Snowflake Authentication

This guide describes how to configure and use Snowflake authentication through the Package Manager CLI (rspm).

Overview

When Package Manager is deployed on Snowflake, it is hosted on Snowflake domains (*.snowflakecomputing.app or *.snowflake.app). To authenticate requests to these instances, the CLI uses a combination of:

1. Package Manager tokens - Standard PPM authentication tokens
2. Snowflake access tokens - Generated on-demand using Snowflake key-pair authentication

This dual-authentication approach allows the CLI to seamlessly work with Package Manager instances running on Snowflake.

How It Works

Authentication Flow

1. Configuration: Snowflake connection details are stored in connections.toml or config.toml files in standard Snowflake configuration directories
2. Login: User runs rspm login or rspm login sso with the --snowflake-connection flag
3. Connection Storage: The PPM SSO token and Snowflake connection name are stored in ~/.ppm/tokens.toml for the provided address
4. On-Demand Token Generation: When making requests to Snowflake domains:
   • Private key is loaded from the file specified in the connection
   • JWT token is generated with account, user, and public key information
   • JWT is exchanged with Snowflake’s OAuth endpoint for an access token
   • Token is used immediately (not cached)

Authorization Headers

When making requests to Snowflake domains (ending in .snowflakecomputing.app or .snowflake.app), the client uses: - Authorization: Snowflake Token=<snowflake-access-token> - X-PPM-Authorization: Bearer <ppm-sso-token>

Configuration

Snowflake Connection File

Create a connections.toml file in one of these locations (checked in order):

1. $SNOWFLAKE_HOME/connections.toml

2. ~/.snowflake/connections.toml

3. $XDG_CONFIG_HOME/snowflake/connections.toml

4. Platform-specific defaults:

   • Linux: ~/.config/snowflake/connections.toml
   • macOS: ~/Library/Application Support/snowflake/connections.toml
   • Windows: %USERPROFILE%\AppData\Local\snowflake\connections.toml

Alternatively, use config.toml with connections under [connections.<name>] sections.

connections.toml Format

[my-connection]
account = "myorg-myaccount"
user = "myuser@example.com"
private_key_file = "/path/to/private_key.pem"
role = "MY_ROLE"  # Optional

[production]
account = "prodorg-prodaccount"
user = "produser@example.com"
private_key_file = "/home/user/.ssh/snowflake_prod_key.pem"

config.toml Format

[connections.my-connection]
account = "myorg-myaccount"
user = "myuser@example.com"
private_key_file = "/path/to/private_key.pem"
role = "MY_ROLE"  # Optional

Private Key Requirements

• Must be in PEM format (PKCS#8)
• Unencrypted (passphrase-protected keys are not currently supported)
• Generated using RSA algorithm

Example generation:

# Generate private key
openssl genrsa 2048 | openssl pkcs8 -topk8 -nocrypt -out snowflake_key.pem

# Extract public key for Snowflake
openssl rsa -in snowflake_key.pem -pubout -out snowflake_key.pub

Important

After generating your key pair, you must add the public key to your Snowflake user account. See Snowflake Key Pair Authentication for instructions on configuring key-pair authentication in Snowflake.

Environment Variable Overrides

You can override connection settings using environment variables:

export SNOWFLAKE_CONNECTIONS_<CONNECTION_NAME>_ACCOUNT="override-account"
export SNOWFLAKE_CONNECTIONS_<CONNECTION_NAME>_USER="override-user@example.com"
export SNOWFLAKE_CONNECTIONS_<CONNECTION_NAME>_PRIVATE_KEY_FILE="/override/path/key.pem"
export SNOWFLAKE_CONNECTIONS_<CONNECTION_NAME>_ROLE="OVERRIDE_ROLE"

Connection name and field names are converted to uppercase.

Usage

Login with SSO

# Set the address to your Snowflake instance
rspm login sso \
  --address https://my-ppm-instance.snowflakecomputing.app \
  --snowflake-connection my-connection

# Or using environment variables
export PACKAGEMANAGER_ADDRESS=https://my-ppm-instance.snowflakecomputing.app
rspm login sso --snowflake-connection my-connection

Using Multiple Instances

One Snowflake connection can be used for multiple Package Manager instances:

# Login to first instance
rspm login sso \
  --address https://dev-ppm.snowflakecomputing.app \
  --snowflake-connection my-connection

# Login to second instance using the same Snowflake connection
rspm login sso \
  --address https://prod-ppm.snowflakecomputing.app \
  --snowflake-connection my-connection

Regular Operations

After login, use rspm commands normally:

# List repositories
rspm repo list --address https://my-ppm.snowflakecomputing.app

# Create a repository
rspm repo create --address https://my-ppm.snowflakecomputing.app --name myrepo

# Snowflake tokens are generated on-demand for each request

Token Storage

Connection details are stored in ~/.ppm/tokens.toml:

[[connections]]
address = "https://my-ppm.snowflakecomputing.app"
token = "eyJraWQiOiJrZXk..."  # PPM SSO token
auth_type = "snowflake"
snowflake_connection = "my-connection"

Token Lifecycle

• Snowflake Tokens: Generated on-demand for each request (not cached)
  • Expires after ~1 hour (default)
  • No storage or expiration tracking needed
• PPM SSO Tokens: Managed according to standard PPM SSO token lifecycle
  • Expires after ~1 hour by default

Troubleshooting

“connection not found”

• Ensure your connections.toml file exists in one of the standard locations
• Verify the connection name matches exactly (case-sensitive)
• Check $SNOWFLAKE_HOME environment variable if using a custom location

“unable to generate Snowflake token”

• Verify the private key file exists and is readable
• Ensure the private key is in PKCS#8 PEM format
• Check that the account and user names are correct
• Verify network connectivity to https://<account>.snowflakecomputing.com
• Ensure the public key has been added to your Snowflake user account

“private_key_file is required”

• Add the private_key_file or private_key_path field to your connection configuration
• Ensure the path is absolute or relative to your home directory

“snowflake-connection can only be used with addresses ending in .snowflakecomputing.app or .snowflake.app”

• The --snowflake-connection flag is only valid for Snowflake domains
• Verify your address ends with .snowflakecomputing.app or .snowflake.app

Token Generation Failures

• Check that the Snowflake connection configuration is still valid
• Ensure the private key file hasn’t been moved or deleted
• Verify your Snowflake account credentials are still active
• Check network connectivity to https://<account>.snowflakecomputing.com/oauth/token
• Confirm the public key is properly configured in your Snowflake user account

Security Considerations

• Private keys are stored on disk with 0600 permissions (owner read/write only)
• Snowflake tokens are generated on-demand and not cached (expire after ~60 seconds)
• Connection details are stored in ~/.ppm/tokens.toml with 0600 permissions
• Never commit private keys or connection details to version control
• Use different private keys for different environments (dev/prod)
• Regularly rotate your Snowflake key pairs according to your organization’s security policies

Additional Resources

• Snowflake Key Pair Authentication
• Snowflake Python Connector Configuration
• Snowflake Ingress Authentication
• Admin CLI Remote Use