Snowflake Key Pair Rotation Tool for Hevo Data destinations
Snowflake Key Pair Rotation Tool
Automates Snowflake key-pair authentication setup and rotation with Hevo Data destinations.
Installation
From PyPI (Recommended)
pip install sf-rotation
From GitHub
pip install git+https://github.com/Legolasan/sf_rotation.git
From Source
git clone https://github.com/Legolasan/sf_rotation.git
cd sf_rotation
pip install .
Development Mode
git clone https://github.com/Legolasan/sf_rotation.git
cd sf_rotation
pip install -e .
Configuration
- Create a config file based on the example:
mkdir -p config
curl -o config/config.yaml https://raw.githubusercontent.com/Legolasan/sf_rotation/main/config/config.yaml.example
- Edit config/config.yaml with your credentials:
  - Snowflake account URL, admin credentials, target user
  - Hevo API credentials and destination details
  - Key encryption preferences
Usage
Command Line Interface
After installation, the sf-rotation command is available:
# Initial setup (creates new Hevo destination, saves destination_id to config)
sf-rotation setup --config config/config.yaml
# Update keys for existing destination (requires destination_id in config)
sf-rotation update-keys --config config/config.yaml
# Key rotation (for ongoing key rotations)
sf-rotation rotate --config config/config.yaml
# With encrypted private key
sf-rotation setup --config config/config.yaml --encrypted
Commands Overview
| Command | Description | Creates Hevo Destination? |
|---|---|---|
| setup | Initial setup - creates new Hevo destination | Yes |
| update-keys | Update keys for existing Hevo destination | No (requires destination_id) |
| rotate | Rotate keys with zero-downtime | No (requires destination_id) |
As Python Module
python -m sf_rotation setup --config config/config.yaml
python -m sf_rotation rotate --config config/config.yaml
Programmatic Usage
from sf_rotation import KeyGenerator, SnowflakeClient, HevoClient

# Generate keys (returns: private_key_path, public_key_path, backup_path)
generator = KeyGenerator(output_directory="./keys")
private_key_path, public_key_path, backup_path = generator.generate_key_pair(
    key_name="rsa_key",
    encrypted=False
)

# Connect to Snowflake
sf_client = SnowflakeClient(
    account_url="your_account.snowflakecomputing.com",
    username="admin",
    password="password"
)

# Set public key for user
public_key = generator.read_public_key(public_key_path)
formatted_key = generator.format_public_key_for_snowflake(public_key)
sf_client.set_rsa_public_key("target_user", formatted_key)

# Create Hevo destination
hevo = HevoClient(
    base_url="https://us.hevodata.com",
    username="hevo_user",
    password="hevo_pass"
)
private_key = generator.read_private_key(private_key_path)
hevo.create_destination(
    name="my_snowflake",
    account_url="your_account.snowflakecomputing.com",
    warehouse="WAREHOUSE",
    database_name="DATABASE",
    database_user="target_user",
    private_key=private_key
)
Features
- Generate RSA 2048-bit key pairs (encrypted or non-encrypted)
- Configure Snowflake users with RSA public keys
- Create/update Hevo Data destinations with key-pair authentication
- Seamless key rotation with automatic backup
- CLI and programmatic interfaces
Process Flow
Setup Mode (New Destination)
- Generate RSA key pair
- Connect to Snowflake (username/password)
- Set RSA_PUBLIC_KEY for target user
- Create Hevo destination with private key
- Auto-save destination_id to config file
Update-Keys Mode (Existing Destination)
- Verify destination_id exists in config
- Generate RSA key pair
- Connect to Snowflake and set public key
- Update existing Hevo destination with private key
Rotate Mode (Key Rotation)
- Backup existing keys
- Generate new key pair
- Set RSA_PUBLIC_KEY_2 in Snowflake
- Update Hevo destination with new private key
- Unset old RSA_PUBLIC_KEY
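A check an operator could run before the final "unset old key" step of Rotate Mode, shown as an added example that is not part of sf-rotation's own code: it computes the fingerprint Snowflake reports in DESC USER (RSA_PUBLIC_KEY_FP and RSA_PUBLIC_KEY_2_FP) from the local PEM files and classifies how far the rotation has progressed. The function names, the `desc_user` dict (property name to value, as read from DESC USER rows) and the sample keys (constructed bytes in PEM armor, not real RSA keys) are assumptions.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN PUBLIC KEY-----(.*?)-----END PUBLIC KEY-----", re.S)

def key_body(pem_text):
    """Base64 body of a PEM public key with armor and whitespace removed
    (Snowflake takes the key without the PEM delimiters)."""
    match = PEM_RE.search(pem_text)
    if not match:
        raise ValueError("no PUBLIC KEY block found")
    return "".join(match.group(1).split())

def fingerprint(pem_text):
    """'SHA256:' + base64(SHA-256 of the DER-encoded key), as DESC USER shows it."""
    der = base64.b64decode(key_body(pem_text), validate=True)
    return "SHA256:" + base64.b64encode(hashlib.sha256(der).digest()).decode()

def rotation_state(desc_user, old_pem, new_pem):
    """Classify rotation progress from the two fingerprint properties."""
    def slot(name):
        value = desc_user.get(name)
        return None if value in (None, "", "null") else value
    slot1, slot2 = slot("RSA_PUBLIC_KEY_FP"), slot("RSA_PUBLIC_KEY_2_FP")
    if slot2 != fingerprint(new_pem):
        return "new-key-not-registered"   # do not unset the old key yet
    if slot1 == fingerprint(old_pem):
        return "overlap"                  # both keys valid; clients can switch
    if slot1 is None:
        return "old-key-removed"          # rotation finished
    return "unexpected-key-in-slot-1"     # investigate before continuing

def constructed_pem(der):
    """Wrap arbitrary bytes in PEM armor (constructed sample, not a real key)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"

OLD_PEM = constructed_pem(bytes(range(96)))       # constructed sample input
NEW_PEM = constructed_pem(bytes(range(96, 192)))  # constructed sample input

if __name__ == "__main__":
    mid_rotation = {"RSA_PUBLIC_KEY_FP": fingerprint(OLD_PEM),
                    "RSA_PUBLIC_KEY_2_FP": fingerprint(NEW_PEM)}
    print(rotation_state(mid_rotation, OLD_PEM, NEW_PEM))
```

Only the "overlap" state means the old key can be unset once the Hevo destination is confirmed to connect with the new private key.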
Project Structure
sf_rotation/
├── src/sf_rotation/
│ ├── __init__.py # Package exports
│ ├── main.py # CLI entry point
│ ├── key_generator.py # OpenSSL key generation
│ ├── snowflake_client.py # Snowflake connection/key management
│ ├── hevo_client.py # Hevo API client
│ └── utils.py # Helper functions
├── config/
│ └── config.yaml.example # Configuration template
├── pyproject.toml # Package configuration
├── README.md
└── WORKFLOW.md # Detailed workflow documentation
Requirements
- Python 3.8+
- OpenSSL (for key generation)
- Snowflake account with admin access
- Hevo Data account with API access
Security Notes
- Private keys are stored with 600 permissions
- Keys directory is gitignored
- Config files with credentials are gitignored
- Passphrase prompted at runtime (not stored in config)
License
MIT License - see LICENSE file for details.
File details
Details for the file sf_rotation-1.1.0.tar.gz.
File metadata
- Download URL: sf_rotation-1.1.0.tar.gz
- Upload date:
- Size: 18.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.2
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 11ce078ca2f03f7a97af78b23fd63ef769e6fea611a251c33a6c18f7a8f7f3cd |
| MD5 | 992d02a661358f8f962fd94c8dbd823c |
| BLAKE2b-256 | 31b37daa85e6b2c26948247d6d85161c233202dc6c7edd3acc37f9b8b1433397 |
File details
Details for the file sf_rotation-1.1.0-py3-none-any.whl.
File metadata
- Download URL: sf_rotation-1.1.0-py3-none-any.whl
- Upload date:
- Size: 19.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.2
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 57c53bd99e174fb30eccdff75587f7403b75a456e139ddf6635c2d98e296cef5 |
| MD5 | d4f1b73bbdeabcb068918cd4d70f53ba |
| BLAKE2b-256 | 4935849ecac181fb01034a24e3a1a0412cc77d48f18c5befe9631da8e6419c58 |