feat(snowflake-driver): Ability to use encrypted private keys for auth (cube-js#9371)

KSDaemon · marianore-muttdata · commit 4202501e4a4c · 2025-06-17T11:14:09.000-03:00
* feat(snowflake-driver): Ability to use encrypted private keys for auth

* update snowflake docs

* add snowflake-encrypted-pk to ci drivers tests

* fix

* add missing secrets
diff --git a/.github/workflows/drivers-tests.yml b/.github/workflows/drivers-tests.yml
@@ -213,6 +213,7 @@ jobs:
         redshift
         redshift-export-bucket-s3
         snowflake
+        snowflake-encrypted-pk
         snowflake-export-bucket-s3
         snowflake-export-bucket-azure
         snowflake-export-bucket-azure-via-storage-integration
@@ -242,6 +243,7 @@ jobs:
           - redshift
           - redshift-export-bucket-s3
           - snowflake
+          - snowflake-encrypted-pk
           - snowflake-export-bucket-s3
           - snowflake-export-bucket-azure
           - snowflake-export-bucket-azure-via-storage-integration
@@ -340,6 +342,8 @@ jobs:
           # Snowflake
           DRIVERS_TESTS_CUBEJS_DB_SNOWFLAKE_USER: ${{ secrets.DRIVERS_TESTS_CUBEJS_DB_SNOWFLAKE_USER }}
           DRIVERS_TESTS_CUBEJS_DB_SNOWFLAKE_PASS: ${{ secrets.DRIVERS_TESTS_CUBEJS_DB_SNOWFLAKE_PASS }}
+          DRIVERS_TESTS_CUBEJS_DB_SNOWFLAKE_PRIVATE_KEY: ${{ secrets.DRIVERS_TESTS_CUBEJS_DB_SNOWFLAKE_PRIVATE_KEY }}
+          DRIVERS_TESTS_CUBEJS_DB_SNOWFLAKE_PRIVATE_KEY_PASS: ${{ secrets.DRIVERS_TESTS_CUBEJS_DB_SNOWFLAKE_PRIVATE_KEY_PASS }}
         with:
           max_attempts: 3
           retry_on: error
diff --git a/docs/pages/product/configuration/data-sources/snowflake.mdx b/docs/pages/product/configuration/data-sources/snowflake.mdx
@@ -12,16 +12,16 @@ redirect_from:
 - [The region][snowflake-docs-regions] for the [Snowflake][snowflake] warehouse
 - The username/password for the [Snowflake][snowflake] account
 
-## Snowflake quoted identifiers 
+## Snowflake quoted identifiers
 
-Due to an issue in snowflakes opinion about quoted identifers we set a session value to override 
+Due to an issue in snowflakes opinion about quoted identifers we set a session value to override
 snowflake defaults for users that have set an account value for: QUOTED_IDENTIFIERS_IGNORE_CASE
 you can learn more about this here: https://docs.snowflake.com/en/sql-reference/identifiers-syntax#double-quoted-identifiers
 
 ## Setup
 
 <WarningBox>
-If you're having Network error and Snowflake can't be reached please make sure you tried 
+If you're having Network error and Snowflake can't be reached please make sure you tried
 [format 2 for an account id][snowflake-format-2].
 </WarningBox>
 
@@ -65,21 +65,25 @@ if [dedicated infrastructure][ref-dedicated-infra] is used. Check out the
 
