Snowflake is one of the supported plugins for the database secrets engine. This plugin
generates database credentials dynamically based on configured roles for Snowflake-hosted
databases and supports Static Roles.
See the database secrets engine docs for
more information about setting up the database secrets engine.
The Snowflake database secrets engine uses
gosnowflake.
A properly formatted data source name (DSN) needs to be provided during configuration of the
database. This DSN is typically formatted with the following options:
{{username}}:{{password}}@account/db_name
{{username}}:{{password}}@account/db_name
{{username}} and {{password}} will typically be used as is during configuration. The
special formatting is replaced by the username and password options passed to the configuration
for initial connection.
account is your Snowflake account identifier. You can find out more about this value by reading
the server section of
this document.
db_name is the name of a database in your Snowflake instance.
Note: The user being utilized should have ACCOUNT_ADMIN privileges, and should be different
from the root user you were provided when making your Snowflake account. This allows you to rotate
the root credentials and still be able to access your account.
Configure a role that creates new Snowflake users with password credentials:
$vault write database/roles/my-password-role \db_name=my-snowflake-database \creation_statements="CREATE USER {{name}} PASSWORD = '{{password}}' DAYS_TO_EXPIRY = {{expiration}} DEFAULT_ROLE=myrole; GRANT ROLE myrole TO USER {{name}};"\default_ttl="1h"\max_ttl="24h"Success! Data written to: database/roles/my-password-role
$vault write database/roles/my-password-role \db_name=my-snowflake-database \creation_statements="CREATE USER {{name}} PASSWORD = '{{password}}' DAYS_TO_EXPIRY = {{expiration}} DEFAULT_ROLE=myrole; GRANT ROLE myrole TO USER {{name}};"\default_ttl="1h"\max_ttl="24h"Success! Data written to: database/roles/my-password-role
Generate a new credential by reading from the /creds endpoint with the name
of the role:
Configure a role that creates new Snowflake users with key pair credentials:
$vault write database/roles/my-keypair-role \db_name=my-snowflake-database \creation_statements="CREATE USER {{name}} RSA_PUBLIC_KEY='{{public_key}}' DAYS_TO_EXPIRY = {{expiration}} DEFAULT_ROLE=myrole; GRANT ROLE myrole TO USER {{name}};"\credential_type="rsa_private_key"\credential_config=key_bits=2048\default_ttl="1h"\max_ttl="24h"Success! Data written to: database/roles/my-keypair-role
$vault write database/roles/my-keypair-role \db_name=my-snowflake-database \creation_statements="CREATE USER {{name}} RSA_PUBLIC_KEY='{{public_key}}' DAYS_TO_EXPIRY = {{expiration}} DEFAULT_ROLE=myrole; GRANT ROLE myrole TO USER {{name}};"\credential_type="rsa_private_key"\credential_config=key_bits=2048\default_ttl="1h"\max_ttl="24h"Success! Data written to: database/roles/my-keypair-role
Generate a new credential by reading from the /creds endpoint with the name
of the role:
You can directly use the PEM-encoded rsa_private_key value to establish a connection
to Snowflake. See connection options
for a list of clients and instructions for establishing a connection using key pair
authentication.
Configure a static role that rotates the password credential for an existing Snowflake user.
$vault write database/static-roles/my-password-role \db_name=my-snowflake-database \username="snowflake_existing_user"\rotation_period="24h"\rotation_statements="ALTER USER {{name}} SET PASSWORD = '{{password}}'"Success! Data written to: database/static-roles/my-password-role
$vault write database/static-roles/my-password-role \db_name=my-snowflake-database \username="snowflake_existing_user"\rotation_period="24h"\rotation_statements="ALTER USER {{name}} SET PASSWORD = '{{password}}'"Success! Data written to: database/static-roles/my-password-role
Retrieve the current password credential from the /static-creds endpoint:
Configure a static role that rotates the key pair credential for an existing Snowflake user:
$vault write database/static-roles/my-keypair-role \db_name=my-snowflake-database \username="snowflake_existing_user"\rotation_period="24h"\rotation_statements="ALTER USER {{name}} SET RSA_PUBLIC_KEY='{{public_key}}'"\credential_type="rsa_private_key"\credential_config=key_bits=2048Success! Data written to: database/static-roles/my-keypair-role
$vault write database/static-roles/my-keypair-role \db_name=my-snowflake-database \username="snowflake_existing_user"\rotation_period="24h"\rotation_statements="ALTER USER {{name}} SET RSA_PUBLIC_KEY='{{public_key}}'"\credential_type="rsa_private_key"\credential_config=key_bits=2048Success! Data written to: database/static-roles/my-keypair-role
Retrieve the current key pair credential from the /static-creds endpoint:
You can directly use the PEM-encoded rsa_private_key value to establish a connection
to Snowflake. See connection options
for a list of clients and instructions for establishing a connection using key pair
authentication.
Snowflake supports using key pair authentication
for enhanced authentication security as an alternative to username and password authentication.
The Snowflake database plugin can be used to manage key pair credentials for Snowflake users
by using the rsa_private_keycredential_type.
See the usage section for examples using both
dynamic and static roles.
