gosnowflake
Connection caching like in the python driver
Issue description
Hi Team,
We use the terraform snowflake provider implemented by CZI and it's pretty much unusable with browser_auth due to every terraform plan and terraform apply creating a new browser tab for authentication.
This issue is due to the underlying dependency on the gosnowflake module which doesn't cache a connection.
It would be great if we could implement connection caching using secure-local-storage as implemented in the python connector?
This would allow the snowflake terraform provider to use this module without opening 100s of tabs when doing CRUD for 100s of resources.
also tracked in SNOW-505514
any progress on this?
https://github.com/snowflakedb/gosnowflake/pull/661 should implement this if i'm correct; which is released with 1.6.15
Add MultiFactor Authentication mechanism and caching for MFA/Id token. Fix issue where 405 error is thrown when S3 bucket acceleration is disabled.
(currently we're at 1.6.16)
Hey, thanks for the reply 🙌
I just bumped Snowflake-Labs/snowflake to 0.55, which appears to be using 1.6.16.
Running a terraform plan, I still get a browser tab popup for each thread (terraform parallelism parameter). Does this speak to an issue with the fix, or does the terraform provider not make use of the caching properly?
hi @larspettermadsstuen so for the ODBC, JDBC, and Python connectors for this feature to work, one needs to also enable it on the Snowflake side (documentation: Using Connection Caching to Minimize the Number of Prompts for Authentication). would it be possible to retry this after issuing
use role accountadmin;
alter account set allow_id_token = true; --if you wish to ever revert: alter account unset allow_id_token;
and see if it reduces the browser popups now? if it's still an issue, we'll look into it.
Hi, allow_id_token is already set to true in our account.
In any case, this occurs via the snowflake terraform provider, which doesn't use either of the mentioned connectors (?)
no, the provider uses the gosnowflake connector under the hood. we'll take a look what might be wrong with the connection caching behaviour even after 1.6.15, or what am I missing. Thank you for bearing with us while this is investigated!
👋 Checking in again - wondering if there has been any progress on this issue?
apparently i missed an update here - apologies! connection/mfa caching for the gosnowflake connector was implemented with https://github.com/snowflakedb/gosnowflake/pull/705 a couple of weeks ago, and released with 1.6.17
this resolves the issue from the standpoint of the gosnowflake connector - however for it to take effect in the terraform provider too, i see 2 steps necessary
- TF provider needs to be rebased to gosnowflake 1.6.17 (currently it's based on 1.6.16 which does not yet have this capability)
- this should automatically enable connection/mfa caching on Windows and Mac. For Linux, it might be necessary to expose the corresponding configuration settings ClientStoreTemporaryCredential/ClientRequestMfaToken which are not automatically enabled on this OS
but from the perspective of this library, the capability to enable (with 1.6.17) and disable (with upcoming next release) the feature is already there / will be shortly there.
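As an added example (not code from gosnowflake or the Terraform provider): a standard-library Go check that reads a gosnowflake-style DSN and reports whether externalbrowser logins would reuse a cached ID token on a given OS, following the defaults described in the comment above. The DSN parameter spelling clientStoreTemporaryCredential, the function name and the sample DSNs are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strconv"
	"strings"
)

// browserTokenCached reports whether a DSN using externalbrowser auth would
// reuse a cached ID token on the given GOOS value ("linux", "darwin", ...).
// Assumption: the DSN parameter mirrors the ClientStoreTemporaryCredential
// setting named in the thread, in lower camel case.
func browserTokenCached(dsn, goos string) (bool, error) {
	rawQuery := ""
	if i := strings.Index(dsn, "?"); i >= 0 {
		rawQuery = dsn[i+1:]
	}
	params, err := url.ParseQuery(rawQuery)
	if err != nil {
		return false, err
	}
	// Other authenticators (e.g. keypair) never open a browser tab.
	if !strings.EqualFold(params.Get("authenticator"), "externalbrowser") {
		return false, nil
	}
	// An explicit setting wins on every OS.
	if v := params.Get("clientStoreTemporaryCredential"); v != "" {
		return strconv.ParseBool(v)
	}
	// Per the thread: enabled automatically on Windows and Mac, not on Linux.
	return goos == "windows" || goos == "darwin", nil
}

func main() {
	// Constructed sample DSNs; account and user names are placeholders.
	samples := []string{
		"ci_user@example_account/db?authenticator=externalbrowser",
		"ci_user@example_account/db?authenticator=externalbrowser&clientStoreTemporaryCredential=true",
	}
	for _, dsn := range samples {
		for _, goos := range []string{"linux", "darwin"} {
			cached, err := browserTokenCached(dsn, goos)
			fmt.Printf("%-6s cached=%v err=%v  %s\n", goos, cached, err, dsn)
		}
	}
}
```

A result of false for an externalbrowser DSN means every new connection, such as each parallel Terraform thread, triggers its own browser prompt.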
Thank you!
closing as it has been released with v1.6.17
I don't think the latest version of the provider has been rebased on the v1.6.17 of gosnowflake, is there any workaround I can do at the moment?
this is the gosnowflake driver's repository, and the above comment seems to be about the snowflake terraform provider, so i feel it being in a little inappropriate place ;)
anyways, snowflake terraform provider versions 0.58.1 and up are already based on gosnowflake 1.6.17+. but there seems to be an issue still, which you can follow at https://github.com/Snowflake-Labs/terraform-provider-snowflake/issues/1700
workaround is not to use externalbrowser authentication i'm afraid, but e.g. keypair instead. but i still feel the snowflake terraform provider related discussions should be kept at the appropriate repo if that's possible