Snowflake-Labs/schemachange

private key loading error

Closed this issue · 1 comments

Describe the bug
Per the documentation at https://github.com/Snowflake-Labs/schemachange?tab=readme-ov-file#private-key-authentication, schemachange supports private key auth, but I am running into an issue where it fails with an error loading the private key.

To Reproduce
Steps to reproduce the behavior:

  1. Generate key pairs using openssl on linux

Generate the private key and save it to rsa_key.p8

openssl genrsa 2048 | openssl pkcs8 -topk8 -inform PEM -v1 PBE-SHA1-3DES -out rsa_key.p8

Extract the public key from rsa_key.p8 and save it to rsa_key.pub

openssl rsa -in rsa_key.p8 -pubout -out rsa_key.pub

  2. Define environment vars to store the key contents
    SNOWFLAKE_AUTHENTICATOR: "snowflake"
    SNOWFLAKE_PRIVATE_KEY_PATH: "/tmp/snowflake_private_key.pem"
    SNOWFLAKE_PRIVATE_KEY_PASSPHRASE: "11"
    SNOWFLAKE_PRIVATE_KEY_CONTENT: "/snowflake/svc/private_key:rsa_key"

  3. Dump contents of private key into a file

    • echo "Creating private key file from secret content"
    • echo "$SNOWFLAKE_PRIVATE_KEY_CONTENT" > $SNOWFLAKE_PRIVATE_KEY_PATH
    • chmod 600 $SNOWFLAKE_PRIVATE_KEY_PATH
  4. Run schemachange tool

    • schemachange -f ./MY_DB -a $SF_ACCOUNT -u $SF_USERNAME -r $SF_ROLE -w $SF_WAREHOUSE -d $SF_DATABASE $DRY_RUN --verbose

Expected behavior
schemachange is able to connect to the database and deploy changes

Error

Proceeding with private key authentication
Traceback (most recent call last):
  File "/root/.pyenv/versions/3.11.8/bin/schemachange", line 8, in <module>
    sys.exit(main())
             ^^^^^^
  File "/root/.pyenv/versions/3.11.8/lib/python3.11/site-packages/schemachange/cli.py", line 1309, in main
    deploy_command(config)
  File "/root/.pyenv/versions/3.11.8/lib/python3.11/site-packages/schemachange/cli.py", line 601, in deploy_command
    session = SnowflakeSchemachangeSession(config)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/root/.pyenv/versions/3.11.8/lib/python3.11/site-packages/schemachange/cli.py", line 283, in __init__
    if self.set_connection_args():
       ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/root/.pyenv/versions/3.11.8/lib/python3.11/site-packages/schemachange/cli.py", line 429, in set_connection_args
    p_key = serialization.load_pem_private_key(
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/root/.pyenv/versions/3.11.8/lib/python3.11/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 494, in _handle_key_loading_error
    raise ValueError(
ValueError: ('Could not deserialize key data. The data may be in an incorrect format, it may be encrypted with an unsupported algorithm, or it may be an unsupported key type (e.g. EC curves with explicit parameters).', [<OpenSSLError(code=503841036, lib=60, reason=524556, reason_text=unsupported)>])

[Container] 2024/07/29 20:43:24.796173 Command did not exit successfully schemachange -f ./C2C_DB -a $SF_ACCOUNT -u $SF_USERNAME -r $SF_ROLE -w $SF_WAREHOUSE -d $SF_DATABASE $DRY_RUN --verbose exit status 1
[Container] 2024/07/29 20:43:24.799926 Phase complete: BUILD State: FAILED
[Container] 2024/07/29 20:43:24.799945 Phase context status code: COMMAND_EXECUTION_ERROR Message: Error while executing command: schemachange -f ./C2C_DB -a $SF_ACCOUNT -u $SF_USERNAME -r $SF_ROLE -w $SF_WAREHOUSE -d $SF_DATABASE $DRY_RUN --verbose. Reason: exit status 1


Screenshots

Schemachange (please complete the following information):

  • Version: 3.7.0

Additional context
Supplied

What types of private key are supported? Do I have to put the entire key file contents, or remove the header, footer and newlines?

This was resolved by encoding the private key as base64 and removing newlines from the base64-encoded file, using the following steps:

private key must be in pkcs8 format
base64 encode it using
base64 id_rsa2 > id_rsa2_base64

copy back to windows machine and open in notepad++
remove newline chars from base64 encoded file to convert to a long string
save that as env var in secrets manager
SNOWFLAKE_PRIVATE_KEY_CONTENT: "/snowflake/svc/private_key:rsa_key_pkcs8_base64"

in ci/cd pipeline
create a temp file and dump contents of the private key secret after doing base64 decode

env vars:
SNOWFLAKE_PRIVATE_KEY_PATH: "/tmp/snowflake_private_key_pkcs8"
SNOWFLAKE_PRIVATE_KEY_CONTENT: "/snowflake/svc/private_key:rsa_key_pkcs8_base64"

commands:
- echo "$SNOWFLAKE_PRIVATE_KEY_CONTENT" | base64 --decode > $SNOWFLAKE_PRIVATE_KEY_PATH
- chmod 600 $SNOWFLAKE_PRIVATE_KEY_PATH
- echo "Verifying private key file creation"
- ls -l $SNOWFLAKE_PRIVATE_KEY_PATH
- schemachange -f ./DB -a $SF_ACCOUNT -u $SF_USERNAME -r $SF_ROLE -w $SF_WAREHOUSE -d $SF_DATABASE $DRY_RUN --verbose

schemachange should use private key auth now
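
A preflight check for the failure discussed in this thread, added here as an example (it is not schemachange's code and not from the issue's participants): it classifies key text pulled from a secret before it is written to SNOWFLAKE_PRIVATE_KEY_PATH, handling collapsed newlines and the base64-wrapped form used in the resolution. The function name, status strings and sample bytes are assumptions made for the example; it inspects the PEM container only and does not decrypt or validate the key.

```python
import base64
import binascii
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.DOTALL)
# PEM label -> container format, as a PKCS#8 loader would see it.
LABELS = {
    "PRIVATE KEY": "pkcs8-unencrypted",
    "ENCRYPTED PRIVATE KEY": "pkcs8-encrypted",
    "RSA PRIVATE KEY": "pkcs1-not-pkcs8",
}


def normalize_key_material(secret):
    """Classify key text read from a secret; return (status, clean PEM or None)."""
    text = secret.strip().replace("\\n", "\n")  # literal backslash-n from JSON/YAML
    wrapped = "-----BEGIN" not in text
    if wrapped:  # maybe base64 of the whole PEM file, as in the resolution above
        try:
            text = base64.b64decode("".join(text.split()), validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            return "not-a-key", None
    match = PEM_RE.search(text)
    if not match:
        return "not-a-key", None
    label, body = match.group(1), "".join(match.group(2).split())
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error:
        return "corrupt-body", None
    if der[:1] != b"\x30":  # every DER-encoded private key starts with a SEQUENCE
        return "corrupt-body", None
    # Re-wrap at 64 columns: restores line breaks lost in an env var or secret store.
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    pem = "\n".join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----", ""])
    kind = LABELS.get(label, "unknown-label")
    return ("base64-wrapped-" + kind if wrapped else kind), pem


# Constructed sample: placeholder DER-shaped bytes, not a real key.
SAMPLE_B64 = base64.b64encode(b"\x30\x81\xc8" + bytes(range(200))).decode()
SAMPLE_PEM = "\n".join(["-----BEGIN ENCRYPTED PRIVATE KEY-----",
                        *[SAMPLE_B64[i:i + 64] for i in range(0, len(SAMPLE_B64), 64)],
                        "-----END ENCRYPTED PRIVATE KEY-----", ""])

if __name__ == "__main__":
    flattened = SAMPLE_PEM.replace("\n", " ")  # newlines collapsed in transit
    print(normalize_key_material(flattened)[0])
```

A status of `not-a-key` or `corrupt-body` means the secret did not survive transit as PEM; `pkcs1-not-pkcs8` means the file is not in the PKCS#8 form the resolution above calls for.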