deployment dev changes

Author: shushilgirish

.github/workflows/snowpark-ci-cd.yml

@@ -154,36 +154,20 @@ jobs:
           # Debug the Snowflake account format
           echo "Using Snowflake account: ${SNOWFLAKE_ACCOUNT}"
           
-          # Store private key from GitHub secrets
+          # Store private key correctly from GitHub secrets
           echo "${{ secrets.SNOWFLAKE_PRIVATE_KEY }}" > ~/.snowflake/keys/rsa_key.p8
           chmod 600 ~/.snowflake/keys/rsa_key.p8
           
-          # Install cryptography for key handling
+          # Install required packages
           pip install cryptography snowflake-connector-python
           
-          # Validate the key format
-          python -c "
-          from cryptography.hazmat.backends import default_backend
-          from cryptography.hazmat.primitives import serialization
-          try:
-              with open('~/.snowflake/keys/rsa_key.p8', 'rb') as f:
-                  private_key = serialization.load_pem_private_key(
-                      f.read(),
-                      password=None,
-                      backend=default_backend()
-                  )
-              print('Private key format is valid')
-          except Exception as e:
-              print(f'Error with private key format: {e}')
-              # Don't exit with error yet
-          "
-          
-          # Create connection profile for the environment with key authentication
+          # Create connection profile for the environment with direct key authentication
           cat > ~/.snowflake/connections.toml << EOF
           [dev]
           account = "$SNOWFLAKE_ACCOUNT"
           user = "$SNOWFLAKE_USER"
-          private_key_path = "~/.snowflake/keys/rsa_key.p8"
+          # Using direct path, no expansion needed in GitHub Actions
+          private_key_path = "/home/runner/.snowflake/keys/rsa_key.p8"
           warehouse = "CO2_WH_DEV"
           role = "CO2_ROLE_DEV"
           database = "CO2_DB_DEV"
@@ -192,7 +176,8 @@ jobs:
           [prod]
           account = "$SNOWFLAKE_ACCOUNT"
           user = "$SNOWFLAKE_USER"
-          private_key_path = "~/.snowflake/keys/rsa_key.p8"
+          # Using direct path, no expansion needed in GitHub Actions
+          private_key_path = "/home/runner/.snowflake/keys/rsa_key.p8"
           warehouse = "CO2_WH_PROD"
           role = "CO2_ROLE_PROD"
           database = "CO2_DB_PROD"
@@ -201,33 +186,43 @@ jobs:
           
           chmod 600 ~/.snowflake/connections.toml
           
-          # Verify the connection file was created properly (without showing keys)
+          # Verify the connection file was created properly
           echo "Connection file created with profiles:"
           grep -v private_key ~/.snowflake/connections.toml
           
-          # Test Snowflake connection with key authentication
-          pip install snowflake-connector-python cryptography
+          # Test the key can be read properly (without connecting)
           python -c "
-          import snowflake.connector
-          import os
           from cryptography.hazmat.backends import default_backend
-          from cryptography.hazmat.primitives.asymmetric import rsa
-          from cryptography.hazmat.primitives.asymmetric import padding
+          from cryptography.hazmat.primitives import serialization
+          import os
+          
+          key_path = '/home/runner/.snowflake/keys/rsa_key.p8'
+          print(f'Checking key at: {key_path}')
+          print(f'Key exists: {os.path.exists(key_path)}')
+          
           try:
-              with open(os.path.expanduser('~/.snowflake/keys/rsa_key.p8'), 'rb') as key:
-                  p_key = key.read()
-              
-              conn = snowflake.connector.connect(
-                  user='$SNOWFLAKE_USER',
-                  account='$SNOWFLAKE_ACCOUNT',
-                  private_key=p_key,
-                  warehouse='CO2_WH_DEV',
-                  database='CO2_DB_DEV'
-              )
-              print('Connection successful!')
-              conn.close()
+              with open(key_path, 'rb') as f:
+                  key_data = f.read()
+                  print(f'Key length: {len(key_data)} bytes')
+                  print(f'Key starts with: {key_data[:30]}')
+                  
+                  # Try to load the key to validate format
+                  p_key = serialization.load_pem_private_key(
+                      key_data,
+                      password=None,
+                      backend=default_backend()
+                  )
+                  print('Key loaded successfully!')
+                  
+                  # Convert to DER format as required by Snowflake
+                  pkb = p_key.private_bytes(
+                      encoding=serialization.Encoding.DER,
+                      format=serialization.PrivateFormat.PKCS8,
+                      encryption_algorithm=serialization.NoEncryption()
+                  )
+                  print('Key converted to DER format successfully!')
           except Exception as e:
-              print(f'Connection test failed: {e}')
+              print(f'Error processing key: {e}')
           "
           
