• Overview
    • Automated PKI Infrastructure
    • Data Encryption & Tokenization
    • Database Credential Rotation
    • Dynamic Secrets
    • Identity-based Access
    • Key Management
    • Kubernetes Secrets
    • Secrets Management
  • Enterprise
  • Tutorials
  • Docs
  • API
  • Community
GitHubTry Cloud
Download
    • v1.11.x (latest)
    • v1.10.x
    • v1.9.x
    • v1.8.x
    • v1.7.x
    • v1.6.x
    • v1.5.x
    • v1.4.x
  • What is Vault?
  • Use Cases
    • CLI Quick Start
    • HCP Quick Start
    • Developer Quick Start

  • Browser Support
  • Installing Vault
    • Overview
    • Architecture
    • High Availability
    • Integrated Storage
    • Security Model
    • Telemetry
    • Token Authentication
    • Key Rotation
    • Replication
    • Limits and Maximums
    • Overview
    • 'Dev' Server
    • Seal/Unseal
    • Namespace API Lock
    • Lease, Renew, and Revoke
    • Authentication
    • Tokens
    • Identity
    • OIDC Provider
    • Response Wrapping
    • Policies
    • Password Policies
    • Username Templating
    • High Availability
    • Storage
      • Overview
      • Autopilot
    • PGP, GnuPG, and Keybase
    • Recovery Mode
    • Resource Quotas
      • Overview
      • FAQ
    • Transform
    • Mount Migration
    • Overview
      • Overview
      • TCP
    • replication
      • Overview
      • AliCloud KMS
      • AWS KMS
      • Azure Key Vault
      • GCP Cloud KMS
      • OCI KMS
      • HSM PKCS11 ENT
      • Vault Transit
    • sentinel
      • Overview
      • Consul
      • Kubernetes
      • Overview
      • Aerospike
      • Alicloud OSS
      • Azure
      • Cassandra
      • CockroachDB
      • Consul
      • CouchDB
      • DynamoDB
      • Etcd
      • Filesystem
      • FoundationDB
      • Google Cloud Spanner
      • Google Cloud Storage
      • In-Memory
      • Manta
      • MSSQL
      • MySQL
      • OCI Object Storage
      • PostgreSQL
      • Integrated Storage (Raft)
      • S3
      • Swift
      • Zookeeper
    • telemetry
    • ui
    • Log Completed Requests
    • Entropy Augmentation ENT
    • kms_library ENT
    • Overview
    • agent
      • Overview
      • disable
      • enable
      • list
      • Overview
      • disable
      • enable
      • help
      • list
      • move
      • tune
    • debug
    • delete
      • Overview
      • delete
      • destroy
      • enable-versioning
      • get
      • list
      • metadata
      • patch
      • put
      • rollback
      • undelete
      • Overview
      • lookup
      • renew
      • revoke
      • Overview
      • get
      • inspect
    • list
    • login
    • monitor
    • namespace
      • Overview
      • diagnose
      • generate-root
      • init
      • key-status
      • members
      • migrate
      • raft
      • rekey
      • rotate
      • seal
      • step-down
      • unseal
      • usage
    • path-help
      • Overview
      • deregister
      • info
      • list
      • register
      • reload
      • Overview
      • delete
      • fmt
      • list
      • read
      • write
    • read
      • Overview
      • disable
      • enable
      • list
      • move
      • tune
    • server
    • ssh
    • status
      • Overview
      • capabilities
      • create
      • lookup
      • renew
      • revoke
    • unwrap
    • version
    • version-history
    • write
    • Token Helpers
    • Overview
      • Overview
        • Overview
        • AliCloud
        • AppRole
        • AWS
        • Azure
        • Cert
        • CF
        • GCP
        • JWT
        • Kerberos
        • Kubernetes
        • Overview
        • File
      • Overview
        • Overview
        • Kubernetes
    • Templates
    • Windows service