 ## Environment Variables
 
-| Environment Variable                            | Description                                                                                                                                         | Possible Values                                                        | Required |
-| ----------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------- | :------: |
-| `CUBEJS_DB_SNOWFLAKE_ACCOUNT`                   | The Snowflake account identifier to use when connecting to the database                                                                             | [A valid Snowflake account ID][snowflake-docs-account-id]              |    ✅    |
-| `CUBEJS_DB_SNOWFLAKE_REGION`                    | The Snowflake region to use when connecting to the database                                                                                         | [A valid Snowflake region][snowflake-docs-regions]                     |    ❌    |
-| `CUBEJS_DB_SNOWFLAKE_WAREHOUSE`                 | The Snowflake warehouse to use when connecting to the database                                                                                      | [A valid Snowflake warehouse][snowflake-docs-warehouse] in the account |    ✅    |
-| `CUBEJS_DB_SNOWFLAKE_ROLE`                      | The Snowflake role to use when connecting to the database                                                                                           | [A valid Snowflake role][snowflake-docs-roles] in the account          |    ❌    |
-| `CUBEJS_DB_SNOWFLAKE_CLIENT_SESSION_KEEP_ALIVE` | If `true`, [keep the Snowflake connection alive indefinitely][snowflake-docs-connection-options]                                                    | `true`, `false`                                                        |    ❌    |
-| `CUBEJS_DB_NAME`                                | The name of the database to connect to                                                                                                              | A valid database name                                                  |    ✅    |
-| `CUBEJS_DB_USER`                                | The username used to connect to the database                                                                                                        | A valid database username                                              |    ✅    |
-| `CUBEJS_DB_PASS`                                | The password used to connect to the database                                                                                                        | A valid database password                                              |    ✅    |
-| `CUBEJS_DB_SNOWFLAKE_AUTHENTICATOR`             | The type of authenticator to use with Snowflake. Use `SNOWFLAKE` with username/password, or `SNOWFLAKE_JWT` with key pairs. Defaults to `SNOWFLAKE` | `SNOWFLAKE`, `SNOWFLAKE_JWT`                                           |    ❌    |
-| `CUBEJS_DB_SNOWFLAKE_PRIVATE_KEY_PATH`          | The path to the private RSA key folder                                                                                                              | A valid path to the private RSA key                                    |    ❌    |
-| `CUBEJS_DB_SNOWFLAKE_PRIVATE_KEY_PASS`          | The password for the private RSA key. Only required for encrypted keys                                                                              | A valid password for the encrypted private RSA key                     |    ❌    |
-| `CUBEJS_DB_MAX_POOL`                            | The maximum number of concurrent database connections to pool. Default is `20`                                                                      | A valid number                                                         |    ❌    |
-| `CUBEJS_CONCURRENCY` | The number of [concurrent queries][ref-data-source-concurrency] to the data source | A valid number |    ❌    |
+| Environment Variable                                 | Description                                                                                                                                         | Possible Values                                                        | Required |
+| ---------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------- | :------: |
+| `CUBEJS_DB_SNOWFLAKE_ACCOUNT`                        | The Snowflake account identifier to use when connecting to the database                                                                             | [A valid Snowflake account ID][snowflake-docs-account-id]              |    ✅    |
+| `CUBEJS_DB_SNOWFLAKE_REGION`                         | The Snowflake region to use when connecting to the database                                                                                         | [A valid Snowflake region][snowflake-docs-regions]                     |    ❌    |
+| `CUBEJS_DB_SNOWFLAKE_WAREHOUSE`                      | The Snowflake warehouse to use when connecting to the database                                                                                      | [A valid Snowflake warehouse][snowflake-docs-warehouse] in the account |    ✅    |
+| `CUBEJS_DB_SNOWFLAKE_ROLE`                           | The Snowflake role to use when connecting to the database                                                                                           | [A valid Snowflake role][snowflake-docs-roles] in the account          |    ❌    |
+| `CUBEJS_DB_SNOWFLAKE_CLIENT_SESSION_KEEP_ALIVE`      | If `true`, [keep the Snowflake connection alive indefinitely][snowflake-docs-connection-options]                                                    | `true`, `false`                                                        |    ❌    |
+| `CUBEJS_DB_NAME`                                     | The name of the database to connect to                                                                                                              | A valid database name                                                  |    ✅    |
+| `CUBEJS_DB_USER`                                     | The username used to connect to the database                                                                                                        | A valid database username                                              |    ✅    |
+| `CUBEJS_DB_PASS`                                     | The password used to connect to the database                                                                                                        | A valid database password                                              |    ✅    |
+| `CUBEJS_DB_SNOWFLAKE_AUTHENTICATOR`                  | The type of authenticator to use with Snowflake. Use `SNOWFLAKE` with username/password, or `SNOWFLAKE_JWT` with key pairs. Defaults to `SNOWFLAKE` | `SNOWFLAKE`, `SNOWFLAKE_JWT`, `OAUTH`                                  |    ❌    |
+| `CUBEJS_DB_SNOWFLAKE_PRIVATE_KEY`                    | The content of the private RSA key                                                                                                                  | Content of the private RSA key (encrypted or not)                      |    ❌    |
+| `CUBEJS_DB_SNOWFLAKE_PRIVATE_KEY_PATH`               | The path to the private RSA key                                                                                                                     | A valid path to the private RSA key                                    |    ❌    |
+| `CUBEJS_DB_SNOWFLAKE_PRIVATE_KEY_PASS`               | The password for the private RSA key. Only required for encrypted keys                                                                              | A valid password for the encrypted private RSA key                     |    ❌    |
+| `CUBEJS_DB_SNOWFLAKE_OAUTH_TOKEN_PATH`               | The path to the valid oauth toket file                                                                                                              | A valid path for the oauth token file                                  |    ❌    |
+| `CUBEJS_DB_SNOWFLAKE_HOST`                           | Host address to which the driver should connect                                                                                                     | A valid hostname                                                       |    ❌    |
+| `CUBEJS_DB_SNOWFLAKE_QUOTED_IDENTIFIERS_IGNORE_CASE` | Whether or not quoted identifiers should be case insensitive. Default is `false`                                                                    | `true`, `false`                                                        |    ❌    |
+| `CUBEJS_DB_MAX_POOL`                                 | The maximum number of concurrent database connections to pool. Default is `20`                                                                      | A valid number                                                         |    ❌    |
+| `CUBEJS_CONCURRENCY`                                 | The number of [concurrent queries][ref-data-source-concurrency] to the data source                                                                  | A valid number                                                         |    ❌    |
 
