snowflake retl source - key pair support

forstisabella · forstisabella · commit 0b5a4ca8e51b · 2024-05-16T17:43:08.000-04:00
diff --git a/src/connections/reverse-etl/reverse-etl-source-setup-guides/snowflake-setup.md b/src/connections/reverse-etl/reverse-etl-source-setup-guides/snowflake-setup.md
@@ -7,10 +7,13 @@ redirect_from:
 
 Set up Snowflake as your Reverse ETL source. 
 
-At a high level, when you set up Snowflake for Reverse ETL,  the configured user/role needs read permissions for any resources (databases, schemas, tables) the query needs to access. Segment keeps track of changes to your query results with a managed schema (`__SEGMENT_REVERSE_ETL`), which requires the configured user to allow write permissions for that schema.
+At a high level, when you set up Snowflake for Reverse ETL, the configured user/role needs read permissions for any resources (databases, schemas, tables) the query needs to access. Segment keeps track of changes to your query results with a managed schema (`__SEGMENT_REVERSE_ETL`), which requires the configured user to allow write permissions for that schema.
+
+> success ""
+> Segment now supports key-pair authentication for Snowflake Reverse ETL sources.
 
 ## Set up guide
-Follow the instructions below to set up the Segment Snowflake connector. Segment recommends you use the `ACCOUNTADMIN` role to execute all the commands below.
+Follow the instructions below to set up the Segment Snowflake connector. Segment recommends you use the `ACCOUNTADMIN` role to execute all the commands below, and that you create a user that authenticates with a key pair.
 
 1. Log in to your Snowflake account.
 2. Navigate to *Worksheets*.
@@ -47,10 +50,23 @@ Follow the instructions below to set up the Segment Snowflake connector. Segment
    GRANT USAGE ON DATABASE segment_reverse_etl TO ROLE segment_reverse_etl;
    GRANT CREATE SCHEMA ON DATABASE segment_reverse_etl TO ROLE segment_reverse_etl;
    ```
-6. Enter and run the code below to create the username and password combination that will be used to execute queries. Make sure to enter your password where it says `my_strong_password`.
+6. Enter and run one of the following code snippets below to create the user Segment will use to run queries. Segment recommends creating a user that authenticates using a key pair. 
+
+   To create a user that authenticates with a key pair, [create a key pair](https://docs.snowflake.com/en/user-guide/key-pair-auth){:target="_blank”} and then execute the following SQL commands: 
+   ``` sql
+   -- create user (key-pair authentication)
+   CREATE USER segment_reverse_etl_user
+   DEFAULT_ROLE = segment_reverse_etl
+   RSA_PUBLIC_KEY = 'MIIBIjANBgkqh...'
+   RSA_PUBLIC_KEY_FP = 'enter the passphrase you created';
+
+   -- role access
+   GRANT ROLE segment_reverse_etl TO USER segment_reverse_etl_user;
+   ```
 
+   To create a user that authenticates with a password, execute the following SQL commands:
    ```sql
-   -- create user
+   -- create user (password authentication)
    CREATE USER segment_reverse_etl_user
     MUST_CHANGE_PASSWORD = FALSE
     DEFAULT_ROLE = segment_reverse_etl
diff --git a/src/connections/storage/catalog/snowflake/index.md b/src/connections/storage/catalog/snowflake/index.md
@@ -118,7 +118,7 @@ Now, create a new user by executing the following SQL command, replacing the pub
 
 ``` sql
 CREATE USER SEGMENT_USER 
-  DEFAULT_ROLE = "SEGMENT"
+  DEFAULT_ROLE = SEGMENT
   RSA_PUBLIC_KEY = 'MIIBIjANBgkqh...'
   RSA_PUBLIC_KEY_FP = 'enter the passphrase you created';
 GRANT ROLE "SEGMENT" TO USER "SEGMENT_USER";
@@ -221,6 +221,9 @@ After configuring your Snowflake resources, connect them to Segment.
   If you selected Key pair as your authentication method: 
   - **Private key**: Upload your private key (stored in .p8 format) that you created in [Step 4: Create a user for Segment](#step-4-create-user-for-segment)
   - **Passphrase** _(Optional)_ : If you created an encrypted key, enter the passphrase you created in [Step 4: Create a user for Segment](#step-4-create-user-for-segment)
+
+  > info "Segment supports uploading one key at a time"
+  > Although you can create up to two keys in Snowflake, Segment only supports authenticating with one key at a time. To change the key that is in Segment, return to your Snowflake destination's settings and upload a new key in the **Private Key** field.  
   
   If you selected Password as your authentication method:
   - **Password**: The password that you set in [Step 4: Create a user for Segment](#step-4-create-user-for-segment)
@@ -243,6 +246,8 @@ At this time, the Segment Snowflake destination is not compatible with Snowflake
 
 Segment recommends that you authenticate with your Snowflake warehouse using key-pair authentication. Key-pair authentication uses PKCS#8 private keys, which are typically exchanged in the PEM base64-encoded format. 
 
+Although you can create up to two keys in Snowflake, Segment only supports authenticating with one key at a time. To change the key that is in Segment, return to your Snowflake destination's settings and upload a new key in the **Private Key** field.
+
 ### Auto Suspend and Auto Resume
 
 Set `AUTO_SUSPEND` to ~10 minutes in the UI (or 600 if using SQL) to minimize the credit consumption of Segment's syncing process.
