Add key-pair auth option to storage dest docs

forstisabella · forstisabella · commit 782a871a5eae · 2024-05-16T17:11:11.000-04:00
diff --git a/src/connections/storage/catalog/snowflake/index.md b/src/connections/storage/catalog/snowflake/index.md
@@ -86,7 +86,46 @@ GRANT CREATE SCHEMA ON DATABASE "SEGMENT_EVENTS" TO ROLE "SEGMENT";
 
 ### Step 4: Create a user for Segment
 
-Create the user that Segment uses to connect to your warehouse. Be sure to use a strong, unique password.
+Create the user that Segment uses to connect to your warehouse. You can create a user that authenticates with a key pair, or you can create a user that authenticates using a password. Segment recommends creating a user that will authenticate with an encrypted key pair.
+
+#### Create a user that authenticates with a key pair
+If you are creating a user that will use a key pair to authenticate, you first must create a public key, and then can create a new user. 
+
+##### Generate a key
+
+To start, open a terminal window and generate a private key by running the following command, replacing `key_name` with the name you'd like to give the key. The command generates a private key in PEM format, and will prompt you to enter a passphrase. Write down or remember this passphrase, as you will need it when creating your Segment user and configuring your destination in the Segment app.
+
+> success ""
+> If you want to generate an unencrypted key, append `-nocrypt` to the end of the command.
+
+```
+openssl genrsa 2048 | openssl pkcs8 -topk8 -v2 des3 -inform PEM -out key_name.p8
+```
+
+After you've created the private key, save the file to a local directory. You'll need to upload the .p8 file to the Segment app when you create your Snowflake destination. 
+
+Next, generate your public key by running the following command, replacing `key_name.p8` with the name of the private key that you previously created and `public_key_name` with the name of your new public key. 
+
+```
+openssl rsa -in key_name.p8 -pubout -out public_key_name.pub
+```
+
+After you've created the public key, save the file to a local directory. 
+
+##### Generate a new user and assign the key to them
+
+Now, create a new user by executing the following SQL command, replacing the public key value with the key you previously generated. If you generated an unencrypted key, omit the `RSA_PUBLIC_KEY_FP` value, as it is only required for encrypted keys.
+
+``` sql
+CREATE USER SEGMENT_USER 
+  DEFAULT_ROLE = "SEGMENT"
+  RSA_PUBLIC_KEY = 'MIIBIjANBgkqh...'
+  RSA_PUBLIC_KEY_FP = 'enter the passphrase you created';
+GRANT ROLE "SEGMENT" TO USER "SEGMENT_USER";
+```
+
+#### Create a user that authenticates with a username and password
+If you are creating a user that will use a username and password to authenticate, execute the following SQL command. Be sure to set a strong, unique password.
 
 ```sql
 CREATE USER "SEGMENT_USER"
@@ -98,8 +137,12 @@ GRANT ROLE "SEGMENT" TO USER "SEGMENT_USER";
 
 ### Step 5: Test the user and credentials
 
-Before you continue, test and validate the new user and credentials. When you can run the following commands successfully, you can connect Snowflake to Segment.
+Before you continue, test and validate the new user and credentials. After you verify the new credentials, you can connect Snowflake to Segment.
 
+#### Test a key pair
+To verify that you've configured the key pair correctly, follow Snowflake's instructions in the [Verify the user's public key fingerprint](https://docs.snowflake.com/en/user-guide/key-pair-auth#verify-the-user-s-public-key-fingerprint){:target="_blank"} documentation. 
+
+#### Test a username and password
 Segment uses [SnowSQL](https://docs.snowflake.com/en/user-guide/snowsql){:target="_blank"} to run these verification steps.
 To install SnowSQL and verify your accounts:
 
@@ -167,12 +210,20 @@ After configuring your Snowflake resources, connect them to Segment.
 
 1. In the Segment App, select Add Destination.
 2. Search for and select "Snowflake".
-3. Add your credentials as follows:
-  - **User**: The user name that you created in [Step 4: Create a user for Segment](#step-4-create-user-for-segment)
-  - **Password**: The password that you set in [Step 4: Create a user for Segment](#step-4-create-user-for-segment)
+3. Enter a name for your destination.
+4. Enter your Snowflake credentials as follows:
   - **Account**: The account id of your cluster, not the url (for example, url: `my-business.snowflakecomputing.com`, account-id: `my-business`. **Note:** If you are using Snowflake on AWS, the account id includes the region. For example, your url might be: `my-business.us-east-1.snowflakecomputing.com/` and your account-id would be: `my-business.us-east-1`)
-  - **Database**: The database name that you created in [Step 2: Create database](#step-2-create-database)
   - **Warehouse**: The name of the warehouse that you created in [Step 1: Create a virtual warehouse](#step-1-create-a-virtual-warehouse)
+  - **Database**: The database name that you created in [Step 2: Create database](#step-2-create-database)
+  - **Username**: The username that you created in [Step 4: Create a user for Segment](#step-4-create-user-for-segment)
+  - **Authentication method**: Select the authentication method that you used when creating a user in [Step 4: Create a user for Segment](#step-4-create-user-for-segment). You can select either Key pair or Password. 
+  
+  If you selected Key pair as your authentication method: 
+  - **Private key**: Upload your private key (stored in .p8 format) that you created in [Step 4: Create a user for Segment](#step-4-create-user-for-segment)
+  - **Passphrase** _(Optional)_ : If you created an encrypted key, enter the passphrase you created in [Step 4: Create a user for Segment](#step-4-create-user-for-segment)
+  
+  If you selected Password as your authentication method:
+  - **Password**: The password that you set in [Step 4: Create a user for Segment](#step-4-create-user-for-segment)
 
 ## Security
 
@@ -188,6 +239,10 @@ At this time, the Segment Snowflake destination is not compatible with Snowflake
 
 ## Best Practices
 
+### Key pair authentication
+
+Segment recommends that you authenticate with your Snowflake warehouse using key-pair authentication. Key-pair authentication uses PKCS#8 private keys, which are typically exchanged in the PEM base64-encoded format. 
+
 ### Auto Suspend and Auto Resume
 
 Set `AUTO_SUSPEND` to ~10 minutes in the UI (or 600 if using SQL) to minimize the credit consumption of Segment's syncing process.
@@ -249,3 +304,7 @@ Queuing - you can use a different Warehouse for Segment, or use the recommendati
 {% include content/warehouse-sync-sched.md %}
 
 ![sync schedule image](/docs/connections/destinations/catalog/images/syncsched.png)
+
+### I'm running into a "JWT token is invalid" error. What do I do?
+
+For more information about troubleshooting a `JWT token is invalid` error, see Snowflake's [Key Pair Authentication: Troubleshooting](https://docs.snowflake.com/user-guide/key-pair-auth-troubleshooting){:target="_blank”} documentation. 
