
Snowflake Key Pair Authentication — Setup Guide

Connect Triple Whale to your Snowflake account securely using key pair authentication.

Written by Kassandra Villa Arroyo

Overview

This guide walks you through connecting Triple Whale to your Snowflake account using key pair authentication instead of a password or PAT token.

Key pair auth is Snowflake’s recommended method for service connections: a private key stays on your side, only its public half is registered in Snowflake, and no secret ever travels over the network during sign-in.

There are three steps:

  1. Generate a key pair (on your computer) — 3 terminal commands.

  2. Register the public key in Snowflake — 1 SQL command.

  3. Verify it works — 1 SQL command.

Then you hand Triple Whale the private key through the connection form.

You will create two files: a private key (your secret — never share it) and a public key (safe to share — this is what goes into Snowflake).


Step 1 — Generate the key pair (terminal)

Open a terminal (macOS / Linux) and run these three commands. They create a folder, a private key, and the matching public key.

1. Create a folder to hold the keys

mkdir -p ~/snowflake-keys && cd ~/snowflake-keys

2. Generate the PRIVATE key (PKCS#8 format, unencrypted)

openssl genrsa 2048 | openssl pkcs8 -topk8 -inform PEM -out rsa_key.p8 -nocrypt

3. Extract the matching PUBLIC key

openssl rsa -in rsa_key.p8 -pubout -out rsa_key.pub

Expected output — step 3 prints a single line, and both files now exist:

writing RSA key

ls -la ~/snowflake-keys
# -rw------- rsa_key.p8 ← PRIVATE key (your secret)
# -rw-r--r-- rsa_key.pub ← PUBLIC key (safe to share)

Want the key encrypted with a passphrase? (recommended for production) Replace -nocrypt in command 2 with -v2 aes-256-cbc; OpenSSL will prompt for a passphrase. Command 3 will then ask for the same passphrase in order to read the key. You’ll also provide that passphrase to Triple Whale alongside the key.


Step 2 — Register the public key in Snowflake (SQL)

Snowflake wants the public key as one continuous line, without the BEGIN/END header lines.

Produce that string:

grep -v "PUBLIC KEY" ~/snowflake-keys/rsa_key.pub | tr -d '\n'; echo

Expected output — one long line of letters/numbers (yours will differ):

MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv63HCz2B+IDJM... (continues) ...rwIDAQAB

Copy that line. Then in Snowflake (Snowsight → +SQL File), run — replacing YOUR_USERNAME with your Snowflake username and pasting your public key string:

ALTER USER YOUR_USERNAME SET RSA_PUBLIC_KEY='<paste-the-one-line-public-key-here>';

Expected output:

Statement executed successfully.

Don’t know your username? Run SELECT CURRENT_USER(); first. Permission error on ALTER USER? You need a role allowed to alter the user (e.g. ACCOUNTADMIN, or the user altering their own key). Switch role and retry.


Step 3 — Verify the public key was registered (SQL)

DESC USER YOUR_USERNAME;

Expected output — look for the row RSA_PUBLIC_KEY_FP. Its value should be a fingerprint, not null:

property            value
------------------  ---------------------------
RSA_PUBLIC_KEY_FP   SHA256:abc123def456.....=

If RSA_PUBLIC_KEY_FP shows a SHA256:... value, the key is registered correctly. ✅
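
A local cross-check for Step 3 and for the "JWT token is invalid" row in Troubleshooting, added here as an example (it is not Triple Whale or Snowflake code): it computes the RSA_PUBLIC_KEY_FP value from the Step 1 key files, so you can confirm the private key you are about to paste matches what DESC USER reports. The function names and the script name check_key.sh are assumptions; the fingerprint is the base64-encoded SHA-256 of the DER-encoded public key, prefixed with SHA256:.

```shell
#!/usr/bin/env bash
# Added example: local checks on the Step 1 key files. Function names are
# assumptions. Fingerprint = "SHA256:" + base64(SHA-256(DER public key)).

# Read DER bytes on stdin, print them in the RSA_PUBLIC_KEY_FP format.
der_fp() {
  printf 'SHA256:%s\n' "$(openssl dgst -sha256 -binary | openssl enc -base64)"
}

# Fingerprint of a PEM public key file (rsa_key.pub).
pubkey_fp() {
  openssl rsa -pubin -in "$1" -noout 2>/dev/null || return 1   # reject non-keys
  openssl rsa -pubin -in "$1" -outform DER 2>/dev/null | der_fp
}

# Fingerprint of the public half derived from an unencrypted private key
# (rsa_key.p8), so the check runs without the secret leaving the machine.
privkey_fp() {
  openssl rsa -in "$1" -noout 2>/dev/null || return 1
  openssl rsa -in "$1" -pubout -outform DER 2>/dev/null | der_fp
}

# Succeeds only if the private key file is accessible by its owner alone.
private_key_perms_ok() {
  local mode
  # GNU stat first, then the BSD/macOS form.
  mode=$( { stat -c '%a' "$1" || stat -f '%Lp' "$1"; } 2>/dev/null ) || return 1
  case "$mode" in 600|400) return 0 ;; *) return 1 ;; esac
}

# Succeeds only if the private key matches the fingerprint copied from DESC USER.
key_matches_snowflake() {
  local fp
  fp=$(privkey_fp "$1") || return 1
  [ "$fp" = "$2" ]
}

# Usage: ./check_key.sh ~/snowflake-keys/rsa_key.p8 'SHA256:<value from DESC USER>'
if [ "$#" -eq 2 ]; then
  private_key_perms_ok "$1" || echo "warning: $1 is readable by other users"
  if key_matches_snowflake "$1" "$2"; then echo "match"; else echo "MISMATCH"; fi
fi
```

A MISMATCH means the key registered in Snowflake is not the public half of this private key; re-run Step 2 with the public key derived from it.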


Step 4 — Gather your connection details

You’ll need these for the Triple Whale connection form. Run this in Snowflake:

SELECT CURRENT_ORGANIZATION_NAME() || '-' || CURRENT_ACCOUNT_NAME() AS account_identifier,
       CURRENT_USER() AS username,
       CURRENT_WAREHOUSE() AS warehouse;

Expected output (example):

ACCOUNT_IDENTIFIER   USERNAME   WAREHOUSE
-------------------- ---------- -----------
XCIDOZG-LX35517      SHIMONTW   COMPUTE_WH

If WAREHOUSE comes back empty, run SHOW WAREHOUSES; and pick any name from the list.

You will also need your Database and Schema names (the ones you want Triple Whale to write to).


Step 5 — Connect in Triple Whale

In the Triple Whale Snowflake connection form, choose the Key Pair authentication option and fill in:

  1. In Triple Whale, go to Data > Integrations.

  2. Locate Snowflake and click Connect.

  3. Click the Use alternative connection method link at the bottom of the connection screen to choose the Key Pair option.

  4. Enter your connection details: AccountId, Warehouse, Database, Schema, Username, Role, Private Key.

  5. Click Save.

Field         Value
-----------   ------------------------------------
Account       from Step 4 (e.g. XCIDOZG-LX35517)
Username      from Step 4 (e.g. SHIMONTW)
Warehouse     from Step 4 (e.g. COMPUTE_WH)
Database      the database to write to
Schema        the schema to write to
Role          the role to use (e.g. ACCOUNTADMIN)
Private Key   paste the entire contents of rsa_key.p8 (including the -----BEGIN/END PRIVATE KEY----- lines)

To print the private key for copying:

cat ~/snowflake-keys/rsa_key.p8

Security: the private key is a secret — handle it like a password. Triple Whale stores it the same way it stores a connection password or token. Never commit it to git or share it over chat/email. You alone hold it; you can rotate it at any time by generating a new pair and re-running Step 2 with the new public key — which immediately invalidates the old one on Snowflake’s side.


Troubleshooting

Symptom: JWT token is invalid on connect
Cause / Fix: Public key in Snowflake doesn’t match the private key you provided. Re-run Step 2 with the public key derived from this private key.

Symptom: User ... not found / auth fails
Cause / Fix: Username mismatch, or ALTER USER was run against a different user. Verify with DESC USER.

Symptom: RSA_PUBLIC_KEY_FP is null in Step 3
Cause / Fix: The ALTER USER didn’t apply. Re-run it; check you have permission.

Symptom: Pasted key has extra spaces/line breaks
Cause / Fix: The public key string in Step 2 must be one line with no BEGIN/END and no spaces.
