SNOWFLAKE_PRIVATE_KEY / --private-key (PEM string in env/flag) does not work: PEM must be deserialized to DER bytes before passing to connector

[togishub]

Problem

The MCP server supports authentication/connection via:

• --private-key CLI flag
• SNOWFLAKE_PRIVATE_KEY environment variable

Documentation and CLI args suggest you can pass the PEM text (i.e. the output of cat mykey.p8).

However, tracing the usage in the code reveals that:

• The raw PEM string (i.e. -----BEGIN PRIVATE KEY-----...) is passed straight into the private_key parameter of snowflake.connector.connect()
• The Snowflake connector does NOT accept PEM strings here. It expects DER-encoded bytes (or an in-memory key object)
• Result: any attempt to use SNOWFLAKE_PRIVATE_KEY or --private-key (PEM string) fails with:

  Failed to load private key: Could not deserialize key data. Please provide a valid unencrypted rsa private key in DER format as bytes object

This is a code bug:

• There is currently NO code in MCP that deserializes the PEM content before passing to the connector
• So the --private-key and SNOWFLAKE_PRIVATE_KEY features are effectively nonfunctional

Steps to reproduce

1. Place your PEM key in the env:

   export SNOWFLAKE_PRIVATE_KEY="$(cat mykey.p8)"

2. Run MCP with key pair auth using the above
3. Observe error

Expected

• Setting SNOWFLAKE_PRIVATE_KEY to PEM content should "just work" as documented/expected
• Server should deserialize the PEM to DER bytes before passing to connector
• (Bonus) Deserializing to in-memory key object would also enable auto-re-auth (fix token expiry)

Actual

• Server passes raw PEM text to connect() → connector fails with Could not deserialize key data error
• Only --private-key-file/SNOWFLAKE_PRIVATE_KEY_FILE works, but does not support seamless session re-authentication

Impact

• Key pair authentication via env-only and Docker secrets is essentially broken
• Documentation and flags are misleading and do not work as advertised
• Related: auto-re-authentication for token expiry (Authentication token expiry causes all tool calls to fail until server restart (no auto-reconnect on expired token) #176) is impossible, since only DER bytes/in-memory key would enable it

References

• Snowflake Python Connector: private_key format docs
• Related issue (token expiry bug): Authentication token expiry causes all tool calls to fail until server restart (no auto-reconnect on expired token) #176

---

Please fix the code to support PEM private key in env / CLI, converting it to DER or key object as required by the connector.