Updating Service User Authentication to Keypair

Overview

To comply with Snowflake’s authentication policy, all service users (e.g., dbt_user, bi_user, application_user) must switch to Keypair Authentication by April 1, 2025.

Yuki fully supports this authentication method in our proxy. To ensure uninterrupted service, you must update authentication settings in both Snowflake and Yuki.

You can either:

  • Upload the private key directly in the Yuki UI, or

  • Store it securely in AWS Secrets Manager and let Yuki reference it.

First, follow Snowflake’s official guide to configure Keypair Authentication in Snowflake.

Option 1 - Upload the Key to Yuki

Use this option if you want to paste the private key directly into Yuki.

  1. Log in to the Yuki UI.

  2. Go to the Security page.

  3. Locate the Keypair Authentication section.

For each service user, provide:

  1. Username (e.g., dbt_user)

  2. Private Key (paste content of private_key.pem)

  3. Passphrase (if used during key creation)

  4. Click Add Authentication.

Yuki will securely store the key in AWS Secrets Manager on your behalf.

Option 2 - Reference Key from AWS Secrets Manager

Use this option if you already store your Snowflake keys in AWS Secrets Manager and want Yuki to fetch them securely.

How It Works

  • The Snowflake private key remains in AWS Secrets Manager.

  • A cross-account IAM role is created with read-only access to the specific secret.

  • Yuki assumes this role (optionally with an ExternalId for additional security), and retrieves the key when establishing Snowflake sessions.

Prerequisites

  • The private key is stored in AWS Secrets Manager.

  • You have permissions in AWS to create IAM roles and policies.

Secret JSON format example:

{
  "UserPrivateKey": "-----BEGIN ... KEY-----",
  "PrivateKeyPassphrase": "xxx"
}

(Attribute names may be customized, e.g., UserPrivateKey, PrivateKeyPassphrase.)

Step 1 - Create IAM Role (Trust Policy)

Create an IAM role (e.g., YukiProxyReadKeysRole) with the following trust policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:sts::406122784773:assumed-role/yuki-proxy-secret-access-role/external-secrets-provider-aws" },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": { "sts:ExternalId": "<EXTERNAL_ID>" }
      }
    }
  ]
}

Replace:

  • <EXTERNAL_ID> → (optional – if you don’t use ExternalId, omit the entire Condition block).

Step 2 - Attach Permissions

Attach a permissions policy to allow access only to the specific secret (by ARN or by tag).

Option A - Resource by ARN

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadSpecificSecret",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret",
        "kms:Decrypt",
        "kms:DescribeKey"
      ],
      "Resource": "arn:aws:secretsmanager:<region>:<your-account-id>:secret:<your-secret>"
    }
  ]
}

Option B - Resource by Tag

Instead of listing specific ARNs, permissions can be scoped using tags. For example, to allow Yuki Proxy to access only secrets tagged with access=yuki-proxy:

1. Add a tag to the secret in AWS Secrets Manager:

shared_secrets_tag = {
  key = "access"
  value = "yuki-proxy"
}

2. Update the IAM permissions policy to allow access by tag:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadSecretsByTag",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret",
        "kms:Decrypt",
        "kms:DescribeKey"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": { "aws:ResourceTag/access": "yuki-proxy" }
      }
    }
  ]
}

This ensures that Yuki can only access secrets that are explicitly tagged for proxy access.

Step 3 - Share Details with Yuki

Provide Yuki Support with:

  • Role ARN (e.g., arn:aws:iam::<your-account-id>:role/YukiProxyReadKeysRole)

  • ExternalId used in the trust policy

Step 4 - Configure in Yuki UI

  1. Log in to the Yuki UI.

  2. Navigate to Security → Keypair Authentication.

  3. Enable Self-Stored Key

Enter the following:

  1. Username (e.g., dbt_user)

  2. AWS Secret Name (where the keypair is stored)

  3. Private Key Property (e.g., UserPrivateKey)

  4. Passphrase Property (e.g., PrivateKeyPassphrase)

  5. Click Add Authentication.

Yuki will securely fetch the key from AWS Secrets Manager at runtime.

Final Note

Completing either Option 1 (Direct Upload) or Option 2 (AWS Secrets Manager) ensures a seamless transition to Keypair Authentication and uninterrupted access to Snowflake services. 🚀

PreviousUninstalling Yuki and Cleaning Up ResourcesNextConnect Yuki to Snowflake (Business Critical) via AWS PrivateLink

Last updated