mirrors/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2025-08-22 23:21:08 +02:00
Code Issues Projects Releases Wiki Activity
vault/website/content/docs/secrets/databases/snowflake.mdx
Erica Thompson 0660ea6fac
Update README (#31244) 
* Update README

Let contributors know that docs will now be located in UDR

* Add comments to each mdx doc

Comment has been added to all mdx docs that are not partials

* chore: added changelog

changelog check failure

* wip: removed changelog

* Fix content errors

* Doc spacing

* Update website/content/docs/deploy/kubernetes/vso/helm.mdx

Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>

---------

Co-authored-by: jonathanfrappier <92055993+jonathanfrappier@users.noreply.github.com>
Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>
2025-07-22 08:12:22 -07:00

265 lines
11 KiB
Plaintext
Raw Permalink Blame History

---
layout: docs
page_title: Snowflake database secrets engine
description: >-
Snowflake is one of the supported plugins for the database secrets engine.
This plugin generates database credentials dynamically based on configured
roles for Snowflake hosted databases.
---
> [!IMPORTANT]
> **Documentation Update:** Product documentation, which were located in this repository under `/website`, are now located in [`hashicorp/web-unified-docs`](https://github.com/hashicorp/web-unified-docs), colocated with all other product documentation. Contributions to this content should be done in the `web-unified-docs` repo, and not this one. Changes made to `/website` content in this repo will not be reflected on the developer.hashicorp.com website.
# Snowflake database secrets engine
<Warning title="Password authentication removal">
Snowflake is disabling password authentication for all users in&nbsp;
<a href="https://www.snowflake.com/en/blog/blocking-single-factor-password-authentification">November of 2025.</a>
&nbsp;HashiCorp has added support for key pair authentication in place of passwords.
</Warning>
Snowflake is one of the supported plugins for the database secrets engine. This plugin
generates database credentials dynamically based on configured roles for Snowflake-hosted
databases and supports [Static Roles](/vault/docs/secrets/databases#static-roles).
See the [database secrets engine](/vault/docs/secrets/databases) docs for
more information about setting up the database secrets engine.
The Snowflake database secrets engine uses
[gosnowflake](https://pkg.go.dev/github.com/snowflakedb/gosnowflake).
## Capabilities
| Plugin Name | Root Credential Rotation | Dynamic Roles | Static Roles | Username Customization | Credential Types |
| --------------------------- | ------------------------ | ------------- | ------------ | ---------------------- |---------------------------|
| `snowflake-database-plugin` | Password-only | Yes | Yes | Yes (1.8+) | password(deprecated), rsa_private_key |
## Setup
1. Enable the database secrets engine if it is not already enabled:
```shell-session
$ vault secrets enable database
Success! Enabled the database secrets engine at: database/
```
By default, the secrets engine will enable at the name of the engine. To
enable the secrets engine at a different path, use the `-path` argument.
1. Configure Vault with userpass authentication:
```shell-session
$ vault write database/config/my-snowflake-database \
plugin_name=snowflake-database-plugin \
allowed_roles="my-role" \
connection_url="{{username}}:{{password}}@ecxxxx.west-us-1.azure/db_name" \
username="vaultuser" \
password="vaultpass"
```
A properly formatted data source name (DSN) needs to be provided during configuration of the
database. This DSN is typically formatted with the following options:
```shell-session
{{username}}:{{password}}@account/db_name
```
`{{username}}` and `{{password}}` will typically be used as is during configuration. The
special formatting is replaced by the username and password options passed to the configuration
for initial connection.
`account` is your Snowflake account identifier. You can find out more about this value by reading
the `server` section of
[this document](https://docs.snowflake.com/en/user-guide/odbc-parameters.html#connection-parameters).
`db_name` is the name of a database in your Snowflake instance.
~> **Note:** The user being utilized should have `ACCOUNT_ADMIN` privileges, and should be different
from the root user you were provided when making your Snowflake account. This allows you to rotate
the root credentials and still be able to access your account.
1. Configure Vault with keypair authentication:
```shell-session
$ vault write database/config/my-snowflake-database \
plugin_name=snowflake-database-plugin \
allowed_roles="my-role" \
connection_url="ecxxxx.west-us-1.azure.snowflakecomputing.com/db_name" \
username="vaultuser" \
private_key=@key.pem
```
You must provide properly formatted data source names (DSN) when you configure
the database in the following format. When using key-pair authentication, do not
provide any templates in the DSN:
```shell-session
<account>.snowflakecomputing.com/<db_name>
```
- `account` - your Snowflake account identifier. Refer to the
[`server` section](https://docs.snowflake.com/en/user-guide/odbc-parameters.html#connection-parameters)
of the connection parameters for Snowflake ODBC configuration for further details.
- `db_name` the name of a database in your Snowflake instance.
You must provide Vault with a Snowflake user that has `ACCOUNT_ADMIN` privileges. We
