Authenticate to Snowflake Using Key Pair or PAT in Data Fusion
The Snowflake connector enables Data Fusion to access data stored in Snowflake using JDBC-based connectivity. It allows you to configure secure connections to Snowflake’s compute layer and integrate Snowflake data into your data pipelines.
Data Fusion supports multiple authentication methods for Snowflake connections, including Key Pair (RSA) and token-based authentication (PAT). As Snowflake enforces stronger security controls such as multi-factor authentication (MFA), non-interactive authentication methods like PAT and Key Pair are recommended for service-based access.
Configure the connector by providing connection details such as server endpoint, warehouse, and database, along with the selected authentication method.
The following section describes how to configure a Snowflake connection using Key Pair (RSA) authentication.
Before you begin
Obtain the following from your Snowflake administrator:
- Username
- Account endpoint (for example, <account>.snowflakecomputing.com)
- Warehouse
- Database
- Private key (.p8 file)
Ensure that:
- The corresponding public key is registered for the Snowflake user
- Your user has access to the specified warehouse and database
- If using an encrypted private key, the passphrase is available
Add a Snowflake data source
- Open your application in C3 AI Studio
- Navigate to Data Fusion
- In the Data Sources panel, select Add data source
- Select Snowflake
- Select Next
Configure connector details
Enter:
- Name — Identifier for the connector
- Description — Optional description
Configure authentication
Set Auth Method to Keypair (RSA)
Provide the following:
Connection fields
- username — Snowflake user name
- warehouse — Existing Snowflake warehouse
- port — 443
- serverEndpoint — Snowflake account endpoint (for example, <account>.snowflakecomputing.com)
- database — Target Snowflake database
Key pair fields
privateKey — Paste the full contents of the .p8 file, including:
-----BEGIN PRIVATE KEY----- ... -----END PRIVATE KEY-----
passphrase — Enter the passphrase if the private key is encrypted. If the key is not encrypted, leave this field blank
Configure using Token-based Authentication (PAT)
To configure a Snowflake connection using a Programmatic Access Token (PAT):
- Select Programmatic Access Token (PAT) as the authentication method
- Enter the username
- Provide the server endpoint, warehouse, and database
- Enter the PAT in the programmaticAccessToken field
Use PAT-based authentication in environments where multi-factor authentication (MFA) is enabled or password-based authentication is not supported. PAT provides a secure, non-interactive alternative for programmatic access.
Validate the connection
Select Save and Test to validate the configuration.
If validation fails, verify authentication details, key configuration, and environment availability before retrying.
Continue the data integration workflow
After the connection is validated:
- Define the schema for the Snowflake source
- Map the source data to a canonical
- Configure transformations as needed
Troubleshoot Snowflake connections
Authentication failed
- Verify that the public key corresponding to the private key is registered for the Snowflake user
- Confirm that the username matches the configured key
Invalid private key
- Ensure the .p8 contents are pasted exactly, including headers and line breaks
- Confirm the key is in PKCS#8 (PEM) format
Encrypted private key errors
If validation fails with errors related to encrypted data or cipher finalization:
- Verify that the correct passphrase is provided
- Alternatively, use an unencrypted private key
Connection fails during validation
- Verify the serverEndpoint is correct
- Confirm the warehouse and database exist and are accessible
- Ensure the environment is running before validating the connection
Key considerations
- Key pair authentication requires the public key to be configured in Snowflake for the user
- The private key must be kept secure and should not be shared or committed to source control
- Ensure all connection fields match the Snowflake account configuration