ENG-2494 - Connection error using Snowflake Private Key auth #7294

Merged
vcruces merged 4 commits into main from ENG-2494
Feb 3, 2026

vcruces commented Feb 2, 2026

Ticket ENG-2494

Description Of Changes

Fixed a bug in the Snowflake connector where private keys without a passphrase were not being properly converted to the DER/PKCS8 format required by Snowflake. Previously, the code only performed this conversion when a passphrase was present, causing connection failures with the error "Failed to load private key: Could not deserialize key data."

Code Changes

  • Updated SnowflakeConnector.get_connect_args() to always convert private keys to DER/PKCS8 format regardless of whether a passphrase is present
  • Simplified the logic to handle both encrypted and unencrypted private keys in a unified way

Steps to Confirm

  1. Create or use a Snowflake connection configuration with private key authentication (no passphrase)
  2. Test the connection via GET /api/v1/connection/{connection_key}/test
  3. Verify the connection succeeds without the "Failed to load private key" error
  4. Test with a passphrase-protected private key to ensure backward compatibility

Pre-Merge Checklist

  • Issue requirements met
  • All CI pipelines succeeded
  • CHANGELOG.md updated
    • Add a db-migration label to the entry if your change includes a DB migration
    • Add a high-risk label to the entry if your change includes a high-risk change (i.e. potential for performance impact or unexpected regression) that should be flagged
    • Updates unreleased work already in Changelog, no new entry necessary
  • UX feedback:
    • All UX related changes have been reviewed by a designer
    • No UX review needed
  • Followup issues:
    • Followup issues created
    • No followup issues
  • Database migrations:
    • Ensure that your downrev is up to date with the latest revision on main
    • Ensure that your downgrade() migration is correct and works
      • If a downgrade migration is not possible for this change, please call this out in the PR description!
    • No migrations
  • Documentation:
    • Documentation complete, PR opened in fidesdocs
    • Documentation issue created in fidesdocs
    • If there are any new client scopes created as part of the pull request, remember to update public-facing documentation that references our scope registry
    • No documentation updates required

vercel bot commented Feb 2, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

2 Skipped Deployments
Project Deployment Actions Updated (UTC)
fides-plus-nightly Ignored Ignored Preview Feb 3, 2026 1:28pm
fides-privacy-center Ignored Ignored Feb 3, 2026 1:28pm

vcruces commented Feb 2, 2026

@greptileai

greptile-apps bot commented Feb 2, 2026

Greptile Overview

Greptile Summary

This PR fixes a bug in the Snowflake connector where private keys without a passphrase were not being properly converted to DER/PKCS8 format, causing authentication failures.

Key Changes:

  • Updated get_connect_args() to always convert private keys to DER/PKCS8 format, regardless of passphrase presence
  • Simplified the conditional logic by handling both encrypted and unencrypted keys in a unified way
  • The load_pem_private_key() function accepts None as the password parameter for unencrypted keys

Analysis:
The fix is correct and elegant. The previous code only performed the DER/PKCS8 conversion when a passphrase was present, but Snowflake's connector requires this format for all private keys. The updated code properly handles both cases by passing None as the password when no passphrase is configured.

Confidence Score: 5/5

  • This PR is safe to merge with minimal risk
  • The change is a straightforward bug fix that correctly handles both encrypted and unencrypted private keys. The logic is simple, well-commented, and the implementation follows the cryptography library's documented API. Existing integration tests cover both password and keypair authentication scenarios.
  • No files require special attention

Important Files Changed

Filename | Overview
src/fides/api/service/connectors/snowflake_connector.py | Fixed private key authentication by ensuring DER/PKCS8 conversion happens for all private keys, not just those with passphrases
changelog/7294-snowflake-auth.yaml | Appropriate changelog entry documenting the bug fix
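
The unified conversion discussed in this PR, as an added example that is not the fides connector code: `pem_to_pkcs8_der` and `make_sample_pems` are hypothetical names, and the RSA key is a throwaway generated inside the block as constructed input. It assumes a recent `cryptography` release where the `backend` argument is optional.

```python
from typing import Optional, Tuple

from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa


def pem_to_pkcs8_der(pem_text: str, passphrase: Optional[str] = None) -> bytes:
    """Hypothetical helper: PEM private key -> unencrypted DER/PKCS8 bytes.

    One code path for both cases: an absent or empty passphrase becomes
    password=None, which load_pem_private_key() expects for unencrypted keys.
    """
    password = passphrase.encode() if passphrase else None
    key = serialization.load_pem_private_key(pem_text.encode(), password=password)
    return key.private_bytes(
        encoding=serialization.Encoding.DER,
        format=serialization.PrivateFormat.PKCS8,
        encryption_algorithm=serialization.NoEncryption(),
    )


def make_sample_pems(passphrase: str) -> Tuple[str, str]:
    """Constructed input: one throwaway RSA key as plain and as encrypted PEM."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    plain = key.private_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PrivateFormat.TraditionalOpenSSL,  # PKCS#1 PEM
        encryption_algorithm=serialization.NoEncryption(),
    )
    encrypted = key.private_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PrivateFormat.PKCS8,
        encryption_algorithm=serialization.BestAvailableEncryption(passphrase.encode()),
    )
    return plain.decode(), encrypted.decode()


if __name__ == "__main__":
    plain_pem, encrypted_pem = make_sample_pems("constructed-passphrase")
    der_plain = pem_to_pkcs8_der(plain_pem)  # no passphrase configured
    der_encrypted = pem_to_pkcs8_der(encrypted_pem, "constructed-passphrase")
    # Both inputs hold the same key, so both yield the same DER/PKCS8 bytes.
    print(len(der_plain), der_plain == der_encrypted)
```

The returned bytes are the unencrypted private key, so they belong in memory for the connection only and out of logs and error messages.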

greptile-apps bot left a comment

1 file reviewed, no comments

wadesdev marked this pull request as ready for review February 2, 2026 22:02
wadesdev requested a review from a team as a code owner February 2, 2026 22:02
wadesdev requested review from JadeCara and removed request for a team February 2, 2026 22:02

greptile-apps bot left a comment

2 files reviewed, no comments

vcruces added this pull request to the merge queue Feb 3, 2026
Merged via the queue into main with commit 98478e5 Feb 3, 2026
54 of 55 checks passed
vcruces deleted the ENG-2494 branch February 3, 2026 14:08