    • Overview
    • Active Directory
    • AliCloud
    • AWS
    • Azure
    • Consul
    • Cubbyhole
      • Overview
      • Cassandra
      • Couchbase
      • Elasticsearch
      • HanaDB
      • IBM Db2
      • InfluxDB
      • MongoDB
      • MongoDB Atlas
      • MSSQL
      • MySQL/MariaDB
      • Oracle
      • PostgreSQL
      • Redshift
      • Snowflake
      • Custom
    • Google Cloud
    • Google Cloud KMS
      • Overview
      • Identity Tokens
      • OIDC Identity Provider
      • Overview
      • Azure Key Vault
      • AWS KMS
      • GCP Cloud KMS
      • Overview
      • K/V Version 1
      • K/V Version 2
    • KMIP ENTERPRISE
    • Kubernetes
    • MongoDB Atlas
    • Nomad
    • OpenLDAP
      • Overview
      • Setup and Usage
      • Quick Start - Root CA Setup
      • Quick Start - Intermediate CA Setup
      • Considerations
      • Rotation Primitives
    • RabbitMQ
      • Overview
      • Signed Certificates
      • SSH OTP
      • Dynamic Key
    • Terraform Cloud
    • TOTP
      • Overview
      • FF3-1 Tweak Usage
      • Tokenization Transform ENTERPRISE
    • Transit
    • Venafi (Certificates)
    • Overview
    • AppRole
    • AliCloud
    • AWS
    • Azure
    • Cloud Foundry
    • GitHub
    • Google Cloud
      • Overview
      • OIDC Providers
    • Kerberos
    • Kubernetes
    • LDAP
      • Overview
      • FAQ
    • Oracle Cloud Infrastructure
    • Okta
    • RADIUS
    • TLS Certificates
    • Tokens
    • Username & Password

    • App ID DEPRECATED
    • Overview
    • File
    • Syslog
    • Socket
    • Overview
    • Plugin Architecture
    • Plugin Development
    • Plugin Management
    • Plugin Portal
  • Vault Integration Program
  • Troubleshoot

    • Overview
      • Overview
      • Agent Injector vs. Vault CSI Provider
        • Overview
        • Running Vault
        • Enterprise Licensing
        • Running Vault on OpenShift
        • Configuration
          • Overview
          • Development
          • Standalone with Load Balanced UI
          • Standalone with TLS
          • Standalone with Audit Storage
          • External Vault
          • Using Kubernetes Auth Method
          • HA Cluster with Consul
          • HA Cluster with Raft
          • HA Enterprise Cluster with Raft
          • HA Enterprise DR Clusters with Raft
          • HA Enterprise Performance Clusters with Raft
          • Vault Agent Injector TLS Configuration
          • Vault Agent Injector TLS with Cert-Manager
        • Overview
        • Annotations
        • Installation
        • Examples
        • Overview
        • Installation
        • Configurations
        • Examples
      • Overview
      • Vault Lambda Extension
      • Running Vault
      • Overview
      • Installation
      • Configuration
      • Troubleshooting
      • Overview
      • Installation
      • Configuration
      • Upgrading
      • Troubleshooting

    • Overview
    • Upgrade Plugins
    • Upgrade to 1.11.x
    • Upgrade to 1.10.x
    • Upgrade to 1.9.x
    • Upgrade to 1.8.x
    • Upgrade to 1.7.x
    • Upgrade to 1.6.3
    • Upgrade to 1.6.2
    • Upgrade to 1.6.1
    • Upgrade to 1.6.0
    • Upgrade to 1.5.3
    • Upgrade to 1.5.2
    • Upgrade to 1.5.1
    • Upgrade to 1.5.0
    • Upgrade to 1.4.6
    • Upgrade to 1.4.5
    • Upgrade to 1.4.4
    • Upgrade to 1.4.1
    • Upgrade to 1.4.0
    • Upgrade to 1.3.10
    • Upgrade to 1.3.9
    • Upgrade to 1.3.8
    • Upgrade to 1.3.5
    • Upgrade to 1.3.4
    • Upgrade to 1.3.3
    • Upgrade to 1.3.2
    • Upgrade to 1.3.0
    • Upgrade to 1.2.7
    • Upgrade to 1.2.6
    • Upgrade to 1.2.5
    • Upgrade to 1.2.4
    • Upgrade to 1.2.1
    • Upgrade to 1.2.0
    • Upgrade to 1.1.2
    • Upgrade to 1.1.1
    • Upgrade to 1.1.0
    • Upgrade to 1.0.0
    • Upgrade to 0.11.6
    • Upgrade to 0.11.2
    • Upgrade to 0.11.0
    • Upgrade to 0.10.4
    • Upgrade to 0.10.2
    • Upgrade to 0.10.0
    • Upgrade to 0.9.6
    • Upgrade to 0.9.3
    • Upgrade to 0.9.2
    • Upgrade to 0.9.1
    • Upgrade to 0.9.0
    • Upgrade to 0.8.0
    • Upgrade to 0.7.0
    • Upgrade to 0.6.4
    • Upgrade to 0.6.3
    • Upgrade to 0.6.2
    • Upgrade to 0.6.1
    • Upgrade to 0.6.0
    • Upgrade to 0.5.1
    • Upgrade to 0.5.0

