition": {
        "StringEquals": { "kms:ViaService": "secretsmanager.<region>.amazonaws.com" }
      }
    }
  ]
}

Step 3 — Share Details with Yuki Support

Provide:

  • Role ARN: arn:aws:iam::<your-account-id>:role/YukiProxyReadKeysRole

  • ExternalId you used in the trust policy

  • Secret ARN


Step 4 — Validate

  • Confirm the role exists and policies are attached.

  • Yuki will call sts:AssumeRole with the ExternalId and read the configured secret.

  • Run a simple Snowflake connection test from Yuki (Yuki Support will confirm).
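Steps 1 to 4 carried out as one script, added here as an example (not Yuki's own tooling). The policy builders are pure functions so the documents can be reviewed before anything is created; apply_role() and verify_role() call AWS through boto3, which is assumed to be installed and configured with credentials for your account. The inline policy name "ReadSnowflakeKey", the least-privilege check and the kms:ViaService condition are this example's choices; account IDs, ARNs and the ExternalId are placeholders you replace.

```python
"""Build, apply and verify the cross-account role for the Yuki proxy.

Added example, not Yuki's code. Pure builders first, AWS calls last.
"""
import json

ROLE_NAME = "YukiProxyReadKeysRole"   # role name used in the guide
POLICY_NAME = "ReadSnowflakeKey"      # inline policy name (this example's choice)


def build_trust_policy(yuki_account_id, external_id):
    """Step 1: Yuki's account may assume the role, but only with the agreed ExternalId."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{yuki_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def build_permissions_policy(secret_arn, kms_key_arn=None):
    """Step 2: read exactly one secret. KMS is added only for a customer-managed
    key, and then only when used via Secrets Manager (kms:ViaService)."""
    region = secret_arn.split(":")[3]  # arn:aws:secretsmanager:<region>:...
    statements = [{
        "Sid": "ReadSpecificSecret",
        "Effect": "Allow",
        "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
        "Resource": secret_arn,
    }]
    if kms_key_arn:
        statements.append({
            "Sid": "DecryptViaSecretsManagerOnly",
            "Effect": "Allow",
            "Action": ["kms:Decrypt", "kms:DescribeKey"],
            "Resource": kms_key_arn,
            "Condition": {"StringEquals": {
                "kms:ViaService": f"secretsmanager.{region}.amazonaws.com"}},
        })
    return {"Version": "2012-10-17", "Statement": statements}


def least_privilege_violations(policy):
    """Return the Sids of statements that use wildcard actions or resources."""
    bad = []
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if any("*" in a for a in actions) or any(r == "*" for r in resources):
            bad.append(stmt.get("Sid", "<no Sid>"))
    return bad


def policies_match(actual, expected):
    """Compare two policy documents ignoring key order and whitespace."""
    if isinstance(actual, str):  # boto3 normally returns a dict; tolerate raw JSON too
        actual = json.loads(actual)
    return json.dumps(actual, sort_keys=True) == json.dumps(expected, sort_keys=True)


def apply_role(yuki_account_id, external_id, secret_arn, kms_key_arn=None):
    """Steps 1 and 2 against AWS; returns the Role ARN to share in Step 3."""
    import boto3  # imported here so the pure functions above need no AWS SDK
    iam = boto3.client("iam")
    iam.create_role(
        RoleName=ROLE_NAME,
        AssumeRolePolicyDocument=json.dumps(build_trust_policy(yuki_account_id, external_id)),
        Description="Read-only access to the Snowflake key for the Yuki proxy",
    )
    iam.put_role_policy(
        RoleName=ROLE_NAME, PolicyName=POLICY_NAME,
        PolicyDocument=json.dumps(build_permissions_policy(secret_arn, kms_key_arn)),
    )
    return iam.get_role(RoleName=ROLE_NAME)["Role"]["Arn"]


def verify_role(yuki_account_id, external_id, secret_arn, kms_key_arn=None):
    """Step 4 (your side): the role exists and carries exactly the intended policies."""
    import boto3
    iam = boto3.client("iam")
    role = iam.get_role(RoleName=ROLE_NAME)["Role"]
    inline = iam.get_role_policy(RoleName=ROLE_NAME, PolicyName=POLICY_NAME)["PolicyDocument"]
    return (policies_match(role["AssumeRolePolicyDocument"],
                           build_trust_policy(yuki_account_id, external_id))
            and policies_match(inline, build_permissions_policy(secret_arn, kms_key_arn)))


if __name__ == "__main__":
    # Placeholder inputs from the guide; review the output before calling apply_role().
    trust = build_trust_policy("000000000000", "<EXTERNAL_ID>")
    perms = build_permissions_policy(
        "arn:aws:secretsmanager:<region>:<your-account-id>:secret:<your-secret-name>")
    print(json.dumps(trust, indent=2))
    print(json.dumps(perms, indent=2))
    print("wildcard statements:", least_privilege_violations(perms))
```

Review the printed documents and the empty wildcard list first; then call apply_role() with your real values, hand the returned Role ARN to Yuki Support, and use verify_role() with the same values to confirm what is attached in IAM matches what you reviewed before Yuki runs its connection test.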
