[Enhancement]: Snowflake forcing key-pair authentication November 2025 #2399

Open

jhughes-naic opened this issue Jan 31, 2025 · 0 comments

Comments

@jhughes-naic

Description

Snowflake is updating its security requirements for users. Specifically, "service accounts" will no longer support "password" authentication and will move to OAuth or key-pair only. It appears that the current version of the Vault provider (4.6.0) does not support key-pair rotations. The resource "vault_database_secret_backend_static_role" does not include a 'connection_type' to specify key-pair. Additionally, the "vault_database_secret_backend_connection" resource does not allow for key-pair either, which needs to be addressed. This may be a general issue with Vault. I also do not see key-pair support for the "root credentials".

In order for Vault, and the Vault Terraform provider, to continue to work past 11/2025, a key-pair solution will need to be created. If I'm missing something and a solution is already available, please point me in the right direction.

https://developer.hashicorp.com/vault/docs/secrets/databases/snowflake#key-pair-credentials-1
https://www.snowflake.com/en/blog/blocking-single-factor-password-authentification/

Related: #1585

Affected Resource(s) and/or Data Source(s)

vault_database_secret_backend_static_role
vault_database_secret_backend_connection

Potential Terraform Configuration

```hcl
# Proposed syntax from this issue: the `private_key` argument and the
# {{private_key}} / {{public_key}} template fields do not exist in provider 4.6.0.
resource "vault_database_secret_backend_connection" "snowflake" {
  backend       = vault_mount.db.path
  name          = "snowflake"
  allowed_roles = ["*"]
  # root_rotation_statements is a list of strings in the provider
  root_rotation_statements = ["ALTER USER {{name}} SET RSA_PUBLIC_KEY = '{{public_key}}'"]

  snowflake {
    connection_url = "{{username}}:{{private_key}}@${var.connection_url}"
    username       = local.admin_username
    private_key    = local.admin_private_key
  }
}

resource "vault_database_secret_backend_static_role" "snowflake_role" {
  name                = "my-period-role"
  backend             = vault_mount.db.path
  db_name             = vault_database_secret_backend_connection.snowflake.name
  username            = "example"
  rotation_period     = "31536000"
  rotation_statements = ["ALTER USER \"{{name}}\" SET RSA_PUBLIC_KEY = '{{public_key}}';"]
}
```

References

https://developer.hashicorp.com/vault/docs/secrets/databases/snowflake#key-pair-credentials-1
https://www.snowflake.com/en/blog/blocking-single-factor-password-authentification/

#1585

Would you like to implement a fix?

No
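Added example (not from the issue, the Vault provider, or Snowflake): what the `{{public_key}}` substitution in the rotation statements above has to produce, and how an operator can verify a rotation landed. Snowflake's `RSA_PUBLIC_KEY` parameter takes the base64 DER body of a PEM public key with the BEGIN/END lines and line breaks removed, and `DESCRIBE USER` reports the key as `RSA_PUBLIC_KEY_FP` = `SHA256:` + base64(sha256(DER)), so the same fingerprint computed locally confirms the stored key. Assumes the `cryptography` package is installed; the key and user name are generated here as sample data.

```python
import base64
import hashlib
import re

from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa

# Body between the armour lines of a SubjectPublicKeyInfo ("PUBLIC KEY") PEM.
PEM_BODY = re.compile(r"-----BEGIN PUBLIC KEY-----(.*?)-----END PUBLIC KEY-----", re.S)


def generate_keypair(bits=2048):
    """Fresh RSA key: the private half stays in the secrets manager (Vault),
    only the public half is pushed to Snowflake."""
    return rsa.generate_private_key(public_exponent=65537, key_size=bits)


def public_key_pem(key):
    return key.public_key().public_bytes(
        serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo
    ).decode()


def snowflake_public_key_value(pem):
    """RSA_PUBLIC_KEY accepts only the base64 DER body: no armour lines, no newlines."""
    m = PEM_BODY.search(pem)
    if not m:
        raise ValueError("not a PEM-encoded SubjectPublicKeyInfo public key")
    return "".join(m.group(1).split())


def snowflake_fingerprint(pem):
    """Value Snowflake shows as RSA_PUBLIC_KEY_FP: 'SHA256:' + base64(sha256(DER))."""
    der = base64.b64decode(snowflake_public_key_value(pem))
    return "SHA256:" + base64.b64encode(hashlib.sha256(der).digest()).decode()


def rotation_statement(user, pem):
    """The issue's rotation template with {{name}} and {{public_key}} filled in.
    The user is a double-quoted identifier, so embedded quotes are doubled."""
    ident = user.replace('"', '""')
    value = snowflake_public_key_value(pem)
    return f"ALTER USER \"{ident}\" SET RSA_PUBLIC_KEY = '{value}';"


if __name__ == "__main__":
    pem = public_key_pem(generate_keypair())
    print(rotation_statement("example", pem))
    print("after rotation, DESCRIBE USER should show RSA_PUBLIC_KEY_FP =", snowflake_fingerprint(pem))
```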
