By Deiby Gómez
Snowflake is deprecating user/password authentication in favor of key pair authentication. This impacts AWS Lambda-based data pipelines that currently rely on legacy authentication. This article explains how to update your Lambda functions to use SSH key-based authentication when connecting to Snowflake. You’ll learn how to securely store your private key in AWS Secrets Manager, retrieve it from your Lambda, and establish a secure connection to Snowflake using a private key. This guide helps Data Engineers future-proof their serverless pipelines and align with modern security standards.
Generate your public key and private key:
Generate Private Key:
openssl genrsa 2048 | openssl pkcs8 -topk8 -inform PEM -out rsa_priv_key_lambdas.priv;Generate Public Key:
openssl rsa -in rsa_priv_key_lambdas.priv -pubout -out rsa_pub_key_lambdas.pub
Create a new Snowflake User using your public key:
Copy the text in your public key and paste it here. This user will be used by your lambda.
CREATE OR REPLACE USER LAMBDAS
DEFAULT_ROLE = 'LAMBDAS_ROLE'
TYPE = SERVICE
RSA_PUBLIC_KEY='-----BEGIN PUBLIC KEY-----
MIIBIjaNBgkqhkiG9w0BAQIFAAOCAQ9AMIIBCgKCEQEAkdRh4Q8lxlKdkjI6QQLr
…
…
…
…
GaXC81d9P6PWud/AFwJ5123AOoXhrv7Ir1t7Ss+3qcgM2O4NawEnYAgTPPo3WfLV
YQIDAQAB
-----END PUBLIC KEY-----'
DEFAULT_WAREHOUSE = LAMBDAS_WH
COMMENT = 'Service User for lambdas';
Create an entry in AWS Secrets Manager:
Go to the “AWS Secrets Manager” section and click on “Store a new secret” button. Add your Private Key. We will use “lambdas/priv_key” entry as you can see in the following image:
Update your lambda policy:
Add to your lambda a new in-line policy. This IAM policy allows a Lambda function to retrieve the value of a secret stored in AWS Secrets Manager. Specifically, it grants the secretsmanager:GetSecretValue permission for any secret whose name starts with lambdas/priv_key in the us-east-1 region of account 123456. This is essential when securely accessing private SSH keys from within your Lambda function to authenticate against Snowflake, ensuring sensitive credentials are not exposed in the code or environment variables.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": "arn:aws:secretsmanager:us-east-1:123456:secret:lambdas/priv_key*"
}
]
}
Add some new libraries to your lambda:
#Keypair Auth
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.asymmetric import dsa
from cryptography.hazmat.primitives import serialization
Add a new procedure to your lambda to get the Key from AWS Secrets:
This procedure will do the work of getting the SSH Private Key from your AWS Secrets Manager and it will return the value.
def get_secret():
secret_name = "lambdas/priv_key"
region_name = "us-east-1"
# Create a Secrets Manager client
session = boto3.session.Session()
client = session.client(
service_name='secretsmanager',
region_name=region_name
)
try:
get_secret_value_response = client.get_secret_value(
SecretId=secret_name
)
secret = get_secret_value_response['SecretString']
return secret
except Exception as e:
print ("Error: "+str(e))
Finally, update your lambda to authenticate using the SSH Key:
This code snippet demonstrates how to authenticate to Snowflake using an SSH key instead of a username and password, aligning with Snowflake’s move to deprecate password-based authentication. The private SSH key is securely retrieved from AWS Secrets Manager using the get_secret() function, then decrypted and serialized into the required binary format (PKCS8) for use by the Snowflake Python connector. By referencing credentials and secrets via environment variables and secure storage, this approach enhances security while enabling automated, passwordless authentication from AWS Lambda functions to Snowflake.
USER = os.environ.get('SNOWFLAKE_USER')
ACCOUNT = os.environ.get('SNOWFLAKE_ACCOUNT')
WAREHOUSE = os.environ.get('SNOWFLAKE_WAREHOUSE')
ROLE = os.environ.get('SNOWFLAKE_ROLE')
p_key= serialization.load_pem_private_key(
str(get_secret()).encode('ascii'),
password=os.environ.get('passphrase').encode('ascii'),
backend=default_backend()
)
pkb = p_key.private_bytes(
encoding=serialization.Encoding.DER,
format=serialization.PrivateFormat.PKCS8,
encryption_algorithm=serialization.NoEncryption())
conn = snowflake.connector.connect(
user=USER,
account=ACCOUNT,
#password=PASSWORD, #Deprecated
private_key=pkb,
warehouse=WAREHOUSE,
database=DATABASE,
schema=SCHEMA
)
Conclusion
Migrating to SSH key-based authentication for your Lambda-Snowflake integrations is not just a requirement—it’s an opportunity to strengthen your pipeline’s security posture. By leveraging AWS Secrets Manager to manage sensitive credentials and integrating key pair authentication, you reduce the risk of compromised passwords and ensure smoother compliance with Snowflake’s upcoming security policies. With these simple yet effective changes, your serverless architecture will be more secure, maintainable, and ready for the future of cloud data operations.
Deiby Gómez was the first Oracle ACE Director of Guatemala (2015-2023), he has 35 Technology certifications among them the highest certifications for Oracle Database (Oracle Certified Master, OCM) and three Advanced Snowflake Certifications (Architect, Administrator and Data Engineer). He is an engineer with two Master’s degrees and a future lawyer. Deiby has been a speaker in Technology Events in more than 12 countries including Oracle Open World in San Francisco. Most recently, Deiby was selected as a 2025 Snowflake Squad Member .
Is your organization adapting to remain competitive? In The Architect Room, we design a roadmap for the future of your digital organization, while capitalizing on current technology investments. Our knowledge spans all of the major public cloud providers. Visit Red Pill Analytics or feel free to reach out on Twitter, Facebook, and LinkedIn. For more data tips and tricks, check out our blogs or browse the RPA blogs at Medium.
