Invalid private key, Error code 0002

[filipqlrf]

I'm trying to deploy the connector using a private key option. To hide the private key, I wanted to use some of the config providers.
I tried AWS secretManager, file and env provider. All of the fail with the same issue:

Exception: Invalid private key
Error Code: 0002
Detail: private key should be a valid PEM RSA private key
Message: java.security.InvalidKeyException: Unable to decode key

I am sure the private key is correct, when I paste it directly into the configuration, the connector works.
My config is as follows:

"config.providers": "env",
"config.providers.file.class": "org.apache.kafka.common.config.provider.EnvVarConfigProvider",
"connector.class": "com.snowflake.kafka.connector.SnowflakeSinkConnector",
"snowflake.schema.name": "public",
"snowflake.private.key": "${env:SNOWFLAKE_SECRET}",
"key.converter": "org.apache.kafka.connect.storage.StringConverter",
"value.converter": "com.snowflake.kafka.connector.records.SnowflakeJsonConverter",
...

Are there any restrictions for the config providers? What is the best way to inject the secret values?

[swehner]

I think your config isn't correct - the config provider env you declared doesn't have a class configured. The entry should be called config.providers.<NAME_OF_CONFIG_PROVIDER>.class, so it should be:

"config.providers": "env",
"config.providers.env.class": "org.apache.kafka.common.config.provider.EnvVarConfigProvider",
...

See https://docs.confluent.io/platform/current/connect/security.html#externalize-secrets

[filipqlrf]

Nice catch @swehner. Unfortunately, even after I fixed the config, I still have the same error.

[swehner]

Ok, and are you running this in AWS managed Kafka Connect? (I'm asking becasue I wasn't able to set environment variables for workers).
What version of the snowflake connector are you running? I assume it's newer than 2.2.0.
If not you can try calling the config.provider file:

"config.providers": "file",
"config.providers.file.class": "org.apache.kafka.common.config.provider.EnvVarConfigProvider",

That way you work around the bug that was initially preventing validation of config providers with any other name than file.

I was able to run it successfully back in the day with this configuration:

    "config.providers" : "file",
    "config.providers.file.class" : "com.amazonaws.kafka.config.providers.SsmParamStoreConfigProvider",
    "config.providers.file.param.region" : "us-east-1",
    "snowflake.private.key" : "${file::/pathtomy/privatekey}"

[filipqlrf]

I'm running the connector on the k8s cluster. To be precise, I'm running the Pulsar function inside the k8s cluster (datastax/snowflake-connector#15). The Pulsar function is a wrapper of this kafka connector, so all the configuration is the same. The version of the connector is 2.4.1

[ravilk]

Hi @filipqlrf @swehner ,

I'm facing the same issue with Snowflake connector in Strimzi Kafka Connect deployed on OpenShift Kubernetes cluster, but in my case I'm using HashiCorp Vault to store my private key. I'm able to pull private key from the Vault, create respective kubernetes secret and mount private key into the connector Pod file system as file and env variable for testing both methods.

I tried:

snowflake.private.key: "${env:SNOWFLAKE_PRIVATE_KEY}"
config.providers: env
config.providers.file.class: org.apache.kafka.common.config.provider.EnvVarConfigProvider

and

config.providers: file
config.providers.file.class: org.apache.kafka.common.config.provider.FileConfigProvider
snowflake.private.key: '${file:/opt/kafka/external-configuration/snowflake-key/private_key}'

Both methods are failing for me, and I'm receiving the same error as @filipqlrf :

2025-07-30 10:08:00,715 ERROR [snowflake-sink-connector-3|worker] WorkerConnector{id=snowflake-sink-connector-3} Error while starting connector (org.apache.kafka.connect.runtime.WorkerConnector) [connector-thread-snowflake-sink-connector-3]
com.snowflake.kafka.connector.internal.SnowflakeKafkaConnectorException: [SF_KAFKA_CONNECTOR] Exception: Invalid private key
Error Code: 0002
Detail: private key should be a valid PEM RSA private key
Message: java.security.InvalidKeyException: IOException : null
java.base/sun.security.rsa.RSAKeyFactory.engineGeneratePrivate(RSAKeyFactory.java:253)

I can see that secret has been mounted into Pod as env and file, and contain correct private key:

sh-5.1$ ls -la /opt/kafka/external-configuration/snowflake-key/private_key 
lrwxrwxrwx. 1 root 1002580000 18 Jul 29 22:01 /opt/kafka/external-configuration/snowflake-key/private_key -> ..data/private_key
sh-5.1$ 
sh-5.1$ cat /opt/kafka/external-configuration/snowflake-key/private_key 
-----BEGIN PRIVATE KEY----- 
...
-----END PRIVATE KEY-----


sh-5.1$ env | grep SNOWFLAKE_PRIVATE_KEY
SNOWFLAKE_PRIVATE_KEY=-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----

With the plain credentials everything works fine. My snowflake-kafka-connector version = 3.1.2

[ravilk]

Hi @swehner , @filipqlrf ,

I moved with env variables only, and I solved this by updating Strimzi Kafka Connect yaml with the following:

apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaConnect
...
spec:
  ...
  config:
    ...
    # The EnvVarConfigProvider specifically lets Kafka Connect resolve configuration placeholders from environment variables.
    config.providers.env.class: org.apache.kafka.common.config.provider.EnvVarConfigProvider
    # This line enables the EnvVarConfigProvider, allowing you to use environment variables in your connector configurations.
    config.providers: env     
  
  # Mounts secrets as environment variables
  externalConfiguration:
    env:
      - name: POSTGRES_USERNAME
        valueFrom:
          secretKeyRef:
            name: postgresql-k8s-secret
            key: username
      - name: POSTGRES_PASSWORD
        valueFrom:
          secretKeyRef:
            name: postgresql-k8s-secret
            key: password
      - name: SNOWFLAKE_PRIVATE_KEY
        valueFrom:
          secretKeyRef:
            name: snowflake-k8s-secret
            key: private_key

In the Snowflake sink connector yaml file I've set:

spec:
  class: com.snowflake.kafka.connector.SnowflakeSinkConnector
  config:
    ...
    snowflake.private.key: "${env:SNOWFLAKE_PRIVATE_KEY}"  

The same for the PostgreSQL source connector:

spec:
    ...
    database.user: "${env:POSTGRES_USERNAME}"                           # Environment variable for PostgreSQL username set in Kafka Connect
    database.password: "${env:POSTGRES_PASSWORD}"                       # Environment variable for PostgreSQL password set in Kafka Connect

After setting these parameters, everything is working fine.