Headless Snowflake Auth with Okta? Use Key Pair Authentication Instead.

I recently had to load data into Snowflake from a headless EC2 Linux 2023 instance. Easy, right? Until you realize that your org uses Okta SSO and SnowSQL’s go-to option is --authenticator externalbrowser. Great, except there’s no browser on this box.

After trying a few dead ends (including looking for a magical --output oauth flag that doesn’t exist), I landed on something that actually works and is secure: key pair authentication using JWT.

If you’re in the same boat—headless machine, no browser, and no interest in storing passwords—this is for you.

Step 1: Generate a Private/Public Key Pair on Your EC2 Instance

mkdir -p ~/.snowflake
openssl genrsa 2048 | openssl pkcs8 -topk8 -inform PEM -out ~/.snowflake/rsa_key.p8 -nocrypt
openssl rsa -in ~/.snowflake/rsa_key.p8 -pubout -out ~/.snowflake/rsa_key.pub
chmod 600 ~/.snowflake/rsa_key.p8

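This gives you a PEM-formatted, unencrypted private key that Snowflake can work with. Because of -nocrypt the key sits on disk in the clear, so the chmod 600 permissions are what keep other local users from reading it.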

Step 2: Add the Public Key to Your Snowflake User

Grab the base64-encoded key from rsa_key.pub (strip headers and line breaks):

grep -v -- '-----' ~/.snowflake/rsa_key.pub | tr -d '\n'

Then in Snowflake (you’ll need admin permissions):

ALTER USER your_user_name SET RSA_PUBLIC_KEY='MIIBIjANBgkqhkiG...';

Confirm it with:

DESC USER your_user_name;

You should see your RSA public key listed.

Step 3: Update Your SnowSQL Config

In ~/.snowsql/config, define a new connection:

[connections.ec2]
accountname = youraccount.region
username = your_user_name
authenticator = SNOWFLAKE_JWT
private_key_path = /home/ec2-user/.snowflake/rsa_key.p8

The important piece here is:

authenticator = SNOWFLAKE_JWT

I lost an hour trying authenticator = snowflake before realizing this is what enables key pair-based login.

Step 4: Connect from SnowSQL

Now you can run:

snowsql -c ec2

And you’re in. No browser, no passwords, no problems.

Why This Works

Snowflake supports JWT-based authentication using a private key registered to a user. Behind the scenes, the SnowSQL client signs a JWT with your key, Snowflake verifies it, and you’re authenticated.
It’s secure, works great in CI/CD or scripts, and you don’t have to hardcode any secrets into your environment. If your job involves headless environments and enterprise SSO, this is the cleanest way I’ve found to bridge that gap. Happy querying.
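
As an added example (not SnowSQL's code and not part of the original post), the script below builds the kind of JWT described above using only openssl, following Snowflake's documented claim layout, and computes the fingerprint you can compare with RSA_PUBLIC_KEY_FP in the DESC USER output. MYACCOUNT, MY_USER and the throwaway key pair are constructed placeholders.

```bash
# Added example: build and check a key-pair JWT with openssl.
set -e

b64url()     { openssl base64 -A | tr '/+' '_-' | tr -d '='; }
b64url_dec() {  # stdin: unpadded base64url
  local s; s=$(tr '_-' '/+')
  while [ $(( ${#s} % 4 )) -ne 0 ]; do s="$s="; done
  printf '%s' "$s" | base64 -d
}

# SHA-256 over the DER-encoded public key. Compare this with the
# RSA_PUBLIC_KEY_FP row of DESC USER to confirm Step 2 took the right key.
pub_fingerprint() {  # $1 = public key PEM
  printf 'SHA256:%s' "$(openssl rsa -pubin -in "$1" -outform DER 2>/dev/null |
    openssl dgst -sha256 -binary | openssl base64 -A)"
}

# $1 = private key, $2 = public key, $3 = ACCOUNT, $4 = USER (both uppercase)
make_jwt() {
  local now fp head claims sig
  now=$(date +%s); fp=$(pub_fingerprint "$2")
  head=$(printf '{"alg":"RS256","typ":"JWT"}' | b64url)
  claims=$(printf '{"iss":"%s.%s.%s","sub":"%s.%s","iat":%d,"exp":%d}' \
    "$3" "$4" "$fp" "$3" "$4" "$now" "$((now + 3600))" | b64url)
  sig=$(printf '%s' "$head.$claims" | openssl dgst -sha256 -sign "$1" | b64url)
  printf '%s.%s.%s' "$head" "$claims" "$sig"
}

jwt_claims() { printf '%s' "$1" | cut -d. -f2 | b64url_dec; }

# Server-side view: the token is accepted only if the RS256 signature
# checks out against the registered public key.
verify_jwt() {  # $1 = JWT, $2 = public key PEM; status 0 when valid
  local sigfile rc=0
  sigfile=$(mktemp)
  printf '%s' "${1##*.}" | b64url_dec > "$sigfile"
  printf '%s' "${1%.*}" | openssl dgst -sha256 -verify "$2" \
    -signature "$sigfile" >/dev/null 2>&1 || rc=$?
  rm -f "$sigfile"
  return "$rc"
}

# Demo with a throwaway key pair (constructed; not ~/.snowflake/rsa_key.p8).
demo=$(mktemp -d)
openssl genrsa 2048 2>/dev/null | openssl pkcs8 -topk8 -nocrypt -out "$demo/k.p8"
openssl rsa -in "$demo/k.p8" -pubout -out "$demo/k.pub" 2>/dev/null
jwt=$(make_jwt "$demo/k.p8" "$demo/k.pub" MYACCOUNT MY_USER)
jwt_claims "$jwt"; echo
verify_jwt "$jwt" "$demo/k.pub" && echo "signature OK"
```

If login fails after Step 2, a mismatch between pub_fingerprint's output for your real rsa_key.pub and RSA_PUBLIC_KEY_FP is the first thing to rule out.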