Skip to main content
Domo Knowledge Base

Snowflake KeyPair Partition Connector

Version 2



The Domo Snowflake KeyPair Partition makes it easy to bring all your data from your Snowflake data warehouse into Domo based on the number of past days provided. If you are already using Snowflake as a data warehousing solution, this connector helps you use Domo in conjunction with it to get the most from your data. To use this connector, you must have your Snowflake account name (domain) and the username and private key for your Snowflake account. Use Domo's Snowflake KeyPair Partition connector to maximize your cloud data strategy by connecting your data to Domo and making it instantly accessible to everyone in your company.
Once your Snowflake data is in Domo, you can combine it with all your other Domo data to get a centralized view of your most mission-critical data. You connect to your Snowflake database in the Data Center. This topic discusses the fields and menus that are specific to the Snowflake KeyPair Unload V2 connector user interface. General information for adding DataSets, setting update schedules, and editing DataSet information is discussed in Adding a DataSet Using a Data Connector.


To connect to a Snowflake database and create a DataSet, you must have the following:

  • The full name of your account (provided by Snowflake). This is the portion of your Snowflake URL immediately following https://.
    Note that your full account name may include additional segments that identify the region and cloud platform where your account is hosted. For US West Region account_name and All other regions account_name.region_id. The following table provides account name examples by cloud platform/region. For each row, it assumes your account name is "xy12345."


  • The username used to connect to your Snowflake host.

  • The private key.

  • The passphrase. If you create an encrypted private key, then OpenSSL prompts for a passphrase used to encrypt the private key file.

  • The name for your role.
  • Your AWS access key. It is available in the AWS Console in the Security Credentials section or under Users if you are using IAM.

  • Your AWS secret key. was provided when you created your Access Key. You can generate a new one in the AWS Console.

  • The name of the AWS S3 bucket that your Snowflake data will be unloaded into.

  • Your Amazon S3 Region.

Configuring the public/private key pair

To configure the public/private key pair, follow these steps:

  1. From the command line in a terminal window, generate a private key.
    You can generate either an encrypted version of the private key or an unencrypted version of the private key.
    • To generate an unencrypted version, use the following command:

      $ openssl genrsa -out rsa_key.pem 2048
    • To generate an encrypted version, use the following command:

      $ openssl genrsa 2048 | openssl pkcs8 -topk8 -inform PEM -out rsa_key.p8

      It is typically safer to generate an encrypted version.

      If you use the second command to encrypt the private key, then OpenSSL prompts for a passphrase used to encrypt the private key file. We recommend using a strong passphrase to protect the private key. Record this passphrase in a secure location. You will input it when connecting to Snowflake. Note that the passphrase is only used for protecting the private key and will never be sent to Snowflake.

      The following is a sample PEM private key:


  2. From the command line, generate the public key by referencing the private key. Assuming the private key is encrypted and contained in the file named “rsa_key.p8”, use the following command:

    $ openssl rsa -in rsa_key.p8 -pubout -out

     The following is a sample PEM public key:

    -----BEGIN PUBLIC KEY-----
    -----END PUBLIC KEY-----

  3. Copy the public and private key files to a local directory for storage. Record the path to the files. Note that the private key is stored using the PKCS#8 (Public Key Cryptography Standards) format and is encrypted using the passphrase you specified in the previous step; however, the file should still be protected from unauthorized access using the file permission mechanism provided by your operating system. It is your responsibility to secure the file when it is not being used.

  4. Assign the public key to the Snowflake user using ALTER USER. For example:

    alter user jsmith set rsa_public_key='MIIBIjANBgkqh...';

    Note: Only security administrators (i.e. users with the SECURITYADMIN role) or higher can alter a user. Exclude the public key header and footer in the SQL statement.

  5.  Verify the user’s public key fingerprint using DESCRIBE USER:
    Property Value Default Description
    Name JSMITH null Name
    RSA_PUBLIC_KEY_FP SHA256:nvnONUsfiuycCLMXIEWG4eTp4FjhVUZQUQbNpbSHXiA= null Fingerprint of user's RSA public key.
    RSA_PUBLIC_KEY_2_FP  null null Fingerprint of user's second RSA public key.

    Note: For more information about the RSA_PUBLIC_KEY_2_FP property, see Key Rotation

  6. Modify and execute the sample code, below. The code decrypts the private key file and passes it to the Snowflake driver to create a connection:
    • Update the security parameters:
      • <path> specifies the local path to the private key file you created.
    • Update the session parameters:
      • <user> specifies your Snowflake login name.
      • <account> specifies the name of your account (provided by Snowflake).
    • The sample code is as follows:

      import java.util.Properties;
      import java.sql.Connection;
      import java.sql.Statement;
      import java.sql.ResultSet;
      import java.sql.DriverManager;
      import java.util.Base64;
      import javax.crypto.EncryptedPrivateKeyInfo;
      import javax.crypto.SecretKeyFactory;
      import javax.crypto.spec.PBEKeySpec;

      public class TestJdbc
          public static void main(String[] args)
              throws Exception
            File f = new File("<path>/rsa_key.p8");
            FileInputStream fis = new FileInputStream(f);
            DataInputStream dis = new DataInputStream(fis);
            byte[] keyBytes = new byte[(int) f.length()];

