Brainforge Internal Snowflake: Key-Pair Auth Setup
Use key-pair auth so the Snowflake CLI (and audit script) can connect without password or MFA. Full reference: key-pair-authentication.md.
1. Generate RSA key pair
Run in a directory you won’t commit (e.g. home or a local ./keys):
mkdir -p ~/.snowflake-keys-brainforge-internal
cd ~/.snowflake-keys-brainforge-internal
# Private key (PKCS#8, no passphrase)
openssl genrsa 2048 | openssl pkcs8 -topk8 -inform PEM -out rsa_key.p8 -nocrypt
# Public key
openssl rsa -in rsa_key.p8 -pubout -out rsa_key.pub
# Restrict private key
chmod 600 rsa_key.p8
2. Add public key to your Snowflake user
You need to run this in Snowflake once. Use the Snowsight UI (browser login with password/MFA) if CLI password auth is failing.
- Public key as a single line (no headers/footers):
  # macOS (BSD head doesn't support -n -1)
  sed '1d;$d' rsa_key.pub | tr -d '\n'
  On Linux you can also use:
  tail -n +2 rsa_key.pub | head -n -1 | tr -d '\n'
  Copy the output (e.g. MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...).
- In Snowflake (Snowsight or any SQL client), run:
  ALTER USER <your_username> SET RSA_PUBLIC_KEY = '<paste-single-line-public-key>';
  Replace <your_username> with your Snowflake username (same as in 1Password “Brainforge Internal Snowflake”, e.g. UTTAM or uttam@brainforge.ai).
- Check it’s set:
  DESC USER <your_username>;
  Confirm RSA_PUBLIC_KEY_FP is non-null.
3. Configure Snowflake CLI to use the key
Option A: Replace the existing brainforge-internal connection
Remove the old connection, then add one that uses the key (no password):
snow connection remove brainforge-internal
snow connection add \
-n brainforge-internal \
--account "my64480.us-east-2.aws" \
--user "<your_username>" \
--authenticator "SNOWFLAKE_JWT" \
--private-key-path "$HOME/.snowflake-keys-brainforge-internal/rsa_key.p8" \
--role "ACCOUNTADMIN" \
--warehouse "WAREHOUSE_DEVELOPER" \
--no-interactive
Option B: Use env var for the key path
If you don’t want the path in the config file:
export SNOWFLAKE_PRIVATE_KEY_PATH="$HOME/.snowflake-keys-brainforge-internal/rsa_key.p8"
Then in ~/.snowflake/connections.toml the connection can omit the password and use the key (CLI will use SNOWFLAKE_PRIVATE_KEY_PATH when set).
4. Test and run the audit
snow connection test -c brainforge-internal
snow sql -c brainforge-internal -q "SELECT CURRENT_USER(), CURRENT_ROLE();"
Then from the repo root:
./knowledge/engineering/data-platform/scripts/audit-snowflake-internal.sh --audit-only
./knowledge/engineering/data-platform/scripts/audit-snowflake-internal.sh --roles-only
5. (Optional) Store private key in 1Password
So you don’t rely only on a local file:
op item edit "Brainforge Internal Snowflake" --vault "Employee" \
"private_key[text]=$(cat ~/.snowflake-keys-brainforge-internal/rsa_key.p8)"
Then you can use it from scripts (e.g. op read "op://Employee/Brainforge Internal Snowflake/private_key") and keep rsa_key.p8 out of git. Do not commit ~/.snowflake-keys-brainforge-internal/ or any *.p8 files.
Troubleshooting
| Error | What to check |
|---|---|
| Invalid key pair | Public key in Snowflake matches the key pair; username is correct; no extra spaces/newlines in the pasted key. |
| Private key format | Key is PKCS#8 (e.g. openssl pkcs8 -in rsa_key.p8 -nocrypt works). |
| Connection still fails | Run DESC USER <your_username>; ensure RSA_PUBLIC_KEY_FP is set. Use --authenticator SNOWFLAKE_JWT and --private-key-path (no password). |
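
For the "Invalid key pair" and "Connection still fails" rows, the local key can be compared against the RSA_PUBLIC_KEY_FP value that DESC USER returns, which is "SHA256:" followed by the base64 SHA-256 of the DER-encoded public key. The following is an added example, not part of the original page or the audit script; the function names are illustrative and it assumes the openssl CLI is installed.

```shell
#!/bin/sh
# Added example, not part of the original page. Requires the openssl CLI.
# Function names are illustrative.

# Hash DER bytes on stdin into the form DESC USER shows as RSA_PUBLIC_KEY_FP:
# "SHA256:" followed by base64(SHA-256(DER-encoded public key)).
fp_from_der() {
  printf 'SHA256:%s\n' "$(openssl dgst -sha256 -binary | openssl enc -base64)"
}

# Fingerprint derived from the private key file ($1).
fp_from_private() {
  # -passin pass: makes an encrypted key fail instead of prompting.
  openssl rsa -in "$1" -passin pass: -noout 2>/dev/null || return 1
  openssl rsa -in "$1" -passin pass: -pubout -outform DER 2>/dev/null | fp_from_der
}

# Fingerprint of the single-line value pasted into ALTER USER ($1).
fp_from_line() {
  printf '%s\n' "$1" | openssl enc -base64 -d -A | fp_from_der
}

# File checks on the private key ($1): unencrypted PKCS#8 header, mode 600.
check_private_key() {
  [ "$(head -n 1 "$1")" = "-----BEGIN PRIVATE KEY-----" ] ||
    { echo "$1: not an unencrypted PKCS#8 key" >&2; return 2; }
  perms=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")  # GNU, then BSD stat
  [ "$perms" = "600" ] ||
    { echo "$1: mode $perms, expected 600" >&2; return 3; }
}

# Compare the local key ($1) with RSA_PUBLIC_KEY_FP copied from DESC USER ($2).
verify_against_snowflake() {
  check_private_key "$1" || return $?
  local_fp=$(fp_from_private "$1") || return 4
  [ "$local_fp" = "$2" ] ||
    { echo "fingerprint mismatch: local key is $local_fp" >&2; return 5; }
}
```

After sourcing the file, call verify_against_snowflake with the path to rsa_key.p8 and the RSA_PUBLIC_KEY_FP string from DESC USER; a return code of 0 means the header, file mode and fingerprint all match.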