Key Pair Authentication Setup

The following steps enable key-pair authentication for TrustLogix users authenticating to Snowflake.

Depending on the deployment model in the customer environment, one or two users may be used for authentication:

  1. TrustLogix-hosted TrustLet: One user is mapped in TrustLogix.

  2. Customer-hosted TrustLet: Two users are mapped in TrustLogix:

    • Control plane user (for policy creation in UI)

    • Data plane user (for policy deployments)

Steps to Set Up Key-Pair Authentication

  1. Generate Keys for Snowflake Users

  2. Alter Snowflake Users with Public Key Value

  3. Update the TrustLogix Configuration


1. Generate Keys for Snowflake Users

Use the OpenSSL tool to generate the keys.

Step 1: Generate the Private Key

Run the following command:

openssl genrsa 2048 | openssl pkcs8 -topk8 -v2 des3 -inform PEM -out rsa_key_tlx_user.p8 -passout "pass:TrustLogix"

  • The key name and passphrase can be customized as per customer requirements.

  • This generates an encrypted private key similar to:

Step 2: Generate the Public Key

Run the following command using the generated private key:

  • Ensure the private key file name and passphrase match those used in Step 1.

  • This generates a public key file rsa_key_tlx_user.pub in the current directory.

Note: If deploying TrustLet in a customer environment, generate keys for both control and data plane users:


2. Alter Snowflake Users

Attach the public key to the users by running the following commands in Snowsight/WebUI.

Step 1: Prepare the Public Key

Open the rsa_key_tlx_user.pub file and remove the -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY----- headers.

For example:
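
The key generation and public-key preparation from sections 1 and 2 as one script, added here as an example and not part of the original page or TrustLogix's own tooling. It reads the passphrase from the environment (`-passout env:`) instead of placing it on the command line, where it would be visible in the process list and shell history, and it prints the SHA-256 fingerprint that Snowflake reports as RSA_PUBLIC_KEY_FP in DESCRIBE USER so the attached key can be verified. The function names, TLX_KEY_PASSPHRASE and the <TLX_USER> placeholder are assumptions; ALTER USER ... SET RSA_PUBLIC_KEY is standard Snowflake syntax, not text from this page.

```shell
#!/bin/sh
# Added example. Function names, TLX_KEY_PASSPHRASE and <TLX_USER> are
# hypothetical; file names follow the page (rsa_key_tlx_user.p8 / .pub).

# Create <base>.p8 (encrypted PKCS#8 private key) and <base>.pub.
tlx_make_keypair() {
    base=$1
    [ -n "${TLX_KEY_PASSPHRASE:-}" ] || { echo "set TLX_KEY_PASSPHRASE" >&2; return 1; }
    export TLX_KEY_PASSPHRASE   # openssl reads it through env:, not argv
    (
        umask 077               # private key readable by its owner only
        openssl genrsa 2048 |
            openssl pkcs8 -topk8 -v2 des3 -inform PEM \
                -out "$base.p8" -passout env:TLX_KEY_PASSPHRASE
    ) || return 1
    openssl rsa -in "$base.p8" -passin env:TLX_KEY_PASSPHRASE \
        -pubout -out "$base.pub"
}

# Public key body without the BEGIN/END lines, joined onto one line.
tlx_pubkey_value() {
    grep -v '^-----' "$1" | tr -d '\r\n'
}

# Statement to run in Snowsight. $1 = Snowflake user, $2 = .pub file.
tlx_alter_user_sql() {
    printf "ALTER USER %s SET RSA_PUBLIC_KEY='%s';\n" "$1" "$(tlx_pubkey_value "$2")"
}

# Fingerprint in the form Snowflake reports as RSA_PUBLIC_KEY_FP.
tlx_pubkey_fp() {
    fp=$(openssl rsa -pubin -in "$1" -outform DER |
        openssl dgst -sha256 -binary | openssl enc -base64) || return 1
    printf 'SHA256:%s\n' "$fp"
}

# Usage, with TLX_KEY_PASSPHRASE already set in the shell:
#   tlx_make_keypair rsa_key_tlx_user
#   tlx_alter_user_sql '<TLX_USER>' rsa_key_tlx_user.pub
#   tlx_pubkey_fp rsa_key_tlx_user.pub   # compare with DESCRIBE USER output
```

For a Customer-hosted TrustLet, run the same functions once per user with a different base name for the control plane and data plane keys.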


3. Update TrustLogix Authentication Details

Once the Snowflake user details are updated, update the authentication details in TrustLogix.

Step 1: Configure Data Sources in TrustLogix

  1. Navigate to Data Sources in the TrustLogix console.

  2. Open the respective Data Source configuration screen.

  3. In the configuration screen, follow these steps:

    • Select Authentication Type as Key Pair Authentication.

    • Upload the rsa_key_tlx_user.p8 private key using the Browse button.

    • Enter the passphrase used during key generation.

    • Click Save.

  4. If all details are correct, the data source details are validated and saved.

Key Pair Authentication Setup For Customer-hosted TrustLet

As mentioned in the section above, two users are needed for a Customer-hosted TrustLet or hybrid tenant.

Below are the additional steps required for a Customer-hosted TrustLet or hybrid tenant.

  1. Follow the steps mentioned above to create the data plane user:

    1. Generate Keys for Snowflake Users

    2. Alter Snowflake Users with Public Key Value

  2. Set the following key and value

  • TrustLet is hosted on AWS ECS (Amazon Elastic Container Service)

  • TrustLet is hosted on Azure Kubernetes Service (AKS)


Final Steps to Confirm Setup

After completing the configuration:

  • Create a test policy on a sample dataset.

  • Deploy the policy.

  • If the policy creation and deployment flow proceeds without errors (during database/schema selection and deployment), then the key-pair setup is successful.