strongly recommend using a unique user account for Vault access so Vault can
rotate the associated root credentials without disrupting the account associated
with your Snowflake account or other Snowflake users on the account.
## Usage
After the secrets engine is configured, configure dynamic and static roles to
enable generating credentials.
### Dynamic roles
#### Password credentials
1. Configure a role that creates new Snowflake users with password credentials:
```shell-session
$ vault write database/roles/my-password-role \
db_name=my-snowflake-database \
creation_statements="CREATE USER {{name}} PASSWORD = '{{password}}'
DAYS_TO_EXPIRY = {{expiration}} DEFAULT_ROLE=myrole;
GRANT ROLE myrole TO USER {{name}};" \
default_ttl="1h" \
max_ttl="24h"
Success! Data written to: database/roles/my-password-role
```
1. Generate a new credential by reading from the `/creds` endpoint with the name
of the role:
```shell-session
$ vault read database/creds/my-password-role
Key Value
--- -----
lease_id database/creds/my-password-role/2f6a614c-4aa2-7b19-24b9-ad944a8d4de6
lease_duration 1h
lease_renewable true
password SsnoaA-8Tv4t34f41baD
username v_root_my_password_role_fU0jqEy4wMNoAY2h60yd_1610561532
```
#### Key pair credentials
1. Configure a role that creates new Snowflake users with key pair credentials:
```shell-session
$ vault write database/roles/my-keypair-role \
db_name=my-snowflake-database \
creation_statements="CREATE USER {{name}} RSA_PUBLIC_KEY='{{public_key}}'
DAYS_TO_EXPIRY = {{expiration}} DEFAULT_ROLE=myrole;
GRANT ROLE myrole TO USER {{name}};" \
credential_type="rsa_private_key" \
credential_config=key_bits=2048 \
default_ttl="1h" \
max_ttl="24h"
Success! Data written to: database/roles/my-keypair-role
```
1. Generate a new credential by reading from the `/creds` endpoint with the name
of the role:
```shell-session
$ vault read database/creds/my-keypair-role
Key Value
--- -----
lease_id database/creds/my-keypair-role/2f6a614c-4aa2-7b19-24b9-ad944a8d4de6
lease_duration 1h
lease_renewable true
rsa_private_key -----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
username v_token_my_keypair_role_n20WjS9U3LWTlBWn4Wbh_1654718170
```
You can directly use the PEM-encoded `rsa_private_key` value to establish a connection
to Snowflake. See [connection options](https://docs.snowflake.com/en/user-guide/key-pair-auth.html#step-6-configure-the-snowflake-client-to-use-key-pair-authentication)
for a list of clients and instructions for establishing a connection using key pair
authentication.
### Static roles
#### Password credentials
1. Configure a static role that rotates the password credential for an existing Snowflake user.
```shell-session
$ vault write database/static-roles/my-password-role \
db_name=my-snowflake-database \
username="snowflake_existing_user" \
rotation_period="24h" \
rotation_statements="ALTER USER {{name}} SET PASSWORD = '{{password}}'"
Success! Data written to: database/static-roles/my-password-role
```
1. Retrieve the current password credential from the `/static-creds` endpoint:
```shell-session
$ vault read database/static-creds/my-password-role
Key Value
--- -----
last_vault_rotation 2020-08-07T16:50:48.393354+01:00
password Z4-KH8F-VK5VJc0hSkXQ
rotation_period 24h
ttl 23h59m39s
username my-existing-couchbase-user
```
#### Key pair credentials
1. Configure a static role that rotates the key pair credential for an existing Snowflake user:
```shell-session
$ vault write database/static-roles/my-keypair-role \
db_name=my-snowflake-database \
username="snowflake_existing_user" \
rotation_period="24h" \
rotation_statements="ALTER USER {{name}} SET RSA_PUBLIC_KEY='{{public_key}}'" \
credential_type="rsa_private_key" \
credential_config=key_bits=2048
Success! Data written to: database/static-roles/my-keypair-role
```
1. Retrieve the current key pair credential from the `/static-creds` endpoint:
```shell-session
$ vault read database/static-creds/my-keypair-role
Key Value
--- -----
last_vault_rotation 2022-06-08T13:13:02.355928-07:00
rotation_period 24h
rsa_private_key -----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
ttl 23h59m55s
username snowflake_existing_user
```
You can directly use the PEM-encoded `rsa_private_key` value to establish a connection
to Snowflake. See [connection options](https://docs.snowflake.com/en/user-guide/key-pair-auth.html#step-6-configure-the-snowflake-client-to-use-key-pair-authentication)
for a list of clients and instructions for establishing a connection using key pair
authentication.
## Key pair authentication
Snowflake supports using [key pair authentication](https://docs.snowflake.com/en/user-guide/key-pair-auth.html)
for enhanced authentication security as an alternative to username and password authentication.
The Snowflake database plugin can be used to manage key pair credentials for Snowflake users
by using the `rsa_private_key` [credential_type](/vault/api-docs/secret/databases#credential_type).
See the [usage](/vault/docs/secrets/databases/snowflake#usage) section for examples using both
dynamic and static roles.
## API
The full list of configurable options can be seen in the [Snowflake database
plugin API](/vault/api-docs/secret/databases/snowflake) page.
For more information on the database secrets engine's HTTP API please see the
[Database secrets engine API](/vault/api-docs/secret/databases) page.
Reference in New Issue View Git Blame Copy Permalink