Key Pair Authentication: Troubleshooting¶
This topic helps you troubleshoot errors that occur when connecting to Snowflake with
key pair authentication. It focuses on errors that contain JWT token is invalid
.
Find the Error¶
Before troubleshooting, you need to determine that the issue is resulting in a JWT token is invalid
error.
If your Snowflake client is a driver or connector that does not have an interactive interface, use logs to inspect connection errors:
Enable logging for the Snowflake connector or driver. For details, see Generate log files for Snowflake Drivers & Connectors (https://community.snowflake.com/s/article/How-to-generate-log-file-on-Snowflake-connectors) (Snowflake Knowledge Base article).
Check for errors that contain the string
JWT token is invalid
.For example, a client using the Snowflake JDBC driver might get the following error when trying to use key pair authentication:
yyyy-mm-dd hh:mm:ss.nnn n.s.c.jdbc.SnowflakeSQLException FINE <init>:40 - Snowflake exception: JWT token is invalid. [0ce9eb56-821d-4ca9-a774-04ae89a0cf5a], sqlState:08001, vendorCode:390,144, queryId:
Retrieve additional details¶
Each JWT token is invalid
error includes a UUID that appears in brackets immediately after the error (for example,
JWT token is invalid. [0ce9eb56-821d-4ca9-a774-04ae89a0cf5a]
). You should provide the UUID of the error to a Snowflake administrator so
they can obtain more information about the error.
Administrators use the SYSTEM$GET_LOGIN_FAILURE_DETAILS function to obtain additional details about the
error. For example, to obtain additional information about the error JWT token is invalid. [0ce9eb56-821d-4ca9-a774-04ae89a0cf5a]
,
a user with the ACCOUNTADIMN role can execute:
SELECT JSON_EXTRACT_PATH_TEXT(SYSTEM$GET_LOGIN_FAILURE_DETAILS('0ce9eb56-821d-4ca9-a774-04ae89a0cf5a'), 'errorCode');
The JSON_EXTRACT_PATH_TEXT function parses the JSON output of the SYSTEM$GET_LOGIN_FAILURE_DETAILS function to retrieve the error code and error.
List of Errors¶
The output of the SYSTEM$GET_LOGIN_FAILURE_DETAILS function is one of the following error code/error combinations.
Error Code |
Error |
Description |
---|---|---|
390144 |
JWT_TOKEN_INVALID |
There is a general issue with the JWT token. For possible solutions, see Common Errors and Solutions. |
394300 |
JWT_TOKEN_INVALID_USER_IN_ISSUER |
The user name specified in the issuer does not exist in the Snowflake account. For possible solutions, see Common Errors and Solutions. |
394301 |
JWT_TOKEN_MISSING_ISSUE_OR_EXPIRATION_TIME |
The JWT token does not contain an issue time or an expiration time. |
394302 |
JWT_TOKEN_INVALID_ISSUE_TIME |
The JWT token was received by Snowflake more than 60 seconds after the issue time. For possible solutions, see Common Errors and Solutions. |
394303 |
JWT_TOKEN_INVALID_EXPIRATION_TIME |
The JWT token is expired. |
394304 |
JWT_TOKEN_INVALID_PUBLIC_KEY_FINGERPRINT_MISMATCH |
There is a mismatch between the public key fingerprint specified in the issuer and the one stored for the user in Snowflake. For possible solutions, see Common Errors and Solutions. |
394305 |
JWT_TOKEN_INVALID_ALGORITHM |
The JWT token was not signed with the RS256 algorithm. |
394306 |
JWT_TOKEN_INVALID_SIGNATURE |
Snowflake could not verify the signature provided by the JWT token. It is possible that the JWT was signed with a private key that is not paired with the provided public key. It is also possible that the JWT signature is corrupt or has been modified. |
Common Errors and Solutions¶
The most common errors associated with key pair authentication are:
Use the following descriptions and solutions to troubleshoot these errors.
JWT_TOKEN_INVALID¶
- Description:
There is a general problem with the JWT token.
- Solution #1:
The token itself might be malformed. Double-check that the application accessing Snowflake is generating valid JWT tokens.
- Solution #2:
Double-check that the client (driver, connector, or request URL) is using the correct account identifier to connect to the Snowflake account. You should also check that this value matches the account identifier in the
iss
claim.- Solution #3:
Double-check that the account identifier and user name in the
sub
claim match the corresponding values in theiss
claim.- Solution #4:
Double-check that
iss
claim specifiesSHA256
as the signing algorithm.
JWT_TOKEN_INVALID_PUBLIC_KEY_FINGERPRINT_MISMATCH¶
- Description:
There is a mismatch between the public key fingerprint specified in the issuer and the one stored for the user in Snowflake.
- Solution:
Obtain the public key fingerprint of the JWT token, then compare it with the fingerprint associated with the user in Snowflake.
One method of obtaining the fingerprint of the JWT token is to enable DEBUG logging for your driver (https://community.snowflake.com/s/article/How-to-generate-log-file-on-Snowflake-connectors) and attempt to login. Look for the pattern
SHA256:<hash>
, where<hash>
is the public key fingerprint.To obtain the public key fingerprint associated with the user in Snowflake, execute the DESCRIBE USER command. The public key fingerprint is located in either the RSA_PUBLIC_KEY_FP or the RSA_PUBLIC_KEY_2_FP property. If the user is missing a public key fingerprint, execute the ALTER USER command to set these properties.
JWT_TOKEN_INVALID_USER_IN_ISSUER¶
- Description:
The user name specified in the issuer does not exist in the Snowflake account.
- Solution:
The user name configured in the Snowflake client must match the
LOGIN_NAME
of the Snowflake user, not itsNAME
. Sometimes these values are different.Execute the DESCRIBE USER command and verify that the value of the
LOGIN_NAME
property matches the user name that the Snowflake client is using to connect.
JWT_TOKEN_INVALID_ISSUE_TIME¶
- Description:
The JWT token was received by Snowflake more than 60 seconds after the issue time.
- Solution #1:
Check the host where the driver is running to ensure it is synchronized to NTP and doesn’t have clock skew. If the server clock is skewed, Snowflake might determine that the current time is more than 60 seconds after the issue time of the token, when it really isn’t. For example, if the client machine is 30 seconds behind and it took the token 45 seconds to reach Snowflake, then Snowflake determines that it has been 75 seconds since the JWT token was issued, not 45 seconds.
You can check that the clock of the client machine is accurate by comparing it to an NTP server. For example, you can use NIST Internet Time Servers (https://tf.nist.gov/tf-cgi/servers.cgi) to sync the client machine. For help with checking and synchronizing your host’s clock to an NTP server, refer to the administrator guide for your operating system or reach out to a system administrator.
- Solution #2:
Use an OS-specific monitoring tool to determine if the error occurs during times of extreme CPU/disk usage.
- Solution #3:
Check whether there is excessive network latency that is causing the JWT token to be processed by Snowflake more than 60 seconds after the token’s issue time.
When using a connectivity diagnostic tool to measure network latency, set the destination to
account_identifier.snowflakecomputing.cn
. For example, if the Snowflake client is usingmyorg-account1
as the account identifier, set the destination tomyorg-account1.snowflakecomputing.cn
.