       - name: Generate configuration and SQL files

scripts/check_snowflake_key_auth.py

@@ -0,0 +1,139 @@
+import os
+import sys
+import argparse
+import base64
+from pathlib import Path
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives import serialization
+
+def check_key_auth(key_path):
+    """
+    Check if a private key file is valid for Snowflake authentication.
+    
+    Args:
+        key_path: Path to the private key file
+    """
+    # Expand the path
+    key_path = os.path.expanduser(key_path)
+    
+    print(f"Checking private key at: {key_path}")
+    
+    if not os.path.exists(key_path):
+        print(f"❌ ERROR: File does not exist: {key_path}")
+        return False
+    
+    print(f"✓ File exists ({os.path.getsize(key_path)} bytes)")
+    
+    try:
+        # Read the file
+        with open(key_path, "rb") as key_file:
+            key_data = key_file.read()
+        
+        print(f"✓ File read successfully")
+        
+        # First 30 chars for debugging
+        print(f"Key starts with: {key_data[:30]}")
+        
+        # Check if it looks like a PEM file
+        if not key_data.startswith(b"-----BEGIN"):
+            print("❌ ERROR: File doesn't appear to be in PEM format")
+            return False
+        
+        print(f"✓ File appears to be in PEM format")
+        
+        # Try to load the private key
+        private_key = serialization.load_pem_private_key(
+            key_data,
+            password=None,
+            backend=default_backend()
+        )
+        
+        print(f"✓ Key loaded successfully!")
+        
+        # Convert to DER format required by Snowflake
+        pkb = private_key.private_bytes(
+            encoding=serialization.Encoding.DER,
+            format=serialization.PrivateFormat.PKCS8,
+            encryption_algorithm=serialization.NoEncryption()
+        )
+        
+        print(f"✓ Key converted to DER format successfully!")
+        
+        # Create a sample connection code
+        print("\nSample connection code:")
+        print("-----------------------")
+        print("import snowflake.connector")
+        print("from cryptography.hazmat.backends import default_backend")
+        print("from cryptography.hazmat.primitives import serialization")
+        print("")
+        print(f"# Read private key from {key_path}")
+        print("with open(key_path, 'rb') as key_file:")
+        print("    p_key = serialization.load_pem_private_key(")
+        print("        key_file.read(),")
+        print("        password=None,")
+        print("        backend=default_backend()")
+        print("    )")
+        print("")
+        print("# Convert to DER format")
+        print("pkb = p_key.private_bytes(")
+        print("    encoding=serialization.Encoding.DER,")
+        print("    format=serialization.PrivateFormat.PKCS8,")
+        print("    encryption_algorithm=serialization.NoEncryption()")
+        print(")")
+        print("")
+        print("# Connect to Snowflake")
+        print("conn = snowflake.connector.connect(")
+        print("    user='YOUR_USERNAME',")
+        print("    account='YOUR_ACCOUNT',")
+        print("    private_key=pkb")
+        print(")")
+        
+        print("\n✅ The key appears to be valid for Snowflake key-pair authentication!")
+        print("   Add it to your GitHub secrets or use it locally.")
+        
+        return True
+    except Exception as e:
+        print(f"❌ ERROR: {str(e)}")
+        return False
+
+def format_key_for_github(key_path):
+    """
+    Format a private key for GitHub secrets.
+    
+    Args:
+        key_path: Path to the private key file
+    """
+    # Expand the path
+    key_path = os.path.expanduser(key_path)
+    
+    if not os.path.exists(key_path):
+        print(f"❌ ERROR: File does not exist: {key_path}")
+        return
+    
+    try:
+        # Read the file
+        with open(key_path, "rb") as key_file:
+            key_data = key_file.read()
+        
+        # Format for GitHub secrets (keep newlines)
+        formatted = key_data.decode('utf-8')
+        
+        print("\nFormatted key for GitHub secrets:")
+        print("--------------------------------")
+        print(formatted)
+        print("--------------------------------")
+        print("\nAdd this entire text including BEGIN/END lines and all newlines to your GitHub secret.")
+    except Exception as e:
+        print(f"❌ ERROR: {str(e)}")
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser(description="Check if a private key is valid for Snowflake authentication")
+    parser.add_argument("--key-path", default="~/.snowflake/keys/rsa_key.p8", help="Path to the private key file")
+    parser.add_argument("--format-for-github", action="store_true", help="Format the key for GitHub secrets")
+    
+    args = parser.parse_args()
+    
+    if args.format_for_github:
+        format_key_for_github(args.key_path)
+    else:
+        check_key_auth(args.key_path)

