Description
**What are you trying to accomplish?**

In our GitLab CI/CD setup, we want to authenticate securely to Snowflake using RSA key pair authentication defined in connections.toml.

**What options have you tried so far?**
The private key and passphrase are passed as CI/CD variables.
The private key is stored in CI/CD as a base64-encoded, encrypted PKCS#8 PEM.
It is decoded at runtime in the CI job using:

```sh
echo "$<private_key_base64_variable>" | base64 -d > encrypted_key.pem
```
The passphrase is passed separately via another CI/CD variable.
Despite all of this, when `schemachange deploy` runs, it fails with:

```text
TypeError: Expected bytes or RSAPrivateKey, got <class 'NoneType'>
```
This strongly suggests that schemachange is either:

- not passing the `PRIVATE_KEY_PASSPHRASE` correctly to the Snowflake connector, or
- not reading `private_key_file_pwd` in a way that supports environment variable substitution.
Our connections.toml file, which we generate dynamically in the CI job, looks like this:

```toml
[default]
account = "..."
user = "..."
role = "..."
warehouse = "..."
database = "..."
schema = "..."
authenticator = "snowflake_jwt"
private_key_file = "/absolute/path/to/encrypted_key.pem"
private_key_file_pwd = "${<passphrase_variable>}"
```
We then run:

```sh
cat connections.toml
```

and confirm that:

- the file content is correct and the `private_key_file` path points to a valid, existing file;
- the PEM file begins with `-----BEGIN ENCRYPTED PRIVATE KEY-----`.

```sh
schemachange deploy -f "${ROOT_FOLDER_FOR_NEW_SQL_FILES}" --connections-file-path connections.toml --connection-name default -c SOME_SCHEMACHANGE_DB.SOME_SCHEMACHANGE_SCHEMA.CHANGE_HISTORY_TABLE
```

Despite all of this, when `schemachange deploy` runs, it fails with:

```text
TypeError: Expected bytes or RSAPrivateKey, got <class 'NoneType'>
```
✅ Expectations
- schemachange should correctly read `private_key_file` from the connections.toml file and use the passphrase from either:
  - the `private_key_file_pwd` value (ideally expanded from an env variable), or
  - the standard `PRIVATE_KEY_PASSPHRASE` environment variable, as supported by the Snowflake Python Connector.
📌 Potential feature request, maybe?

Please update schemachange to:

- fully support encrypted `private_key_file` paths in connections.toml;
- allow the passphrase to be securely injected via the standard `PRIVATE_KEY_PASSPHRASE` environment variable;
- or support secure variable expansion for `private_key_file_pwd`.
This would enable secure keypair auth (to Snowflake) in CI/CD pipelines using the intended schemachange deploy flow.
Thank you for your support and the great tool!
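A pre-flight check for the configuration described in this issue, added here as an example; it is not part of the original report and is neither schemachange's nor the Snowflake connector's code. It reproduces the pitfall in the generated file: TOML performs no variable expansion, so `private_key_file_pwd = "${VAR}"` reaches the connector as the literal characters `${VAR}`, not the passphrase. The script renders connections.toml with the value substituted at generation time instead, writes secret files with mode 0600, and checks the result for an unexpanded placeholder, a missing key file, loose permissions, and a PEM header that does not match whether a passphrase is available. `CONNECTIONS_TEMPLATE`, `render_connections_toml`, `check_connection` and `demo` are hypothetical names, the PEM content in `demo` is a constructed stand-in (only its header is inspected), and the `PRIVATE_KEY_PASSPHRASE` fallback is treated the way the report describes it rather than verified against the connector.

```python
"""Added example (not schemachange's or the Snowflake connector's code):
render connections.toml with the passphrase expanded *before* the file is
written, and check the result for the pitfalls described in the report."""
import os
import stat
import tempfile
from string import Template

try:
    import tomllib  # Python 3.11+
except ImportError:  # pragma: no cover
    import tomli as tomllib  # type: ignore

# Hypothetical template mirroring the report's connections.toml. The $-fields are
# filled by this script; TOML itself performs no variable expansion, so a literal
# "${VAR}" in the file reaches the connector as exactly those characters.
CONNECTIONS_TEMPLATE = """\
[default]
account = "..."
user = "..."
authenticator = "snowflake_jwt"
private_key_file = '$KEY_PATH'
private_key_file_pwd = '$PASSPHRASE'
"""

ENCRYPTED_HEADER = "-----BEGIN ENCRYPTED PRIVATE KEY-----"
PLAIN_HEADER = "-----BEGIN PRIVATE KEY-----"


def render_connections_toml(key_path: str, passphrase: str) -> str:
    """Substitute the real values at generation time (the fix for the "${VAR}" pitfall)."""
    return Template(CONNECTIONS_TEMPLATE).substitute(KEY_PATH=key_path, PASSPHRASE=passphrase)


def write_private_file(path: str, content: str) -> None:
    """Create the file with mode 0600 from the start so the secret is never world-readable."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)


def check_connection(toml_text: str, name: str = "default", env=None) -> list[str]:
    """Return human-readable findings; an empty list means the config looks usable."""
    env = os.environ if env is None else env
    findings: list[str] = []
    conn = tomllib.loads(toml_text).get(name)
    if conn is None:
        return [f"connection [{name}] not found"]

    pwd = conn.get("private_key_file_pwd")
    if isinstance(pwd, str) and pwd.startswith("$"):
        findings.append(f"private_key_file_pwd is the unexpanded placeholder {pwd!r}; "
                        "TOML does not expand variables, expand it when generating the file")
        pwd = None
    # The report says the connector also accepts PRIVATE_KEY_PASSPHRASE from the environment.
    passphrase = pwd or env.get("PRIVATE_KEY_PASSPHRASE")

    key_path = conn.get("private_key_file")
    if not key_path or not os.path.isfile(key_path):
        findings.append(f"private_key_file {key_path!r} does not exist")
        return findings

    mode = stat.S_IMODE(os.stat(key_path).st_mode)
    if mode & 0o077:
        findings.append(f"{key_path} is mode {mode:04o}; expected 0600")

    with open(key_path, encoding="ascii") as fh:
        header = fh.readline().strip()
    if header == ENCRYPTED_HEADER and not passphrase:
        findings.append("key is encrypted PKCS#8 but no passphrase is available "
                        "(neither private_key_file_pwd nor PRIVATE_KEY_PASSPHRASE)")
    elif header == PLAIN_HEADER and passphrase:
        findings.append("key is unencrypted but a passphrase was supplied; "
                        "cryptography rejects a password for an unencrypted key")
    elif header not in (ENCRYPTED_HEADER, PLAIN_HEADER):
        findings.append(f"unexpected PEM header {header!r}; expected a PKCS#8 key")
    return findings


def demo() -> dict[str, list[str]]:
    """Run the check on the report's placeholder variant and on the expanded variant."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        key_path = os.path.join(tmp, "encrypted_key.pem")
        # Constructed stand-in: only the header matters to the check; it is not a real key.
        write_private_file(key_path, ENCRYPTED_HEADER + "\nMIIF...constructed...\n"
                           "-----END ENCRYPTED PRIVATE KEY-----\n")
        env: dict[str, str] = {}  # CI job has not exported PRIVATE_KEY_PASSPHRASE
        # 1. What the report's job writes: the shell placeholder, verbatim.
        results["placeholder"] = check_connection(
            render_connections_toml(key_path, "${PASSPHRASE_VAR}"), env=env)
        # 2. The value substituted at generation time (constructed secret; in CI, read the variable).
        results["expanded"] = check_connection(
            render_connections_toml(key_path, "constructed-passphrase"), env=env)
    return results


if __name__ == "__main__":
    for variant, findings in demo().items():
        print(variant, "->", findings or ["OK"])
```

Once the passphrase is substituted at generation time, connections.toml holds the secret in clear, so the file should be written 0600 and removed at the end of the job, and `cat connections.toml` should not run in a CI job whose logs are retained.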