Migrating GitHub Actions from Password to Key-Pair Authentication

Migrate Snowflake integration tests to GitHub Actions using key-pair authentication.

Table of contents

  1. Why Migrate?
  2. Migration Steps
    1. 1. Generate Key Pair
    2. 2. Configure Snowflake
    3. 3. Update GitHub Secrets
    4. 4. Update Your Workflow
    5. 5. Test the Migration
  3. Troubleshooting
    1. “Failed to load private key”
    2. “Authentication failed”
    3. “Invalid private key”
  4. Best Practices
  5. Example GitHub Actions Configuration
  6. Support

This guide helps you migrate your GitHub Actions workflows from password-based authentication to key-pair authentication for Snowflake, which is required when MFA is enabled.

Why Migrate?

  • MFA Enforcement: Snowflake accounts with MFA enabled cannot use password authentication in CI/CD
  • Security: Key-pair authentication is more secure than storing passwords
  • Future-Proof: Snowflake is phasing out password authentication for programmatic access by November 2025

Migration Steps

1. Generate Key Pair

Run the setup script on your local machine:

python scripts/setup-snowflake-keypair.py

This will:

  • Generate an RSA private/public key pair
  • Save them to ~/.snowflake/ directory
  • Create SQL statements for Snowflake configuration

2. Configure Snowflake

Execute the generated SQL in Snowflake as ACCOUNTADMIN or with appropriate privileges:

-- Set the public key for your CI/CD user
ALTER USER github_actions_user SET RSA_PUBLIC_KEY='<your_public_key_content>';

-- Verify the key was set
DESC USER github_actions_user;

3. Update GitHub Secrets

  1. Go to your repository on GitHub
  2. Navigate to Settings > Secrets and variables > Actions
  3. Delete the old SNOWFLAKE_PASSWORD secret (if exists)
  4. Create a new secret:
    • Name: SNOWFLAKE_PRIVATE_KEY
    • Value: Copy the entire content of your private key file (including headers)

Example private key format:

-----BEGIN RSA PRIVATE KEY-----
MIIEpgIBAAKCAQEA0i365dQErWgl4zo7+YdabqFK17B8uz81Z+vTTYJBs3HwZrkc
... (key content) ...
-----END RSA PRIVATE KEY-----

4. Update Your Workflow

The Snowflake integration workflow has been updated to use key-pair authentication. No changes needed if you’re using the standard workflow.

If you have custom workflows, update them to:

Before (Password Authentication):

env:
  SNOWFLAKE_PASSWORD: $

After (Key-Pair Authentication):

env:
  SNOWFLAKE_PRIVATE_KEY: $

5. Test the Migration

  1. Push a small change to trigger the workflow
  2. Check the workflow logs for successful Snowflake connection
  3. Verify tests are passing

Troubleshooting

“Failed to load private key”

  • Ensure you copied the entire private key content including headers
  • Check that the key is in PEM format (starts with -----BEGIN RSA PRIVATE KEY-----)
  • Verify no extra whitespace or line breaks were added

“Authentication failed”

  • Verify the public key was correctly set in Snowflake
  • Ensure the user account exists and is active
  • Check that the account identifier is correct

“Invalid private key”

  • The key pair might not match - regenerate both keys
  • Ensure you’re using the correct private key for the configured public key

Best Practices

  1. Rotate Keys Regularly: Generate new key pairs every 90 days
  2. Use Separate Keys: Don’t reuse keys across different environments
  3. Secure Storage: Never commit private keys to version control
  4. Minimal Permissions: Grant only necessary permissions to CI/CD users

Example GitHub Actions Configuration 

- name: Run Snowflake Tests
  env:
    SNOWFLAKE_ACCOUNT: $
    SNOWFLAKE_USER: $
    SNOWFLAKE_PRIVATE_KEY: $
    SNOWFLAKE_DATABASE: TEST_DB
    SNOWFLAKE_WAREHOUSE: COMPUTE_WH
  run: |
    pytest tests/integration/ -m "snowflake"

Support

If you encounter issues:

  1. Check the Snowflake MFA CI/CD documentation
  2. Review the setup script
  3. Open an issue on GitHub with error details