scripts/setup_keypair_auth.py

@@ -0,0 +1,134 @@
+import os
+import sys
+import argparse
+from pathlib import Path
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives.asymmetric import rsa
+from cryptography.hazmat.primitives import serialization
+
+def setup_keypair_auth(username, account_name, key_dir="~/.snowflake/keys", key_size=2048):
+    """
+    Set up key pair authentication for Snowflake.
+    
+    Args:
+        username: Snowflake username
+        account_name: Snowflake account name
+        key_dir: Directory to store keys
+        key_size: Size of the RSA key
+    """
+    # Expand the path
+    key_dir = os.path.expanduser(key_dir)
+    
+    # Create directory if it doesn't exist
+    os.makedirs(key_dir, exist_ok=True)
+    
+    print(f"Generating {key_size}-bit RSA key pair for Snowflake authentication...")
+    
+    # Generate private key
+    private_key = rsa.generate_private_key(
+        public_exponent=65537,
+        key_size=key_size,
+        backend=default_backend()
+    )
+    
+    # Get public key
+    public_key = private_key.public_key()
+    
+    # Save private key
+    private_key_path = os.path.join(key_dir, "rsa_key.p8")
+    with open(private_key_path, "wb") as f:
+        f.write(
+            private_key.private_bytes(
+                encoding=serialization.Encoding.PEM,
+                format=serialization.PrivateFormat.PKCS8,
+                encryption_algorithm=serialization.NoEncryption()
+            )
+        )
+    
+    # Save public key
+    public_key_path = os.path.join(key_dir, "rsa_key.pub")
+    with open(public_key_path, "wb") as f:
+        f.write(
+            public_key.public_bytes(
+                encoding=serialization.Encoding.PEM,
+                format=serialization.PublicFormat.SubjectPublicKeyInfo
+            )
+        )
+    
+    # Format public key for Snowflake SQL
+    public_key_text = public_key.public_bytes(
+        encoding=serialization.Encoding.PEM,
+        format=serialization.PublicFormat.SubjectPublicKeyInfo
+    ).decode("utf-8")
+    
+    # Remove header and footer
+    clean_public_key = "".join(public_key_text.strip().split("\n")[1:-1])
+    
+    # Create SQL script
+    sql_path = os.path.join(key_dir, "register_key.sql")
+    with open(sql_path, "w") as f:
+        f.write(f"""-- Execute this SQL in Snowflake to register your public key
+ALTER USER {username} SET RSA_PUBLIC_KEY='-----BEGIN PUBLIC KEY-----\\n{clean_public_key}\\n-----END PUBLIC KEY-----';
+
+-- Verify key registration
+DESC USER {username};
+""")
+
+    # Create a test script
+    test_script_path = os.path.join(key_dir, "test_connection.py")
+    with open(test_script_path, "w") as f:
+        f.write(f"""import snowflake.connector
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives import serialization
+
+# Read private key
+with open(r"{private_key_path}", "rb") as key:
+    p_key = serialization.load_pem_private_key(
+        key.read(),
+        password=None,
+        backend=default_backend()
+    )
+
+# Convert to bytes for Snowflake
+pkb = p_key.private_bytes(
+    encoding=serialization.Encoding.DER,
+    format=serialization.PrivateFormat.PKCS8,
+    encryption_algorithm=serialization.NoEncryption()
+)
+
+# Connect to Snowflake with key
+conn = snowflake.connector.connect(
+    user="{username}",
+    account="{account_name}",
+    private_key=pkb
+)
+
+# Test the connection
+cur = conn.cursor()
+cur.execute("SELECT current_user(), current_role(), current_version()")
+print(cur.fetchone())
+cur.close()
+conn.close()
+print("Connection successful!")
+""")
+
+    print(f"\nKey pair generated successfully!")
+    print(f"Private key: {private_key_path}")
+    print(f"Public key: {public_key_path}")
+    print(f"SQL script: {sql_path}")
+    print(f"Test script: {test_script_path}")
+    print("\nNEXT STEPS:")
+    print(f"1. Execute the SQL script in Snowflake to register your public key")
+    print(f"2. Run the test script to verify the key authentication works")
+    print(f"3. Update your connections.toml file to use key authentication")
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser(description="Set up key pair authentication for Snowflake")
+    parser.add_argument("--username", required=True, help="Snowflake username")
+    parser.add_argument("--account", required=True, help="Snowflake account name")
+    parser.add_argument("--key-dir", default="~/.snowflake/keys", help="Directory to store keys")
+    parser.add_argument("--key-size", type=int, default=2048, help="RSA key size (bits)")
+    
+    args = parser.parse_args()
+    
+    setup_keypair_auth(args.username, args.account, args.key_dir, args.key_size)