Service User Authentication

Overview

Yuki requires all Snowflake service users (such as dbt_user, bi_user, or application_user) to authenticate using Key Pair Authentication in alignment with Snowflake’s latest security policies. To ensure uninterrupted service, you’ll need to configure key pair authentication in both Snowflake and Yuki.

Yuki fully supports this method natively in the Proxy. You can choose one of two integration options:

  1. Upload the private key directly into Yuki (Yuki stores it securely in AWS Secrets Manager for you), or

  2. Reference an existing key already stored in your own AWS Secrets Manager.

Before starting, make sure you’ve followed Snowflake’s official Key Pair Authentication setup guide.


Option 1 - Upload the Key to Yuki

Use this option if you prefer Yuki to manage key storage securely on your behalf.

For each service user, provide:

  • Username: (e.g., dbt_user)

  • Private Key: paste contents of private_key.pem

  • Passphrase: if used during key creation

Click Add Authentication. Yuki will automatically encrypt and store the key in AWS Secrets Manager.


Option 2 - Reference Key from AWS Secrets Manager

Use this option if you already store your Snowflake keys in AWS Secrets Manager and want Yuki to fetch them securely.

How It Works

  • The Snowflake private key remains in AWS Secrets Manager.

  • A cross-account IAM role is created with read-only access to the specific secret.

  • Yuki assumes this role (optionally with an ExternalId for additional security), and retrieves the key when establishing Snowflake sessions.

Prerequisites

  • The private key is stored in AWS Secrets Manager.

  • You have permissions in AWS to create IAM roles and policies.

Secret JSON format example:

{
  "UserPrivateKey": "-----BEGIN ... KEY-----",
  "PrivateKeyPassphrase": "xxx"
}

(Attribute names may be customized, e.g., UserPrivateKey, PrivateKeyPassphrase.)


Step 1 - Create IAM Role (Trust Policy)

Create an IAM role (e.g., YukiProxyReadKeysRole) with the following trust policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:sts::406122784773:assumed-role/yuki-proxy-secret-access-role/external-secrets-provider-aws" },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": { "sts:ExternalId": "<EXTERNAL_ID>" }
      }
    }
  ]
}

Replace:

  • <EXTERNAL_ID> → the ExternalId you will share with Yuki in Step 3 (optional; if you don’t use an ExternalId, omit the entire Condition block).


Step 2 - Attach Permissions

Attach a permissions policy to allow access only to the specific secret (by ARN or by tag).

Option A - Resource by ARN

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadSpecificSecret",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret"
      ],
      "Resource": "arn:aws:secretsmanager:<region>:<your-account-id>:secret:<your-secret>"
    },
    {
      "Sid": "DecryptSecretKey",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "kms:DescribeKey"
      ],
      "Resource": "arn:aws:kms:<region>:<your-account-id>:key/<your-kms-key-id>"
    }
  ]
}

The KMS actions are evaluated against the ARN of the key, not the ARN of the secret, so they sit in their own statement naming the customer-managed KMS key that encrypts the secret. If the secret uses the default aws/secretsmanager key, the DecryptSecretKey statement can be omitted.

Option B - Resource by Tag

Instead of listing specific ARNs, permissions can be scoped using tags. For example, to allow Yuki Proxy to access only secrets tagged with access=yuki-proxy:

1. Add a tag to the secret in AWS Secrets Manager:

shared_secrets_tag = {
  key = "access"
  value = "yuki-proxy"
}

2. Update the IAM permissions policy to allow access by tag:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadSecretsByTag",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret",
        "kms:Decrypt",
        "kms:DescribeKey"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": { "aws:ResourceTag/access": "yuki-proxy" }
      }
    }
  ]
}

This ensures that Yuki can only access secrets that are explicitly tagged for proxy access. The aws:ResourceTag condition is checked against each resource’s own tags, so if the secret is encrypted with a customer-managed KMS key, tag that key with access=yuki-proxy as well or the kms:Decrypt call will be denied.
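As an added check (not part of Yuki’s product or of this guide), the following Python script lints a Step 1 trust policy and a Step 2 permissions policy for the properties this page relies on: the principal is exactly Yuki’s role (not "*" or an account root), the sts:ExternalId condition is present and no longer the <EXTERNAL_ID> placeholder, and secret read access is scoped by secret ARN (Option A) or by the access=yuki-proxy tag condition (Option B) rather than a bare Resource "*". Both policy documents are passed in as parsed JSON; the finding texts and the function names are assumptions of this example.

```python
# Principal from this page's Step 1 trust policy; any other principal is flagged.
YUKI_PRINCIPAL = ("arn:aws:sts::406122784773:assumed-role/"
                  "yuki-proxy-secret-access-role/external-secrets-provider-aws")
SECRET_ACTIONS = {"secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"}


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy, require_external_id=True):
    """Findings for a Step 1 trust policy (parsed JSON); empty list means OK."""
    findings = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action")):
            continue
        principal = st.get("Principal")
        # Principal is either the string "*" or {"AWS": "<arn>" | ["<arn>", ...]}.
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        for p in aws:
            if p == "*" or str(p).endswith(":root"):
                findings.append(f"over-broad principal {p}")
            elif p != YUKI_PRINCIPAL:
                findings.append(f"unexpected principal {p}")
        # Without an ExternalId, any party that can make Yuki assume roles could target this one.
        ext = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if require_external_id and not ext:
            findings.append("no sts:ExternalId condition (confused-deputy risk)")
        elif ext and ext.startswith("<"):
            findings.append("sts:ExternalId placeholder not replaced")
    return findings


def check_permissions_policy(policy):
    """Findings for a Step 2 policy (parsed JSON): reads scoped by ARN or by tag."""
    findings = []
    for st in _as_list(policy.get("Statement", [])):
        actions = set(_as_list(st.get("Action", [])))
        if st.get("Effect") != "Allow" or not actions & (SECRET_ACTIONS | {"secretsmanager:*", "*"}):
            continue
        sid = st.get("Sid", "<no Sid>")
        tagged = "aws:ResourceTag/access" in st.get("Condition", {}).get("StringEquals", {})
        if "*" in _as_list(st.get("Resource", [])) and not tagged:
            findings.append(f"{sid}: Resource '*' without a tag condition")
        if actions & {"secretsmanager:*", "*"}:
            findings.append(f"{sid}: wildcard action")
    return findings
```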


Step 3 - Share Details with Yuki

Provide Yuki Support with:

  • Role ARN (e.g., arn:aws:iam::<your-account-id>:role/YukiProxyReadKeysRole)

  • ExternalId used in the trust policy


Step 4 - Configure in Yuki UI

Enter the following fields:

  • Username (e.g. dbt_user)

  • AWS Secret Name (the secret containing the keypair)

  • Private Key Property (e.g. UserPrivateKey)

  • Passphrase Property (e.g. PrivateKeyPassphrase)

Click Add Authentication. Yuki will securely fetch the key from AWS Secrets Manager when creating Snowflake sessions.


Next Steps

If your Snowflake account enforces Network Policies, proceed to configure allowed IPs: → Add User-Allowed IPs

If not, you can safely skip this step and continue to: → Enable Warehouses
