So I have a Snowflake instance I am trying to set up for (pub/priv) key authentication for each user w/ key rotation.

Every user has an Akeyless account and I'm new to Akeyless/secret mgmt systems in general. After reading the docs though I feel more lost.

At first glance it seems that I should create a static secret for each user, store the public key in the sf db and store the private in the Akeyless static... but as I look more into rotated secrets and encryption keys it feels that I could let Akeyless take care of the actual rotation and generation. Would like to hear the community's experience and findings with this.

Thanks in advance!

Kenneth Cox
  • Key/pair authentication is more appropriate for when using drivers/connectors rather than regular users. I'm not saying it's not possible, but it feels indeed a bit overhead work to configure it for all users. Have you thought about other authentication options for regular users, like SSO, MFA, etc? – Sergiu Nov 08 '22 at 09:25
  • @Sergiu I see what you are saying... I'm new to the Cloud Dev position so I am trying to figure it out. It seems to be more of a "can we do it" R&D project right now. You made a good point and what is frankly confusing to me is that we use SSO for Snowflake currently... When I get a better understanding I will update this answer. – Kenneth Cox Nov 08 '22 at 16:29
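
The per-user key rotation the question describes, sketched as an added example that is not part of the original post or of Akeyless or Snowflake tooling. It relies on Snowflake's two public-key slots per user (`RSA_PUBLIC_KEY` and `RSA_PUBLIC_KEY_2`); the function names, `svc_user`, and the key body are constructed for illustration, and the `.p8` private key is what would go into the per-user secret.

```shell
# Added example: key rotation for one Snowflake user via its two key slots
# (RSA_PUBLIC_KEY and RSA_PUBLIC_KEY_2). Names such as svc_user are assumptions.

# Create an unencrypted PKCS#8 private key plus public key (requires openssl).
gen_keypair() {  # usage: gen_keypair <basename>
  openssl genrsa 2048 | openssl pkcs8 -topk8 -inform PEM -nocrypt -out "$1.p8" &&
    openssl rsa -in "$1.p8" -pubout -out "$1.pub"
}

# Accept only a plain identifier so the generated SQL cannot be altered.
valid_user() {
  case $1 in
    ''|[0-9]*|*[!A-Za-z0-9_]*) echo "bad user name" >&2; return 1 ;;
  esac
}

# Strip PEM armor and newlines; Snowflake takes the bare base64 body.
pem_body() {  # usage: pem_body <public-key.pem>
  grep -v -- '-----' "$1" | tr -d '\r\n'
}

# SQL that installs the new key in the slot NOT currently in use (1 or 2).
stage_sql() {  # usage: stage_sql <user> <active_slot> <public-key.pem>
  valid_user "$1" || return 1
  case $2 in
    1) slot=RSA_PUBLIC_KEY_2 ;;
    2) slot=RSA_PUBLIC_KEY ;;
    *) echo "active slot must be 1 or 2" >&2; return 1 ;;
  esac
  [ -r "$3" ] || { echo "cannot read $3" >&2; return 1; }
  body=$(pem_body "$3")
  case $body in
    ''|*[!A-Za-z0-9+/=]*) echo "not a base64 key body" >&2; return 1 ;;
  esac
  printf "ALTER USER %s SET %s='%s';\n" "$1" "$slot" "$body"
}

# SQL that retires the old slot once clients have the new private key.
retire_sql() {  # usage: retire_sql <user> <old_slot>
  valid_user "$1" || return 1
  case $2 in
    1) printf 'ALTER USER %s UNSET RSA_PUBLIC_KEY;\n' "$1" ;;
    2) printf 'ALTER USER %s UNSET RSA_PUBLIC_KEY_2;\n' "$1" ;;
    *) echo "old slot must be 1 or 2" >&2; return 1 ;;
  esac
}

# Demo with a constructed (not real) key body.
demo=$(mktemp)
printf '%s\n' '-----BEGIN PUBLIC KEY-----' 'Q09OU1RSVUNURUQ=' '-----END PUBLIC KEY-----' >"$demo"
stage_sql svc_user 1 "$demo"; retire_sql svc_user 1; rm -f "$demo"
```

Run the staged statement first, move clients to the new private key, then run the retire statement, so there is never a moment when neither key is accepted.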

1 Answer

I am not sure how you have set up your Snowflake within Akeyless, but the idea is to store in Akeyless a strong user with permissions to your Snowflake account to be able to create for you just-in-time secrets for your users (aka dynamic secrets). Now, an even easier way is to create a Target first that will be able to connect to your Snowflake account, and then have several Dynamic Secrets pointing to that Target, and each one of those DS will grant a different permission level to Snowflake. To complete the security part, using the RBAC model, you can define which user can have access (e.g. based on his email or on a group) to which DS.

Hope this info will be helpful