The private key PEM file has incorrect line endings or encoding (e.g., Windows CRLF). The private key is provided as a string but is missing newlines required for PEM format. The private key is encrypted (passphrase-protected) but no passphrase was provided. The wrong key type was used (RSA is required; EC keys are not supported). The private_key parameter was passed as a file path string instead of the key bytes/object

Load the key correctly: use cryptography.hazmat.primitives.serialization.load_pem_private_key(key_bytes, password=None).. If the key is passphrase-protected, pass the passphrase: load_pem_private_key(key_bytes, password=b'mypassphrase').. Verify the key file format: openssl rsa -in private_key.p8 -check should return 'RSA key ok'.. Ensure the key is RSA 2048-bit or higher — Snowflake does not support EC keys for JWT auth.. When reading from env var, decode base64 if the key was stored base64-encoded: base64.b64decode(os.environ['PRIVATE_KEY']).

High severityauthenticationSnowflake →

Power BI Refresh Error:
251008

What does this error mean?

The private key provided for key-pair authentication is malformed, incorrectly formatted, or cannot be loaded by the Python connector. Snowflake cannot validate the JWT assertion needed to authenticate.

Common causes

1The private key PEM file has incorrect line endings or encoding (e.g., Windows CRLF)
2The private key is provided as a string but is missing newlines required for PEM format
3The private key is encrypted (passphrase-protected) but no passphrase was provided
4The wrong key type was used (RSA is required; EC keys are not supported)
5The private_key parameter was passed as a file path string instead of the key bytes/object

How to fix it

1Load the key correctly: use cryptography.hazmat.primitives.serialization.load_pem_private_key(key_bytes, password=None).
2If the key is passphrase-protected, pass the passphrase: load_pem_private_key(key_bytes, password=b'mypassphrase').
3Verify the key file format: openssl rsa -in private_key.p8 -check should return 'RSA key ok'.
4Ensure the key is RSA 2048-bit or higher — Snowflake does not support EC keys for JWT auth.
5When reading from env var, decode base64 if the key was stored base64-encoded: base64.b64decode(os.environ['PRIVATE_KEY']).

Frequently asked questions

How should I pass the private key to the connector?

Load the PEM bytes, deserialize with load_pem_private_key, then pass the resulting object to private_key in connect(). See the Snowflake key pair auth docs for a complete example.

Can I store the private key in an environment variable?

Yes — store it base64-encoded and decode it at runtime. Avoid storing raw PEM in env vars as whitespace handling across shells can corrupt the key.

Official documentation: https://github.com/snowflakedb/snowflake-connector-python/blob/main/src/snowflake/connector/errorcode.py