🔑 Updating Service User Authentication to Keypair

Overview

To comply with Snowflake’s authentication policy, all service users (e.g., dbt_user, bi_user, application_user) must switch to Keypair Authentication by April 1, 2025.

Yuki now fully supports this authentication method in our proxy. To ensure uninterrupted service, all customers must update their authentication settings in both Snowflake and Yuki.

Follow Snowflake's guide to configure Keypair Authentication.


Step 2: Update Keypair Authentication in Yuki

Once you have updated the authentication method in Snowflake, follow the steps based on your proxy setup.

For Fully Hosted Proxy Customers

If you are using Yuki’s Fully Hosted Proxy, update the authentication settings in Yuki UI.

  1. Log in to Yuki UI.

  2. Navigate to the Security page.

  3. Locate the "Key Pair Authentication" section.

  4. For each service user, provide:

    • Username (e.g., dbt_user, bi_user).

    • Private Key (copy the content of private_key.pem).

    • Passphrase (if used during key creation).

  5. Click Add Authentication.

The key will be securely stored in AWS Secrets Manager, ensuring seamless authentication and session management as before.


For Self-Hosted Proxy Customers

If you are using a Self-Hosted Proxy, additional steps are required to update Terraform, Yuki Proxy, and AWS Secrets Manager.

2.1 Update Terraform Module

Ensure your Terraform module is up to date.

2.2 Store Authentication Keys in AWS Secrets Manager

Ensure the secret is stored in JSON format as shown below:

{
  "<pk-key>": "-----BEGIN ENCRYPTED PRIVATE KEY-----\r\n....\r\n-----END ENCRYPTED PRIVATE KEY-----",
  "<passphrase-key>": "your_passphrase"
}

  • <pk-key>: The attribute name for the private key (e.g., "private_key").

  • <passphrase-key>: The attribute name for the passphrase, if one was used during key generation (e.g., "pk_passphrase").

Additional attributes can be included if needed, as long as the structure remains JSON-formatted.
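
A pre-flight check for the secret format described in 2.2, as an added example that is not Yuki's or Snowflake's code: it validates the JSON structure and the PEM armor before the value is stored. The function name `check_secret` and the sample values are assumptions; the attribute names default to the examples given above.

```python
import base64
import json
import re

# PKCS#8 PEM armor: five dashes each side, base64 body, matching END label.
PEM_RE = re.compile(
    r"\A-----BEGIN (ENCRYPTED PRIVATE KEY|PRIVATE KEY)-----\r?\n"
    r"(?P<body>[A-Za-z0-9+/=\r\n]+?)\r?\n"
    r"-----END \1-----\s*\Z"
)

def check_secret(secret_string, pk_attr="private_key", pass_attr="pk_passphrase"):
    """Return a list of problems in a secret's JSON string; empty means OK."""
    try:
        doc = json.loads(secret_string)
    except json.JSONDecodeError as exc:
        return [f"secret is not valid JSON: {exc.msg}"]
    if not isinstance(doc, dict):
        return ["secret must be a JSON object"]
    pem = doc.get(pk_attr)
    if not isinstance(pem, str):
        return [f"missing string attribute {pk_attr!r}"]
    if "\\n" in pem:
        # Double-escaped newlines survive JSON parsing as backslash + 'n'.
        return ["private key contains literal \\n; newlines were escaped twice"]
    match = PEM_RE.match(pem)
    if match is None:
        return ["private key is not PKCS#8 PEM (check the BEGIN/END lines)"]
    problems = []
    try:
        base64.b64decode("".join(match.group("body").split()), validate=True)
    except ValueError:
        problems.append("PEM body is not valid base64")
    encrypted = match.group(1) == "ENCRYPTED PRIVATE KEY"
    passphrase = doc.get(pass_attr)
    if encrypted and not (isinstance(passphrase, str) and passphrase):
        problems.append(f"encrypted key needs a non-empty {pass_attr!r}")
    if not encrypted and passphrase:
        problems.append(f"{pass_attr!r} is set but the key is not encrypted")
    return problems

# Constructed sample: the body is placeholder bytes, not a real key.
SAMPLE_BODY = base64.b64encode(b"constructed-placeholder-not-a-key" * 3).decode()
SAMPLE = json.dumps({
    "private_key": "-----BEGIN ENCRYPTED PRIVATE KEY-----\r\n" + SAMPLE_BODY
                   + "\r\n-----END ENCRYPTED PRIVATE KEY-----",
    "pk_passphrase": "constructed-passphrase",
})

if __name__ == "__main__":
    print(check_secret(SAMPLE) or "secret looks well-formed")
```

The check is structural only: it does not prove that the passphrase decrypts the key or that the public key is registered on the Snowflake user.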

2.3 Add Required Tags to AWS Secrets Manager

In AWS Secrets Manager, add a tag for the stored secret:

shared_secrets_tag = {
  key = "<secret-key>"
  value = "<secret-tag-value>"
}

  • Example:

    key = "access"
    value = "yuki-proxy"

This ensures that the Yuki Proxy can securely retrieve the authentication keys.


Step 3: Configure Authentication in Yuki UI (Self-Hosted Proxy)

After updating your AWS Secrets Manager, configure authentication settings in Yuki UI.

  1. Log in to Yuki UI.

  2. Navigate to the Security page.

  3. Locate the "Key Pair Authentication" section.

  4. For each service user, provide:

    • Username (e.g., dbt_user, bi_user).

    • AWS SSM Secret Name (where your authentication keys are stored).

    • Private Key Property (e.g., private_key).

    • Passphrase Property (if applicable, e.g., pk_passphrase).

  5. Click Add Authentication.

The system will now securely retrieve the keypair from AWS Secrets Manager for authentication.


By completing these steps, you ensure a seamless transition to Keypair Authentication and uninterrupted access to your Snowflake services. 🚀