    • Overview
    • 1.11.0
    • 1.10.0
    • 1.9.0
    • 1.8.0
    • 1.7.0
    • 1.6.0
    • 1.5.0

    • Overview
    • FAQ

    • Overview
    • Feature Deprecation Notice and Plans
    • License
    • Client Count
    • Login MFA
    • Server Side Consistent Token

  • Glossary

    • Overview
      • Overview
      • Autoloading
      • FAQ
    • Replication
      • Overview
      • Behavioral Changes
      • Security
    • Automated Integrated Storage Snapshots
    • Automated Upgrades
    • Redundancy Zones
    • Lease Count Quotas
    • Entropy Augmentation
      • Overview
      • FIPS 140-2 Inside Vault
      • Seal Wrap for FIPS 140-2
    • Seal Wrap
    • Namespaces
    • Performance Standbys
    • Eventual Consistency
    • Control Groups
    • Managed Keys
      • Overview
      • Duo MFA
      • Okta MFA
      • PingID MFA
      • TOTP MFA
      • Overview
      • Examples
      • Properties
    • HCP Vault

The Vault website is being redesigned to help you find what you are looking for more effectively.

Type '/' to Search

»Snowflake Database Secrets Engine

Snowflake is one of the supported plugins for the database secrets engine. This plugin generates database credentials dynamically based on configured roles for Snowflake-hosted databases and supports Static Roles.

See the database secrets engine docs for more information about setting up the database secrets engine.

The Snowflake database secrets engine uses gosnowflake.

»Capabilities

Plugin NameRoot Credential RotationDynamic RolesStatic RolesUsername CustomizationCredential Types
snowflake-database-pluginYesYesYesYes (1.8+)password, rsa_private_key

»Setup

  1. Enable the database secrets engine if it is not already enabled:

    $ vault secrets enable database
    Success! Enabled the database secrets engine at: database/
    
    $ vault secrets enable database
    Success! Enabled the database secrets engine at: database/
    

    By default, the secrets engine will enable at the name of the engine. To enable the secrets engine at a different path, use the -path argument.

  2. Configure Vault with the proper plugin and connection information:

    $ vault write database/config/my-snowflake-database \
        plugin_name=snowflake-database-plugin \
        allowed_roles="my-role" \
        connection_url="{{username}}:{{password}}@ecxxxx.west-us-1.azure/db_name" \
        username="vaultuser" \
        password="vaultpass"
    
    $ vault write database/config/my-snowflake-database \
        plugin_name=snowflake-database-plugin \
        allowed_roles="my-role" \
        connection_url="{{username}}:{{password}}@ecxxxx.west-us-1.azure/db_name" \
        username="vaultuser" \
        password="vaultpass"
    

    A properly formatted data source name (DSN) needs to be provided during configuration of the database. This DSN is typically formatted with the following options:

    {{username}}:{{password}}@account/db_name
    
    {{username}}:{{password}}@account/db_name
    

    {{username}} and {{password}} will typically be used as is during configuration. The special formatting is replaced by the username and password options passed to the configuration for initial connection.

    account is your Snowflake account identifier. You can find out more about this value by reading the server section of this document.

    db_name is the name of a database in your Snowflake instance.

    Note: The user being utilized should have ACCOUNT_ADMIN privileges, and should be different from the root user you were provided when making your Snowflake account. This allows you to rotate the root credentials and still be able to access your account.

