
[Enhancement]: Snowflake forcing key-pair authentication November 2025

Open jhughes-naic opened this issue 9 months ago • 0 comments

Description

Snowflake is updating its security requirements for users. Specifically, "service account" will no longer support "password" authentication and will move to OAuth or key-pair only. It appears that the current version of the Vault provider (4.6.0) does not support key-pair rotations. The resource "vault_database_secret_backend_static_role" does not include a 'connection_type' to specify key-pair. Additionally, the "vault_database_secret_backend_connection" resource does not allow for key-pair either, which needs to be addressed. This may be a general issue with Vault. I also do not see key-pair support for the "root credentials".

In order for Vault, and the Vault Terraform provider, to continue to work past 11/2025, a key-pair solution will need to be created. If I'm missing something and a solution is already available, please point me in the right direction.

https://developer.hashicorp.com/vault/docs/secrets/databases/snowflake#key-pair-credentials-1
https://www.snowflake.com/en/blog/blocking-single-factor-password-authentification/

Related: https://github.com/hashicorp/terraform-provider-vault/issues/1585

Affected Resource(s) and/or Data Source(s)

vault_database_secret_backend_static_role
vault_database_secret_backend_connection

Potential Terraform Configuration

# Proposed configuration from the issue: the `private_key` argument of the
# snowflake block and the {{private_key}} / {{public_key}} template values do
# not exist in provider 4.6.0; they are what this enhancement asks for.
resource "vault_database_secret_backend_connection" "snowflake" {
  backend       = vault_mount.db.path
  name          = "snowflake"
  allowed_roles = ["*"]
  # root_rotation_statements is a list of strings in the provider schema
  root_rotation_statements = ["ALTER USER {{name}} SET RSA_PUBLIC_KEY = '{{public_key}}'"]

  snowflake {
    connection_url = "{{username}}:{{private_key}}@${var.connection_url}"
    username       = local.admin_username
    private_key    = local.admin_private_key
  }
}

resource "vault_database_secret_backend_static_role" "snowflake_role" {
  name                = "my-period-role"
  backend             = vault_mount.db.path
  db_name             = vault_database_secret_backend_connection.snowflake.name
  username            = "example"
  rotation_period     = "31536000"
  # {{public_key}} would be filled by Vault with the newly generated public key
  rotation_statements = ["ALTER USER \"{{name}}\" SET RSA_PUBLIC_KEY = '{{public_key}}';"]
}

References

https://developer.hashicorp.com/vault/docs/secrets/databases/snowflake#key-pair-credentials-1
https://www.snowflake.com/en/blog/blocking-single-factor-password-authentification/

https://github.com/hashicorp/terraform-provider-vault/issues/1585

Would you like to implement a fix?

No

jhughes-naic, Jan 31 '25 21:01
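As an added example (not code from the issue, the provider, or Vault), the shell functions below render the rotation statement proposed above from a freshly generated RSA key and compute the fingerprint Snowflake reports as RSA_PUBLIC_KEY_FP in DESCRIBE USER, so an operator can confirm that the key Vault holds is the one registered on the service account. It assumes openssl is installed and that {{public_key}} expands to the PEM body with the BEGIN/END lines stripped, which is the form Snowflake's ALTER USER ... SET RSA_PUBLIC_KEY expects.

```shell
# Added example; assumes openssl is available on PATH.

# Generate an unencrypted 2048-bit RSA private key (PKCS#8 PEM) into $1.
gen_private_key() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
}

# Snowflake's RSA_PUBLIC_KEY takes the PEM body only: no BEGIN/END lines
# and no line breaks. $1 is the private key file.
snowflake_pubkey_value() {
  openssl rsa -in "$1" -pubout 2>/dev/null | grep -v -- '-----' | tr -d '\n'
}

# Fingerprint in the format Snowflake shows as RSA_PUBLIC_KEY_FP:
# "SHA256:" + base64(sha256(DER-encoded SubjectPublicKeyInfo)).
snowflake_fingerprint() {
  printf 'SHA256:%s' "$(openssl rsa -in "$1" -pubout -outform DER 2>/dev/null \
    | openssl dgst -sha256 -binary | openssl enc -base64 | tr -d '\n')"
}

# Render the static-role rotation statement after substituting {{name}} ($1)
# and {{public_key}} ($2), the way Vault would before sending it to Snowflake.
render_rotation_statement() {
  printf "ALTER USER \"%s\" SET RSA_PUBLIC_KEY = '%s';" "$1" "$2"
}
```

Compare the output of snowflake_fingerprint against RSA_PUBLIC_KEY_FP from DESCRIBE USER on the Snowflake side; a mismatch means the key in Vault is not the one the account will accept.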