# Key Pair Authentication Setup

The following steps enable key-pair authentication for the TrustLogix users that authenticate to Snowflake.

Depending on the deployment model in the customer environment, one or two users may be used for authentication:

1. **TrustLogix-hosted TrustLet**: One user is mapped in TrustLogix.
2. **Customer-hosted TrustLet**: Two users are mapped in TrustLogix:
   * Control plane user (for policy creation in UI)
   * Data plane user (for policy deployments)

#### Steps to Set Up Key-Pair Authentication

1. Generate Keys for Snowflake Users
2. Alter Snowflake Users with Public Key Value
3. Update the TrustLogix Configuration

***

### 1. Generate Keys for Snowflake Users

Use the **OpenSSL** tool to generate the keys.

#### Step 1: Generate the Private Key

Run the following command:

```sh
openssl genrsa 2048 | openssl pkcs8 -topk8 -v2 des3 -inform PEM -out rsa_key_tlx_user.p8 -passout "pass:TrustLogix"
```

* The **key name** and **passphrase** can be customized as per customer requirements.
* This generates an encrypted private key similar to:

  ```
  -----BEGIN ENCRYPTED PRIVATE KEY-----
  MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQI4GZOWG8
  …….  
  zWYxYMIPtR1aCI5cgyU1Og==
  -----END ENCRYPTED PRIVATE KEY-----
  ```

#### Step 2: Generate the Public Key

Run the following command using the generated private key:

```sh
openssl rsa -in rsa_key_tlx_user.p8 -pubout -out rsa_key_tlx_user.pub -passin "pass:TrustLogix"
```

* Ensure the **private key file name** and **passphrase** match those used in Step 1.
* This generates a public key file `rsa_key_tlx_user.pub` in the current directory.

  ```
  -----BEGIN PUBLIC KEY-----
  MIIBIjANBgkqhkiG9w0BAQEFAAOC
  qSqQEjtzp+h+u6nA9S42h6uyR9
  xxxx
  abd3209jwIDAQAB
  -----END PUBLIC KEY-----
  ```

**Note**: If deploying TrustLet in a customer environment, generate keys for both control and data plane users:

```sh
openssl genrsa 2048 | openssl pkcs8 -topk8 -v2 des3 -inform PEM -out rsa_key_tlx_dp_user.p8 -passout "pass:TrustLogix"
openssl rsa -in rsa_key_tlx_dp_user.p8 -pubout -out rsa_key_tlx_dp_user.pub -passin "pass:TrustLogix"
```

***

### 2. Alter Snowflake Users

Attach the public key to the users by running the following commands in **Snowsight/WebUI**.

#### Step 1: Prepare the Public Key

Open the `rsa_key_tlx_user.pub` file, **remove** the `-----BEGIN PUBLIC KEY-----` and `-----END PUBLIC KEY-----` lines, and use the remaining base64 text as the `RSA_PUBLIC_KEY` value.

For example:

```sql
ALTER USER TLX_USER SET RSA_PUBLIC_KEY = 'MIIBIjANBgkqhkiG9w0BAQEFAAOC
qSqQEjtzp+h+u6nA9S42h6uyR9
xxxx
abd3209jwIDAQAB';
```
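The following helper script is an added example, not part of TrustLogix's or Snowflake's own tooling. It performs sections 1 and 2 end to end for one user (the key generation commands are the ones above), prints the `ALTER USER` statement with the PEM delimiters already stripped, and computes the `SHA256:` fingerprint that Snowflake reports as `RSA_PUBLIC_KEY_FP` in `DESCRIBE USER`, so you can confirm the key attached to the Snowflake user is the same `.p8` file later uploaded to TrustLogix. The file prefix, passphrase and user name are arguments; the values in the usage comment are this page's examples.

```sh
#!/bin/sh
# Added example (not TrustLogix or Snowflake tooling): key pair generation,
# ALTER USER statement preparation and fingerprint check for one Snowflake user.
set -e

# Generate an encrypted PKCS#8 private key and its public key (section 1).
# $1 = key file prefix, $2 = passphrase.
generate_keypair() {
    prefix=$1
    passphrase=$2
    openssl genrsa 2048 2>/dev/null \
      | openssl pkcs8 -topk8 -v2 des3 -inform PEM -out "$prefix.p8" -passout "pass:$passphrase"
    openssl rsa -in "$prefix.p8" -pubout -out "$prefix.pub" -passin "pass:$passphrase" 2>/dev/null
}

# Print the public key with the BEGIN/END lines removed and line breaks joined,
# i.e. the value that goes into ALTER USER ... SET RSA_PUBLIC_KEY (section 2).
public_key_body() {
    grep -v -- '-----' "$1" | tr -d '\n'
}

# Fingerprint in the form Snowflake shows as RSA_PUBLIC_KEY_FP:
# "SHA256:" followed by the base64 SHA-256 of the DER-encoded public key.
# After the ALTER, compare it with `DESCRIBE USER <name>` to verify the upload.
public_key_fingerprint() {
    printf 'SHA256:%s' "$(openssl rsa -pubin -in "$1" -outform DER 2>/dev/null \
        | openssl dgst -sha256 -binary | openssl enc -base64)"
}

# Emit the ALTER USER statement for a user name ($1) and public key file ($2).
alter_user_sql() {
    printf "ALTER USER %s SET RSA_PUBLIC_KEY = '%s';\n" "$1" "$(public_key_body "$2")"
}

# Usage: ./keypair.sh rsa_key_tlx_user TrustLogix TLX_USER
if [ -n "${1:-}" ]; then
    generate_keypair "$1" "$2"
    alter_user_sql "$3" "$1.pub"
    public_key_fingerprint "$1.pub"
    echo
fi
```

For a customer-hosted TrustLet, run it once per user (for example with the `rsa_key_tlx_dp_user` prefix for the data plane user).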

***

### 3. Update TrustLogix Authentication Details

Once the Snowflake user details are updated, update the authentication details in TrustLogix.

#### Step 1: Configure Data Sources in TrustLogix

1. Navigate to **Data Sources** in the TrustLogix console.
2. Open the respective Data Source configuration screen.
3. In the configuration screen, follow these steps:
   * Select **Authentication Type** as **Key Pair Authentication**.
   * Upload the `rsa_key_tlx_user.p8` private key using the **Browse** button.
   * Enter the passphrase used during key generation.
   * Click **Save**.
4. If all details are correct, the data source details are validated and saved.

## Key Pair Authentication Setup For **Customer-hosted TrustLet**

As mentioned in the section above, a Customer-hosted TrustLet or hybrid tenant needs two users.

Below are the additional steps required for Customer-hosted TrustLet or hybrid tenant.

1. Follow the steps above to create the data plane user:
   1. Generate Keys for Snowflake Users
   2. Alter Snowflake Users with Public Key Value
2. Set the following keys and values, depending on where the TrustLet is hosted.

* When the TrustLet is hosted on AWS ECS (Amazon Elastic Container Service):

```
tlx/<tenant-id>/<account-id>/role
tlx/<tenant-id>/<account-id>/username
tlx/<tenant-id>/<account-id>/jdbcurl
tlx/<tenant-id>/<account-id>/warehouse
tlx/<tlxTenantId>/<tlx_account_d>/passphrase
tlx/<tlxTenantId>/<tlx_account_d>/privatekey
```

* When the TrustLet is hosted on Azure Kubernetes Service (AKS):

```
tlx-<tenant-id>-<account-id>-role
tlx-<tenant-id>-<account-id>-username
tlx-<tenant-id>-<account-id>-jdbcurl
tlx-<tenant-id>-<account-id>-warehouse
tlx-<tlxTenantId>-<tlx_account_d>-passphrase
tlx-<tlxTenantId>-<tlx_account_d>-privatekey
```

***

### Final Steps to Confirm Setup

After completing the configuration:

* Create a **test policy** on a sample dataset.
* Deploy the policy.
* If the policy creation and deployment flow proceeds without errors (during database/schema selection and deployment), then the **key-pair setup is successful**.