»Usage

After the secrets engine is configured, configure dynamic and static roles to enable generating credentials.

»Dynamic Roles

»Password Credentials

  1. Configure a role that creates new Snowflake users with password credentials:

    $ vault write database/roles/my-password-role \
        db_name=my-snowflake-database \
        creation_statements="CREATE USER {{name}} PASSWORD = '{{password}}'
            DAYS_TO_EXPIRY = {{expiration}} DEFAULT_ROLE=myrole;
            GRANT ROLE myrole TO USER {{name}};" \
        default_ttl="1h" \
        max_ttl="24h"
    Success! Data written to: database/roles/my-password-role
    
    $ vault write database/roles/my-password-role \
        db_name=my-snowflake-database \
        creation_statements="CREATE USER {{name}} PASSWORD = '{{password}}'
            DAYS_TO_EXPIRY = {{expiration}} DEFAULT_ROLE=myrole;
            GRANT ROLE myrole TO USER {{name}};" \
        default_ttl="1h" \
        max_ttl="24h"
    Success! Data written to: database/roles/my-password-role
    
  2. Generate a new credential by reading from the /creds endpoint with the name of the role:

    $ vault read database/creds/my-password-role
    Key                Value
    ---                -----
    lease_id           database/creds/my-password-role/2f6a614c-4aa2-7b19-24b9-ad944a8d4de6
    lease_duration     1h
    lease_renewable    true
    password           SsnoaA-8Tv4t34f41baD
    username           v_root_my_password_role_fU0jqEy4wMNoAY2h60yd_1610561532
    
    $ vault read database/creds/my-password-role
    Key                Value
    ---                -----
    lease_id           database/creds/my-password-role/2f6a614c-4aa2-7b19-24b9-ad944a8d4de6
    lease_duration     1h
    lease_renewable    true
    password           SsnoaA-8Tv4t34f41baD
    username           v_root_my_password_role_fU0jqEy4wMNoAY2h60yd_1610561532
    

»Key Pair Credentials

  1. Configure a role that creates new Snowflake users with key pair credentials:

    $ vault write database/roles/my-keypair-role \
        db_name=my-snowflake-database \
        creation_statements="CREATE USER {{name}} RSA_PUBLIC_KEY='{{public_key}}'
          DAYS_TO_EXPIRY = {{expiration}} DEFAULT_ROLE=myrole;
          GRANT ROLE myrole TO USER {{name}};" \
        credential_type="rsa_private_key" \
        credential_config=key_bits=2048 \
        default_ttl="1h" \
        max_ttl="24h"
    Success! Data written to: database/roles/my-keypair-role
    
    $ vault write database/roles/my-keypair-role \
        db_name=my-snowflake-database \
        creation_statements="CREATE USER {{name}} RSA_PUBLIC_KEY='{{public_key}}'
          DAYS_TO_EXPIRY = {{expiration}} DEFAULT_ROLE=myrole;
          GRANT ROLE myrole TO USER {{name}};" \
        credential_type="rsa_private_key" \
        credential_config=key_bits=2048 \
        default_ttl="1h" \
        max_ttl="24h"
    Success! Data written to: database/roles/my-keypair-role
    
  2. Generate a new credential by reading from the /creds endpoint with the name of the role:

    $ vault read database/creds/my-keypair-role
    Key                Value
    ---                -----
    lease_id           database/creds/my-keypair-role/2f6a614c-4aa2-7b19-24b9-ad944a8d4de6
    lease_duration     1h
    lease_renewable    true
    rsa_private_key    -----BEGIN PRIVATE KEY-----
                       ...
                       -----END PRIVATE KEY-----
    username           v_token_my_keypair_role_n20WjS9U3LWTlBWn4Wbh_1654718170
    
    $ vault read database/creds/my-keypair-role
    Key                Value
    ---                -----
    lease_id           database/creds/my-keypair-role/2f6a614c-4aa2-7b19-24b9-ad944a8d4de6
    lease_duration     1h
    lease_renewable    true
    rsa_private_key    -----BEGIN PRIVATE KEY-----
                       ...
                       -----END PRIVATE KEY-----
    username           v_token_my_keypair_role_n20WjS9U3LWTlBWn4Wbh_1654718170
    

    You can directly use the PEM-encoded rsa_private_key value to establish a connection to Snowflake. See connection options for a list of clients and instructions for establishing a connection using key pair authentication.

