Amazon QuickSight Introduces Key Pair Authentication for Snowflake Data Source

Enhancing Security with Key Pair Authentication: Connecting Amazon QuickSight and Snowflake

Navigating the Challenges of Cloud Data Integration with Modern Authentication Methods

Unlocking Secure Data Connectivity: Key Pair Authentication for Amazon QuickSight and Snowflake

Modern enterprises are increasingly challenged to connect their business intelligence platforms with cloud data warehouses while preserving seamless automation. Password-based authentication methods not only introduce security vulnerabilities but also create operational friction and compliance gaps—issues that become even more critical as platforms like Snowflake move towards deprecating username/password systems.

An Enhanced Solution: Key Pair Authentication

Amazon QuickSight, part of the Amazon Quick Suite, has recently adopted key pair authentication for integrations with Snowflake. The feature uses asymmetric cryptography: an RSA key pair takes the place of the traditional password. This enhancement addresses the vulnerabilities associated with password-based systems and aligns with Snowflake’s shift towards more secure authentication methods.

This blog post will guide you step-by-step on establishing secure data source connectivity between Amazon QuickSight and Snowflake using this new key pair authentication feature.

Prerequisites

Before diving into the configurations, ensure you have the following:

  1. Amazon QuickSight Account: Ensure you have administrative access to create and manage data sources and grant permissions.
  2. Snowflake Account: You need roles like ACCOUNTADMIN, SECURITYADMIN, or USERADMIN to modify user accounts and grant necessary permissions.
  3. OpenSSL Installed: Required for RSA key pair generation. Most systems come with OpenSSL pre-installed.
  4. (Optional) AWS Secrets Manager Access: If you plan to set up programmatically, IAM permissions will be necessary.

Solution Walkthrough

We will break down the essential steps needed to establish secure key pair authentication between Amazon QuickSight and Snowflake:

  1. Generate an RSA Key Pair
  2. Configure Your Snowflake User
  3. Establish Data Source Connectivity

Step 1: Generate RSA Key Pair

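Open AWS CloudShell in the AWS Management Console and run the following command to generate your RSA private key. Because -nocrypt is not given, OpenSSL prompts for a passphrase and writes the key in encrypted PKCS#8 form; you will supply the same passphrase in Step 3: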

openssl genrsa 2048 | openssl pkcs8 -topk8 -inform PEM -out rsa_key.p8

Next, create your public key:

openssl rsa -in rsa_key.p8 -pubout -out rsa_key.pub

To extract your private key content, display it as follows:

cat rsa_key.p8

Copy the entire output, including the header and footer.

Now, format the public key to meet Snowflake’s specifications:

grep -v KEY rsa_key.pub | tr -d '\n' | awk '{print $1}' > pub.Key
cat pub.Key

Note: Copy the formatted public key; you will use it in the next step.

Step 2: Assign Public Key to Snowflake User

Log in to your Snowflake account and execute:

ALTER USER <username> SET RSA_PUBLIC_KEY='<your_public_key>';

Verify the key assignment:

DESCRIBE USER <username>;
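
An added example, not part of the original post: DESCRIBE USER reports the stored key's fingerprint in the RSA_PUBLIC_KEY_FP property as SHA256:<base64>, and the functions below compute the same value locally from rsa_key.pub so the two can be compared. The function names are illustrative, and the openssl CLI is assumed to be installed.

```shell
#!/usr/bin/env bash
# Added example: check that the key Snowflake stored is the key you generated.

# Single-line base64 body of a PEM public key (the value given to ALTER USER).
# Filtering on the '-----' delimiters cannot drop a base64 line that happens
# to contain the letters KEY.
snowflake_key_body() {
  grep -v -- '-----' "$1" | tr -d '\r\n'
}

# "SHA256:<base64>" of the DER bytes encoded by a single-line key body.
body_fingerprint() {
  printf 'SHA256:%s\n' "$(printf '%s\n' "$1" | fold -w 64 |
    openssl enc -base64 -d | openssl dgst -sha256 -binary | openssl enc -base64)"
}

# Fingerprint of a PEM public key file; fails if openssl cannot parse the key.
pem_fingerprint() {
  local body
  body=$(openssl rsa -pubin -in "$1" -outform DER 2>/dev/null |
    openssl enc -base64 -A)
  [ -n "$body" ] || return 1
  body_fingerprint "$body"
}

# Succeeds only when the local key matches the fingerprint Snowflake reports.
# $1 = rsa_key.pub, $2 = RSA_PUBLIC_KEY_FP value copied from DESCRIBE USER.
key_matches_snowflake() {
  local local_fp
  local_fp=$(pem_fingerprint "$1") || return 2
  [ "$local_fp" = "$2" ]
}

# Usage (the fingerprint argument is a placeholder for your DESCRIBE USER value):
#   key_matches_snowflake rsa_key.pub 'SHA256:<value from DESCRIBE USER>' \
#     && echo "fingerprint matches" || echo "MISMATCH: do not use this key"
```

A mismatch means the value pasted into ALTER USER was truncated or belongs to a different key pair.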

Step 3: Establishing Your Data Source in Amazon QuickSight

Using Amazon QuickSight UI

  1. Navigate to the Datasets section in the AWS Management Console, then select the Data sources tab.
  2. Choose “Create data source”.
  3. Select “Snowflake” and click Next.
  4. Enter the required fields such as host name, database name, and authentication type as "KeyPair".
  5. Paste the private key and passphrase (if used).
  6. Validate and create the data source.

Using Amazon QuickSight API (AWS CLI)

To create the data source programmatically, execute the following command:

aws quicksight create-data-source \
  --aws-account-id 123456789 \
  --data-source-id awsclikeypairtest \
  --name "awsclikeypairtest" \
  --type SNOWFLAKE \
  --data-source-parameters '{
    "SnowflakeParameters": {
      "Host": "hostname.snowflakecomputing.com",
      "Database": "DB_NAME",
      "Warehouse": "WH_NAME",
      "AuthenticationType": "KEYPAIR"
    }
  }' \
  --credentials '{
    "KeyPairCredentials": {
      "KeyPairUsername": "SNOWFLAKE_USERNAME",
      "PrivateKey": "-----BEGIN ENCRYPTED PRIVATE KEY-----\nPRIVATE_KEY\n-----END ENCRYPTED PRIVATE KEY-----",
      "PrivateKeyPassphrase": "******"
    }
  }' \
  --permissions '[{
    "Principal": "arn:aws:quicksight:us-east-1:123456789:user/default/Admin/username",
    "Actions": ["quicksight:DescribeDataSource", "quicksight:UpdateDataSource"]
  }]' \
  --region us-east-1

Check the status of your data source:

aws quicksight describe-data-source --region us-east-1 --aws-account-id 123456789 --data-source-id awsclikeypairtest

Once your data source transitions from CREATION_IN_PROGRESS to CREATION_SUCCESSFUL, your connection is ready to use!
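
The create-data-source command above carries the private key and passphrase as command-line arguments, where they reach shell history and process listings. As an added example (not from the original post), the helper below writes the same KeyPairCredentials document to a mode-0600 file that the AWS CLI reads through its file:// prefix; the function names, the SNOWFLAKE_KEY_PASSPHRASE variable and the two JSON file names are assumptions.

```shell
#!/usr/bin/env bash
# Added example: pass KeyPairCredentials via file:// instead of the command line.

# Escape backslash and double quote for use inside a JSON string
# (assumes the value contains no control characters).
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Write the credentials document to $1 with mode 0600.
# $2 = Snowflake user, $3 = PKCS#8 key file (rsa_key.p8 from Step 1).
# The passphrase is read from SNOWFLAKE_KEY_PASSPHRASE (assumed variable name).
write_keypair_credentials() {
  local out="$1" user="$2" keyfile="$3" pem pass=''
  # Join the PEM lines with a literal \n, the form the PrivateKey field uses.
  pem=$(awk '{ sub(/\r$/, ""); printf "%s\\n", $0 }' "$keyfile") || return 1
  pem=${pem%'\n'}
  case $pem in
    '-----BEGIN ENCRYPTED PRIVATE KEY-----'*)
      [ -n "${SNOWFLAKE_KEY_PASSPHRASE:-}" ] || return 1   # passphrase required
      pass=$(printf ',"PrivateKeyPassphrase":"%s"' \
        "$(json_escape "$SNOWFLAKE_KEY_PASSPHRASE")") ;;
    '-----BEGIN PRIVATE KEY-----'*) ;;   # unencrypted key: no passphrase field
    *) return 1 ;;                       # not a PKCS#8 PEM file
  esac
  ( umask 077; : > "$out" ) && chmod 600 "$out" || return 1
  printf '{"KeyPairCredentials":{"KeyPairUsername":"%s","PrivateKey":"%s"%s}}\n' \
    "$(json_escape "$user")" "$pem" "$pass" > "$out"
}

# The call shown above with each JSON argument read from a file.
# snowflake-params.json and permissions.json (assumed names) hold the JSON
# that the original command passes inline. $1 = the credentials file.
create_data_source() {
  local rc=0
  aws quicksight create-data-source \
    --aws-account-id 123456789 --data-source-id awsclikeypairtest \
    --name "awsclikeypairtest" --type SNOWFLAKE --region us-east-1 \
    --data-source-parameters file://snowflake-params.json \
    --permissions file://permissions.json \
    --credentials "file://$1" || rc=$?
  rm -f -- "$1"        # remove the credentials file whether or not the call worked
  return "$rc"
}
```

Set SNOWFLAKE_KEY_PASSPHRASE from a silent prompt rather than typing it into a command, then call write_keypair_credentials followed by create_data_source.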

Cleanup

To avoid incurring additional charges:

  1. Delete the created secret in AWS Secrets Manager.
  2. Remove the data source connection in Amazon QuickSight.

Conclusion

Key pair authentication is a significant step forward in securing data connectivity between Amazon QuickSight and Snowflake. By eliminating password vulnerabilities, organizations can improve their security posture and streamline automated workflows. Whether you prefer the user-friendly Amazon QuickSight UI or the flexibility of AWS CLI, securing your connections with key pairs represents a best practice in today’s evolving data landscape.

Embrace these innovations to enable your business intelligence teams to extract actionable insights faster and with less authentication complexity.

For further reading on Snowflake Key-Pair Authentication, check out the official documentation.


About the Authors

Vignessh Baskaran – Sr. Technical Product Manager at Amazon Quick, with expertise in large-scale data analytics solutions.

Chinnakanu Sai Janakiram – Software Development Engineer at Amazon Quick, specializing in cloud infrastructure automation.

Nithyashree Alwarsamy – Partner Solutions Architect at AWS, focusing on data analytics solutions.

Andries Engelbrecht – Principal Partner Solutions Engineer at Snowflake, with vast experience in data and analytics.
