Snowflake - Liquibase connectivity using JDBC key pair authentication

Hi Community,

We are actually trying to connect to snowflake from Liquibase using Key pair authentication (using a key file and password). There seems to be an error like “PBE parameter parsing error: expecting the object identifier for AES cipher”.

I see that the same file and file password is working when I tried connecting from snowsql. Also the connection to snowflake is working as we tried with username and password along with jdbc url.

Does Liquibase not support jdbc connectivity with key pair authentication? If anyone is successful in using it, could you please help with what might be missing in our case?

Some more details on the error:
ERROR: Private key provided is invalid or not supported: LIQUIBASE_key.p8: PBE parameter parsing error: expecting the object identifier for AES cipher
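
The error text above refers to the cipher object identifier recorded inside the encrypted key file. As an added example (not part of the thread, and not Liquibase or Snowflake code), this reads an encrypted PKCS#8 PEM and reports the scheme, key-derivation and cipher OIDs it declares, so the file can be compared with what the Java runtime in use accepts. The function names are hypothetical and the sample key header is constructed.

```python
import base64
OID_NAMES = {  # object identifiers seen in encrypted PKCS#8 (PBES2) key files
    "1.2.840.113549.1.5.13": "PBES2",
    "1.2.840.113549.1.5.12": "PBKDF2",
    "1.2.840.113549.3.7": "des-ede3-CBC",
    "2.16.840.1.101.3.4.1.2": "aes128-CBC",
    "2.16.840.1.101.3.4.1.42": "aes256-CBC",
}

def read_tlv(buf, pos):  # -> (tag, value, next_pos) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        end = pos + (length & 0x7F)
        length, pos = int.from_bytes(buf[pos:end], "big"), end
    return tag, buf[pos:pos + length], pos + length

def oid_name(body):  # DER OID bytes -> known name, else dotted string
    first = min(body[0] // 40, 2)
    arcs, val = [first, body[0] - 40 * first], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs, val = arcs + [val], 0
    dotted = ".".join(map(str, arcs))
    return OID_NAMES.get(dotted, dotted)

def pkcs8_encryption_info(pem_text):  # what an encrypted .p8 file declares
    lines = [l.strip() for l in pem_text.strip().splitlines()]
    if lines[0] != "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        raise ValueError("not an encrypted PKCS#8 PEM: " + lines[0])
    der = base64.b64decode("".join(lines[1:-1]))
    alg = read_tlv(read_tlv(der, 0)[1], 0)[1]   # encryptionAlgorithm
    _, scheme, p = read_tlv(alg, 0)
    info = {"scheme": oid_name(scheme)}
    if info["scheme"] == "PBES2":
        params = read_tlv(alg, p)[1]            # PBES2-params
        _, kdf, q = read_tlv(params, 0)         # keyDerivationFunc
        enc = read_tlv(params, q)[1]            # encryptionScheme
        info.update(kdf=oid_name(read_tlv(kdf, 0)[1]), cipher=oid_name(read_tlv(enc, 0)[1]))
    return info

_tlv = lambda tag, body: bytes([tag, len(body)]) + body  # short-form DER encoder for the sample
def sample_pem(cipher_hex):  # constructed sample: headers only, dummy salt/IV/data
    oid = lambda h: _tlv(0x06, bytes.fromhex(h))
    kdf = _tlv(0x30, oid("2a864886f70d01050c") + _tlv(0x30, _tlv(0x04, bytes(8)) + _tlv(0x02, b"\x08\x00")))
    enc = _tlv(0x30, oid(cipher_hex) + _tlv(0x04, bytes(16)))
    alg = _tlv(0x30, oid("2a864886f70d01050d") + _tlv(0x30, kdf + enc))
    der = base64.b64encode(_tlv(0x30, alg + _tlv(0x04, bytes(16)))).decode()
    return f"-----BEGIN ENCRYPTED PRIVATE KEY-----\n{der}\n-----END ENCRYPTED PRIVATE KEY-----\n"
```

Only the algorithm header is read; the passphrase is never needed and the key is not decrypted.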

We use oauth authentication for Snowflake. I’m not familiar with key pair authentication.

Connection string looks like this:

jdbc:snowflake://XXX.snowflakecomputing.com:443/?db=XYZ&warehouse=XYZ&schema=XYZ&authenticator=oauth&token=ABC

Can you send me links on how this can be configured.

Your snowflake system has to be configured for Azure oauth, I can’t help with that part, but here is a link.

https://docs.snowflake.com/en/user-guide/oauth-azure

Then you have to get the oauth token from Azure and provide it with the 2 new parms (authenticator and token) in the jdbc string. Don’t provide username and password.

Does that mean, OAUTH token should be generated outside of liquibase & passed as input to Liquibase as part of JDBC?

If yes, as I understand, OAUTH security integration in snowflake requires re-direct URL. Could you share your sample OAuth security integration, and how we can generate the OAUTH tokens?

Adding more context to my earlier question: we wanted to connect to liquibase during gitlab pipeline run to deploy the scripts onto snowflake. We don’t want to pass username and password as part of jdbc url and we thought to use key pair based authentication.

oauth configuration is on the Snowflake side, it has nothing to do with Liquibase.

Yes, you need to generate the oauth token outside of Liquibase and snowflake, and then use it to connect to the database via jdbc.

There is no redirect URL, all of the required parameters are in the jdbc string, as I provided above.

Username and password are no longer used when you use oauth authentication, but you do have to provide the token as part of the jdbc string. See my example string above.

Thanks @daryldoak, will try it