snowflakedb / snowflake-connector-net

Snowflake Connector for .NET
Apache License 2.0
180 stars 138 forks source link

SNOW-1674771: Key-Pair Authenticator: Accept a RSA Object instead of a string #1027

Open HRusby opened 2 months ago

HRusby commented 2 months ago

What is the current behavior?

Currently in order to connect to Snowflake via the Key-Pair Authenticator, you must pass the RSA Private Key as a string in to the Connection String.

What is the desired behavior?

Similarly to the PythonConnector it should be possible to pass an RSA Object into the Authenticator such that we don't need to store the private key as plaintext.

How would this improve snowflake-connector-net?

This would enable more secure workflows where the RSA Private Key is stored in a KeyVault (e.g. Azure Key Vault) that do not allow the private key to be retrieved.

From an initial look at the code, I suspect the RSA Object could be added to the SFSession object which would make it available in the KeyPairAuthenticator. I would expect the RSA object it takes to be a System.Security.Cryptography.RSA

sfc-gh-dszmolka commented 2 months ago

thank you for your suggestion - the team will consider for future plans. No timeline estimated for the implementation. If the change is important for you, do reach out to your Account Team please and let them know of this requirement. They can help prioritising requests which are required by many customers.