SNOW-1674771: Key-Pair Authenticator: Accept a RSA Object instead of a string

[HRusby]

What is the current behavior?

Currently in order to connect to Snowflake via the Key-Pair Authenticator, you must pass the RSA Private Key as a string in to the Connection String.

What is the desired behavior?

Similarly to the PythonConnector it should be possible to pass an RSA Object into the Authenticator such that we don't need to store the private key as plaintext.

How would this improve snowflake-connector-net?

This would enable more secure workflows where the RSA Private Key is stored in a KeyVault (e.g. Azure Key Vault) that do not allow the private key to be retrieved.

From an initial look at the code, I suspect the RSA Object could be added to the SFSession object which would make it available in the KeyPairAuthenticator. I would expect the RSA object it takes to be a System.Security.Cryptography.RSA

[sfc-gh-dszmolka]

thank you for your suggestion - the team will consider for future plans. No timeline estimated for the implementation. If the change is important for you, do reach out to your Account Team please and let them know of this requirement. They can help prioritising requests which are required by many customers.

[garantir-km]

We would like to second this request and we have partners that also need this feature. As it is currently, keypair authentication must use software-based private keys which is insecure. Please allow us to use any RSA object, instead of only supporting something specific like Azure Key Vault. Users may want to use a YubiKey, an HSM, AWS KMS, or something else. It would be great to see this implemented consistently across all the connectors.

[sfc-gh-dszmolka]

Please by all means, let your Snowflake Account Team know (SPOC: your Sales representative) and ask your Partners to do the same. The more inputs we have a particular feature requests, especially if use-cases are attached too, the better we can prioritize the work for our relevant team(s). Thank you in advance !

[sfc-gh-dszmolka]

For all the people watching this: please take a look at new authentication methods implemented since this issue was raised.

• PAT - https://docs.snowflake.com/en/user-guide/programmatic-access-tokens
• WIF - https://docs.snowflake.com/en/user-guide/workload-identity-federation
  perhaps it can be an alternative.