            String encrypted = new String(keyBytes);
            String passphrase = System.getenv("PRIVATE_KEY_PASSPHRASE");
            encrypted = encrypted.replace("-----BEGIN ENCRYPTED PRIVATE KEY-----", "");
            encrypted = encrypted.replace("-----END ENCRYPTED PRIVATE KEY-----", "");
            EncryptedPrivateKeyInfo pkInfo = new EncryptedPrivateKeyInfo(Base64.getMimeDecoder().decode(encrypted));
            PBEKeySpec keySpec = new PBEKeySpec(passphrase.toCharArray());
            SecretKeyFactory pbeKeyFactory = SecretKeyFactory.getInstance(pkInfo.getAlgName());
            PKCS8EncodedKeySpec encodedKeySpec = pkInfo.getKeySpec(pbeKeyFactory.generateSecret(keySpec));
            KeyFactory keyFactory = KeyFactory.getInstance("RSA");
            PrivateKey encryptedPrivateKey = keyFactory.generatePrivate(encodedKeySpec);

            String url = "jdbc:snowflake://<account>";
            Properties prop = new Properties();
            prop.put("user", "<user>");
            prop.put("account", "<account>");
            prop.put("privateKey", encryptedPrivateKey);

            Connection conn = DriverManager.getConnection(url, prop);
            Statement stat = conn.createStatement();
            ResultSet res = stat.executeQuery("select 1");

Key Rotation

Snowflake supports multiple active keys to allow for uninterrupted rotation. Rotate and replace your public and private keys based on the expiration schedule you follow internally.

Currently, you can use the RSA_PUBLIC_KEY and RSA_PUBLIC_KEY_2 parameters for ALTER USER to associate up to 2 public keys with a single user.

To rotate your keys,

  1. Complete the steps in Using Key Pair Authentication to...
    • Generate a new private and public key set.
    • Assign the public key to the user. Set the public key value to either RSA_PUBLIC_KEY or RSA_PUBLIC_KEY_2 (whichever key value is not currently in use).
      For example:

      alter user jsmith set rsa_public_key_2='JERUEHtcve...';
  2. Update the code to connect to Snowflake. Specify the new private key.
    Snowflake verifies the correct active public key for authentication based on the private key submitted with your connection information.
  3. Remove the old public key from the user profile. For example:

    alter user jsmith unset rsa_public_key;

Connecting to Your Snowflake Account

This section enumerates the options in the Credentials and Details panes in the Snowflake KeyPair Partition Connector page. The components of the other panes in this page, Scheduling and Name & Describe Your DataSet, are universal across most connector types and are discussed in greater length in Adding a DataSet Using a Data Connector.

Credentials Pane

This pane contains fields for entering credentials to your Snowflake account. The following table describes what is needed for each field:  



Account Name Enter the full name of your account (provided by Snowflake.) For US West Region account_name and All other regions account_name.region_id
Username Enter the username used to connect to your Snowflake host.
Private Key Enter the private key.
Passphrase If you create an encrypted private key, then OpenSSL prompts for a passphrase used to encrypt the private key file. Enter that passphrase here.
Role Enter the name for your role.

Once you have entered valid credentials, you can use the same account any time you to create a new Snowflake KayPair Partition dataset. You can manage connector accounts in the Accounts tab in the Data Center. For more information about this tab, see Managing User Accounts for Connectors.

Details Pane

This pane contains a primary Reports menu, along with various other menus which may or may not appear depending on the report type you select.




Enter the query to execute. The query format must be like: select * from databaseName.schemaName.tableName


Select the warehouse containing the data you want to retrieve. The list populates with all warehouses you have access to based on your credentials.  


Select the database containing the data you want to retrieve.  The list populates with all databases you have access to based on your credentials.


Select the database schema containing the data you want to retrieve. The list populates with all schemas you have access to based on your credentials.  

Database Objects

Select a database object.


Select the database table you want to retrieve.

Table Partition Column Name

Select the partition column name.


Select the view.

View Partition Column Name

Select the partition column name.

Past Days Enter the number of past days that you want to get data for. Value can be X, where X is a positive integer. Example: 30.
Date Format Select the required date format. By default yyyy-MM-dd will be used.
Custom Date Format Enter the custom date format.

Other Panes

For information about the remaining sections of the connector interface, including how to configure scheduling, retry, and update options, see Adding a DataSet Using a Data Connector.


Are there any API limits I should be aware of?

The limits depend on your server configuration.

How frequently will my data update?

DataSets can run as often as every 15 minutes. However, depending on the runtime of the query, DataSets may need to run less frequently.

What should I be aware of while writing a query?

Make sure that all the words, table names, and field names are correctly spelled. Refer to the Query Helper field for query help.

Why can't I connect to my Snowflake database? Do I need to whitelist any IP addresses?

Before you can connect to a Snowflake database, you must also whitelist a number of IP addresses on your database server on the port you want to connect to. For the full list of IP addresses, see Whitelisting IP Addresses in Domo.


  • Make sure your authentication remains valid.
  • Review the configuration to make sure that all required items have been selected.
  • Review the Connector history for error messages.
  • In rare cases, you may be requesting too much information and reaching API limitations or timeouts. If this is the case, you can review the history of the Connector run to see the error message and duration. If this is the case, you can reduce the number of accounts that are being pulled, choose a smaller number of metrics for the report that you are pulling, or reduce the timeframe that you are trying to pull.