Updating Service User Authentication to Keypair
Overview
To comply with Snowflake’s authentication policy, all service users (e.g., dbt_user, bi_user, application_user) must switch to Keypair Authentication by April 1, 2025.
Yuki fully supports this authentication method in our proxy. To ensure uninterrupted service, you must update authentication settings in both Snowflake and Yuki.
You can either:
Upload the private key directly in the Yuki UI, or
Store it securely in AWS Secrets Manager and let Yuki reference it.
First, follow Snowflake’s official guide to configure Keypair Authentication in Snowflake.
Option 1 - Upload the Key to Yuki
Use this option if you want to paste the private key directly into Yuki.
Log in to the Yuki UI.
Go to the Security page.
Locate the Keypair Authentication section.
For each service user, provide:
Username (e.g., dbt_user)
Private Key (paste the content of private_key.pem)
Passphrase (if one was set during key creation)
Click Add Authentication.
Yuki will securely store the key in AWS Secrets Manager on your behalf.
Option 2 - Reference Key from AWS Secrets Manager
Use this option if you already store your Snowflake keys in AWS Secrets Manager and want Yuki to fetch them securely.
How It Works
The Snowflake private key remains in AWS Secrets Manager.
A cross-account IAM role is created with read-only access to the specific secret.
Yuki assumes this role (optionally with an ExternalId for additional security) and retrieves the key when establishing Snowflake sessions.
Prerequisites
The private key is stored in AWS Secrets Manager.
You have permissions in AWS to create IAM roles and policies.
Secret JSON format example:
{
  "UserPrivateKey": "-----BEGIN ... KEY-----",
  "PrivateKeyPassphrase": "xxx"
}
(Attribute names may be customized, e.g., UserPrivateKey, PrivateKeyPassphrase.)
Step 1 - Create IAM Role (Trust Policy)
Create an IAM role (e.g., YukiProxyReadKeysRole) with the following trust policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:sts::406122784773:assumed-role/yuki-proxy-secret-access-role/external-secrets-provider-aws" },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": { "sts:ExternalId": "<EXTERNAL_ID>" }
      }
    }
  ]
}
Replace:
<EXTERNAL_ID> → your chosen ExternalId (optional – if you don’t use an ExternalId, omit the entire Condition block).
Step 2 - Attach Permissions
Attach a permissions policy to allow access only to the specific secret (by ARN or by tag).
Option A - Resource by ARN
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadSpecificSecret",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret",
        "kms:Decrypt",
        "kms:DescribeKey"
      ],
      "Resource": "arn:aws:secretsmanager:<region>:<your-account-id>:secret:<your-secret>"
    }
  ]
}
Option B - Resource by Tag
Instead of listing specific ARNs, permissions can be scoped using tags. For example, to allow Yuki Proxy to access only secrets tagged with access=yuki-proxy:
1. Add a tag to the secret in AWS Secrets Manager:
shared_secrets_tag = {
  key   = "access"
  value = "yuki-proxy"
}
2. Update the IAM permissions policy to allow access by tag:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadSecretsByTag",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret",
        "kms:Decrypt",
        "kms:DescribeKey"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": { "aws:ResourceTag/access": "yuki-proxy" }
      }
    }
  ]
}
This ensures that Yuki can only access secrets that are explicitly tagged for proxy access.
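Before sharing the role with Yuki, the trust policy from Step 1 and the permissions policy from Step 2 can be checked offline for the properties this guide relies on: a real sts:ExternalId, only the four read actions, and a resource scoped by ARN or by the access tag. This is an added example, not Yuki’s or Snowflake’s own code; the sample policies in it are constructed and the account id is a placeholder.

```python
# The four actions this guide grants; anything beyond them is flagged.
READ_ONLY_ACTIONS = {"secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret",
                     "kms:Decrypt", "kms:DescribeKey"}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def lint_trust_policy(doc):
    """Flag a trust policy open to any principal or lacking a real sts:ExternalId."""
    findings = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("trust: any AWS principal may assume the role")
        ext_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext_id or ext_id == "<EXTERNAL_ID>":
            findings.append("trust: sts:ExternalId condition missing or still a placeholder")
    return findings

def lint_permissions_policy(doc):
    """Flag extra actions, unfilled placeholders, and wildcard resources without a tag scope."""
    findings = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        extra = set(_as_list(stmt.get("Action", []))) - READ_ONLY_ACTIONS
        if extra:
            findings.append(f"perms: actions beyond the read-only set: {sorted(extra)}")
        conds = stmt.get("Condition", {}).get("StringEquals", {})
        scoped_by_tag = any(k.startswith("aws:ResourceTag/") for k in conds)
        for res in _as_list(stmt.get("Resource", [])):
            if "<" in res:
                findings.append(f"perms: resource {res!r} still contains a placeholder")
            elif res.endswith("*") and not scoped_by_tag:
                findings.append(f"perms: wildcard resource {res!r} with no aws:ResourceTag condition")
    return findings

# Constructed samples: the guide's tag-scoped policy (Option B) and two weakened variants.
TAG_SCOPED = {"Version": "2012-10-17", "Statement": [{"Sid": "ReadSecretsByTag", "Effect": "Allow",
    "Action": sorted(READ_ONLY_ACTIONS), "Resource": "*",
    "Condition": {"StringEquals": {"aws:ResourceTag/access": "yuki-proxy"}}}]}
UNSCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "secretsmanager:*", "Resource": "*"}]}
TRUST_PLACEHOLDER = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/example-role"},  # constructed ARN
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "<EXTERNAL_ID>"}}}]}
```

Run the two linters over the JSON you intend to attach; an empty list means the policy matches the shape this guide prescribes.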
Step 3 - Share Details with Yuki
Provide Yuki Support with:
Role ARN (e.g., arn:aws:iam::<your-account-id>:role/YukiProxyReadKeysRole)
ExternalId used in the trust policy (if any)
Step 4 - Configure in Yuki UI
Log in to the Yuki UI.
Navigate to Security → Keypair Authentication.
Enable Self-Stored Key.
Enter the following:
Username (e.g., dbt_user)
AWS Secret Name (where the keypair is stored)
Private Key Property (e.g., UserPrivateKey)
Passphrase Property (e.g., PrivateKeyPassphrase)
Click Add Authentication.
Yuki will securely fetch the key from AWS Secrets Manager at runtime.
Final Note
Completing either Option 1 (Direct Upload) or Option 2 (AWS Secrets Manager) ensures a seamless transition to Keypair Authentication and uninterrupted access to Snowflake services. 🚀