Snowflake Destination FAQs

Is it required to switch my Snowflake authentication method to Key Pair?

See the following deep dive on the upcoming Snowflake authentication updates for your customers including timeline and migration steps: Preparing for Snowflake Password Deprecation. Continue reading below for additional information on managing this migration successfully alongside your customers.

How do I generate and promote a public key for Key-Pair Authentication for a Snowflake destination within Prequel?

You can stage and promote a public key directly within the Admin UI or via the Prequel API for a new or existing destination:

Admin UI
1. When creating a new or editing an existing destination, you will see an option to switch Auth method from User/Password to Key Auth. Prequel will automatically generate a public key for you.
  1. Note: You will need to first select a valid Recipient before a public key can be generated, as the key is staged to a Recipient before being promoted to a destination.
2. Share this public key with your customer so they can add it to their Snowflake user. See the main Snowflake destination documentation for your customer's next steps: Snowflake.
  1. Note: Newly generated public keys will expire after 30 days if not successfully promoted as described below.
3. Once your customer confirms the key has been added to their Snowflake environment, you can return to the Prequel Admin UI to complete creating the new destination or editing the existing one.
  1. Note: Prequel will input the same public key into the destination form after one has been generated and staged for a given recipient. In other words, you can return to editing or creating a destination without saving and preserve the public key shared with your customer will remain valid.
4. Once the new or existing destination is successfully saved, this promotes the public key within Prequel.
Prequel API
1. Use the Create SSH Key endpoint to generate a key pair. The public_key that you will need to provide to your customer for their Snowflake user will be returned in the API response.
2. Make a POST or PATCH request to the Create Destination or Update Destination endpoints, providing the public key to promote it within Prequel.

How do I rotate a customer's Snowflake key for an existing destination on key auth with no down time? Do Snowflake keys rotate automatically?

Follow the steps above to stage a new public key from either the Admin UI or Prequel API.
Your customer should add this new key to their existing Snowflake user as RSA_PUBLIC_KEY_2, which allows both the old and new keys to be active in Snowflake simultaneously.
Once the new key is added in Snowflake, return to the Prequel Admin UI (or use the API) to update the existing destination, selecting the newly generated public key.
Saving the destination in Prequel promotes the new key, causing Prequel to immediately begin authenticating with Snowflake using the private key corresponding to RSA_PUBLIC_KEY_2. Since both keys are active in Snowflake, this ensures a seamless transition with no downtime.

Snowflake keys are not rotated automatically - Prequel enables you to manage key rotation on behalf of your customers.

Can my customer bring their own public key?

No, Prequel does not currently support customers bringing their own public key for Snowflake authentication. For robust security and to ensure the private key never leaves our secure premises, Prequel generates and securely manages the entire key pair.

My customer has multiple Snowflake destinations. Can they reuse a public key across destinations?

No, it is not possible to reuse a Snowflake key across multiple destinations. Each destination requires a distinct key.

My customer is already using `RSA_PUBLIC_KEY` for another service. How should they proceed?

Your customer can use RSA_PUBLIC_KEY_2 on the same Snowflake user.