 [ref-data-source-concurrency]: /product/configuration/concurrency#data-source-concurrency
 
@@ -160,8 +164,8 @@ CUBEJS_DB_EXPORT_INTEGRATION=gcs_int
 
 #### Azure
 
-To use Azure Blob Storage as an export bucket, follow [the guide on 
-using a Snowflake storage integration (Option 1)][snowflake-docs-azure]. 
+To use Azure Blob Storage as an export bucket, follow [the guide on
+using a Snowflake storage integration (Option 1)][snowflake-docs-azure].
 Take note of the integration name (`azure_int` from the example link)
 as you'll need it to configure Cube.
 
diff --git a/packages/cubejs-snowflake-driver/src/SnowflakeDriver.ts b/packages/cubejs-snowflake-driver/src/SnowflakeDriver.ts
@@ -22,6 +22,7 @@ import {
 } from '@cubejs-backend/base-driver';
 import { formatToTimeZone } from 'date-fns-timezone';
 import fs from 'fs/promises';
+import crypto from 'crypto';
 import { HydrationMap, HydrationStream } from './HydrationStream';
 
 const SUPPORTED_BUCKET_TYPES = ['s3', 'gcs', 'azure'];
@@ -245,8 +246,30 @@ export class SnowflakeDriver extends BaseDriver implements DriverInterface {
       assertDataSource('default');
 
     let privateKey = getEnv('snowflakePrivateKey', { dataSource });
-    if (privateKey && !privateKey.endsWith('\n')) {
-      privateKey += '\n';
+
+    if (privateKey) {
+      // If the private key is encrypted - we need to decrypt it before passing to
+      // snowflake sdk.
+      if (privateKey.includes('BEGIN ENCRYPTED PRIVATE KEY')) {
+        const keyPasswd = getEnv('snowflakePrivateKeyPass', { dataSource });
+
+        if (!keyPasswd) {
+          throw new Error(
+            'Snowflake encrypted private key provided, but no passphrase was given.'
+          );
+        }
+
+        const privateKeyObject = crypto.createPrivateKey({
+          key: privateKey,
+          format: 'pem',
+          passphrase: keyPasswd
+        });
+
+        privateKey = privateKeyObject.export({
+          format: 'pem',
+          type: 'pkcs8'
+        });
+      }
     }
 