»Static Roles

»Password Credentials

  1. Configure a static role that rotates the password credential for an existing Snowflake user.

    $ vault write database/static-roles/my-password-role \
        db_name=my-snowflake-database \
        username="snowflake_existing_user" \
        rotation_period="24h" \
        rotation_statements="ALTER USER {{name}} SET PASSWORD = '{{password}}'"
    Success! Data written to: database/static-roles/my-password-role
    
    $ vault write database/static-roles/my-password-role \
        db_name=my-snowflake-database \
        username="snowflake_existing_user" \
        rotation_period="24h" \
        rotation_statements="ALTER USER {{name}} SET PASSWORD = '{{password}}'"
    Success! Data written to: database/static-roles/my-password-role
    
  2. Retrieve the current password credential from the /static-creds endpoint:

    $ vault read database/static-creds/my-password-role
    Key                    Value
    ---                    -----
    last_vault_rotation    2020-08-07T16:50:48.393354+01:00
    password               Z4-KH8F-VK5VJc0hSkXQ
    rotation_period        24h
    ttl                    23h59m39s
    username               my-existing-couchbase-user
    
    $ vault read database/static-creds/my-password-role
    Key                    Value
    ---                    -----
    last_vault_rotation    2020-08-07T16:50:48.393354+01:00
    password               Z4-KH8F-VK5VJc0hSkXQ
    rotation_period        24h
    ttl                    23h59m39s
    username               my-existing-couchbase-user
    

»Key Pair Credentials

  1. Configure a static role that rotates the key pair credential for an existing Snowflake user:

    $ vault write database/static-roles/my-keypair-role \
        db_name=my-snowflake-database \
        username="snowflake_existing_user" \
        rotation_period="24h" \
        rotation_statements="ALTER USER {{name}} SET RSA_PUBLIC_KEY='{{public_key}}'" \
        credential_type="rsa_private_key" \
        credential_config=key_bits=2048
    Success! Data written to: database/static-roles/my-keypair-role
    
    $ vault write database/static-roles/my-keypair-role \
        db_name=my-snowflake-database \
        username="snowflake_existing_user" \
        rotation_period="24h" \
        rotation_statements="ALTER USER {{name}} SET RSA_PUBLIC_KEY='{{public_key}}'" \
        credential_type="rsa_private_key" \
        credential_config=key_bits=2048
    Success! Data written to: database/static-roles/my-keypair-role
    
  2. Retrieve the current key pair credential from the /static-creds endpoint:

    $ vault read database/static-creds/my-keypair-role
    Key                    Value
    ---                    -----
    last_vault_rotation    2022-06-08T13:13:02.355928-07:00
    rotation_period        24h
    rsa_private_key        -----BEGIN PRIVATE KEY-----
                           ...
                           -----END PRIVATE KEY-----
    ttl                    23h59m55s
    username               snowflake_existing_user
    
    $ vault read database/static-creds/my-keypair-role
    Key                    Value
    ---                    -----
    last_vault_rotation    2022-06-08T13:13:02.355928-07:00
    rotation_period        24h
    rsa_private_key        -----BEGIN PRIVATE KEY-----
                           ...
                           -----END PRIVATE KEY-----
    ttl                    23h59m55s
    username               snowflake_existing_user
    

    You can directly use the PEM-encoded rsa_private_key value to establish a connection to Snowflake. See connection options for a list of clients and instructions for establishing a connection using key pair authentication.

»Key Pair Authentication

Snowflake supports using key pair authentication for enhanced authentication security as an alternative to username and password authentication. The Snowflake database plugin can be used to manage key pair credentials for Snowflake users by using the rsa_private_key credential_type.

See the usage section for examples using both dynamic and static roles.

»API

The full list of configurable options can be seen in the Snowflake database plugin API page.

For more information on the database secrets engine's HTTP API please see the Database secrets engine API page.

github logoEdit this page
DocsAPILearnCommunityPrivacySecurityPress KitConsent Manager