terraform-provider-snowflake
Connection Caching For External Browser Auth
Is your feature request related to a problem? Please describe.
While using the snowflake provider with externalbrowser authentication, hundreds of tabs are opened in the browser as it re-authenticates for every resource. This makes the provider very hard to use with externalbrowser authentication.
Describe the solution you'd like
Connection caching is now supported by gosnowflake. https://github.com/snowflakedb/gosnowflake/issues/486 We need to determine what additional work is needed to get it to work with terraform.
Describe alternatives you've considered
The alternative is to either accept very slow performance and the provider taking over my browser for the entire time of an apply due to opening many tabs or to use another form of authorization. For companies where SSO or MFA is required for human users, using other authorization is not an option.
Additional context
Terraform Version: 1.4.1
Provider Version: 0.61.0
OS Version: MacOS 13.3
+1 to this. Human users should definitely not be using Private Keys and Passwords, so without Terraform Cloud there's no compliant way to perform operations from local.
+1 I'm having the same issue, our team is having to do all operations via CI - can't do anything from local without connection caching.
@kallangerard and @fh-dustin-winslow : thank you for the bump. The best way to get priority for these tickets is to raise a support ticket within snowflake. Of course submitting a PR is even better. However, my Go skills are pretty basic so I have yet to contribute to this repo.
@DustinMoriarty I took a stab at this here - https://github.com/Snowflake-Labs/terraform-provider-snowflake/pull/1913. I'm actually not sure why this wasn't auto-enabled on non-Linux platforms, my read of the code is that it should have worked but clearly it didn't.
Note that you need to explicitly enable ID token support on the Snowflake account, using ACCOUNTADMINISTRATOR.
@jcourteau : Fantastic! Thanks for taking this on!
We've been banging our heads against this for a while too and I finally found the real cause. It appears the go compile method used to produce the darwin OS builds lacks the keychain bits needed. It's due to the way the keyring project (github.com/99designs/keyring) builds in what I'm assuming is either a cross compile or docker based image that lacks the necessary keychain includes. Since that is not present in the resulting binaries, the keyring falls back to the file based method, which generates error messages like this from debug logging in a terraform run (I did this by setting the debug log level for the underlying go snowflake driver):
2024-01-30T16:16:19.395-0700 [DEBUG] provider.terraform-provider-snowflake_v0.84.1: time="2024-01-30T16:16:19-07:00" level=debug msg="Failed to find the item in keychain or item does not exist. Error: No directory provided for file keyring" func="gosnowflake.(*defaultLogger).Debugf" file="log.go:148"
2024-01-30T16:16:22.153-0700 [DEBUG] provider.terraform-provider-snowflake_v0.84.1: time="2024-01-30T16:16:22-07:00" level=debug msg="Failed to write to keychain. Err: No directory provided for file keyring" func="gosnowflake.(*defaultLogger).Debugf" file="log.go:148"
That's what led me to the keyring package, as those error messages are only found in its file based implementation.
I compiled the latest tag, 0.84.1, on my Mac with Xcode and lo and behold, my ExternalBrowser auth prompted me for keychain access to make an entry and properly used that value for what would normally have opened about 35 browser auth tabs.
From this issue on the keyring project (https://github.com/99designs/keyring/issues/78) this repo probably isn't the only one experiencing this issue. We either need to compile the darwin builds on a real osx host, or get the cross compile options to work correctly and support the keychain bits.
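An added check (example code, not from the provider or from anyone in this thread) that scans a Terraform debug log for the gosnowflake keyring messages quoted above and reports whether the external-browser token cache fell back to the file backend. The sample log lines are constructed from the ones shown; the environment variable names are the ones mentioned in the thread.

```shell
# Constructed sample log lines modelled on the output quoted in the thread.
SAMPLE_LOG='2024-01-30T16:16:19.395-0700 [DEBUG] provider.terraform-provider-snowflake_v0.84.1: time="2024-01-30T16:16:19-07:00" level=debug msg="Failed to find the item in keychain or item does not exist. Error: No directory provided for file keyring" func="gosnowflake.(*defaultLogger).Debugf" file="log.go:148"
2024-01-30T16:16:22.153-0700 [DEBUG] provider.terraform-provider-snowflake_v0.84.1: time="2024-01-30T16:16:22-07:00" level=debug msg="Failed to write to keychain. Err: No directory provided for file keyring" func="gosnowflake.(*defaultLogger).Debugf" file="log.go:148"
2024-01-30T16:16:25.000-0700 [DEBUG] provider.terraform-provider-snowflake_v0.84.1: unrelated line'

# count_keyring_fallbacks LOGTEXT -> prints the number of log lines in which
# gosnowflake reported "No directory provided for file keyring", i.e. the
# keyring library used its file backend instead of the OS keychain.
# "|| true" keeps the function's exit status 0 when there are no matches.
count_keyring_fallbacks() {
  printf '%s\n' "$1" | grep -c 'No directory provided for file keyring' || true
}

# token_cache_status LOGTEXT -> "file-fallback" when the fallback was seen,
# "keychain-or-unknown" otherwise. A clean log does not prove the keychain
# was used; it only means the file-backend error did not appear.
token_cache_status() {
  if [ "$(count_keyring_fallbacks "$1")" -gt 0 ]; then
    echo "file-fallback"
  else
    echo "keychain-or-unknown"
  fi
}

# Typical use after a run such as (variables as named in this thread):
#   TF_LOG=DEBUG SF_TF_GOSNOWFLAKE_LOG_LEVEL=debug terraform plan 2> tf-debug.log
#   token_cache_status "$(cat tf-debug.log)"
echo "keyring fallback lines: $(count_keyring_fallbacks "$SAMPLE_LOG")"
echo "token cache status:     $(token_cache_status "$SAMPLE_LOG")"
```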
Probably due to this fix https://github.com/Snowflake-Labs/terraform-provider-snowflake/pull/2613, this issue has been resolved after the 0.87.3-pre version!
related: https://github.com/Snowflake-Labs/terraform-provider-snowflake/issues/2047#issuecomment-2006127073
Hey @DustinMoriarty, @kallangerard, @fh-dustin-winslow, @jcourteau, @thomas-tomlinson. Could you please verify and confirm that a prerelease version 0.87.3-pre works for you? I want to release this patch as part of the 0.88.0 version officially, but first, I want to confirm that it works for various systems, so please add the OS version used.
Thanks @sfc-gh-asawicki for the update. I've asked one of my former workers (@jamesye9) to give this a test run.
@thomas-tomlinson @sfc-gh-asawicki I can confirm version 0.87.3-pre works! It asked once for approval to write to the keychain and logged in to Snowflake through the browser, and after that no new browser tab opened!
I tested this in 0.88.0. It appears to be resolved. Thank you @sfc-gh-swinkler ! This is fantastic!
Closing as confirmed.
~This still doesn't work on Linux using the latest version of the provider~
It does work after setting SNOWFLAKE_CLIENT_STORE_TEMPORARY_CREDENTIAL=1. Would be nice to add this to the docs.
Good to see another confirmation of it working after all :) For documentation, I see it's already included in https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/v0.93.0/docs/index.md
I have a configuration where I use multiple Snowflake provider setups in the one project for the different roles used to deploy resources. When I use the cached creds with externalbrowser, it gives an "Incorrect username or password was specified" error for the resources created with one of the providers. Which ones error will occasionally swap. Are the cached creds/ID token role specific?
Hey @rorydonaldson
Could you create a separate gh issue on that with logs included? Make sure to set the TF_LOG=DEBUG, SF_TF_NO_INSTRUMENTED_SQL=1, and SF_TF_GOSNOWFLAKE_LOG_LEVEL=trace environment variables for detailed logs. Also, include the provider configs you have right now (you don't have to put exact values, just replace sensitive values, but it's useful to see what is set and if anything is repeating between the provider configs).