     snowflake.configure({ logLevel: 'OFF' });
@@ -266,7 +289,7 @@ export class SnowflakeDriver extends BaseDriver implements DriverInterface {
       oauthTokenPath: getEnv('snowflakeOAuthTokenPath', { dataSource }),
       privateKeyPath: getEnv('snowflakePrivateKeyPath', { dataSource }),
       privateKeyPass: getEnv('snowflakePrivateKeyPass', { dataSource }),
-      privateKey,
+      ...(privateKey ? { privateKey } : {}),
       exportBucket: this.getExportBucket(dataSource),
       resultPrefetch: 1,
       executionTimeout: getEnv('dbQueryTimeout', { dataSource }),
diff --git a/packages/cubejs-testing-drivers/fixtures/snowflake.json b/packages/cubejs-testing-drivers/fixtures/snowflake.json
@@ -40,6 +40,15 @@
           "CUBEJS_DB_EXPORT_GCS_CREDENTIALS": "${DRIVERS_TESTS_CUBEJS_DB_EXPORT_GCS_CREDENTIALS}"
         }
       }
+    },
+    "encrypted-pk": {
+      "cube": {
+        "environment": {
+          "CUBEJS_DB_SNOWFLAKE_AUTHENTICATOR": "SNOWFLAKE_JWT",
+          "CUBEJS_DB_SNOWFLAKE_PRIVATE_KEY": "${DRIVERS_TESTS_CUBEJS_DB_SNOWFLAKE_PRIVATE_KEY}",
+          "CUBEJS_DB_SNOWFLAKE_PRIVATE_KEY_PASS": "${DRIVERS_TESTS_CUBEJS_DB_SNOWFLAKE_PRIVATE_KEY_PASS}"
+        }
+      }
     }
   },
   "cube": {
diff --git a/packages/cubejs-testing-drivers/package.json b/packages/cubejs-testing-drivers/package.json
@@ -44,6 +44,7 @@
     "snowflake-driver": "yarn test-driver -i dist/test/snowflake-driver.test.js",
     "snowflake-core": "yarn test-driver -i dist/test/snowflake-core.test.js",
     "snowflake-full": "yarn test-driver -i dist/test/snowflake-full.test.js",
+    "snowflake-encrypted-pk-full": "yarn test-driver -i dist/test/snowflake-encrypted-pk-full.test.js",
     "snowflake-export-bucket-s3-full": "yarn test-driver -i dist/test/snowflake-export-bucket-s3-full.test.js",
     "snowflake-export-bucket-azure-full": "yarn test-driver -i dist/test/snowflake-export-bucket-azure-full.test.js",
     "snowflake-export-bucket-azure-via-storage-integration-full": "yarn test-driver -i dist/test/snowflake-export-bucket-azure-via-storage-integration-full.test.js",
diff --git a/packages/cubejs-testing-drivers/test/__snapshots__/snowflake-encrypted-pk-full.test.ts.snap b/packages/cubejs-testing-drivers/test/__snapshots__/snowflake-encrypted-pk-full.test.ts.snap
diff --git a/packages/cubejs-testing-drivers/test/snowflake-encrypted-pk-full.test.ts b/packages/cubejs-testing-drivers/test/snowflake-encrypted-pk-full.test.ts

Original file line number	Diff line number	Diff line change
`@@ -40,6 +40,15 @@`
`40`	`40`	`"CUBEJS_DB_EXPORT_GCS_CREDENTIALS": "${DRIVERS_TESTS_CUBEJS_DB_EXPORT_GCS_CREDENTIALS}"`
`41`	`41`	`}`
`42`	`42`	`}`
	`43`	`+ },`
	`44`	`+ "encrypted-pk": {`
	`45`	`+ "cube": {`
	`46`	`+ "environment": {`
	`47`	`+ "CUBEJS_DB_SNOWFLAKE_AUTHENTICATOR": "SNOWFLAKE_JWT",`
	`48`	`+ "CUBEJS_DB_SNOWFLAKE_PRIVATE_KEY": "${DRIVERS_TESTS_CUBEJS_DB_SNOWFLAKE_PRIVATE_KEY}",`
	`49`	`+ "CUBEJS_DB_SNOWFLAKE_PRIVATE_KEY_PASS": "${DRIVERS_TESTS_CUBEJS_DB_SNOWFLAKE_PRIVATE_KEY_PASS}"`
	`50`	`+ }`
	`51`	`+ }`
`43`	`52`	`}`
`44`	`53`	`},`
`45`	`54`	`"cube": {`