
terraform cannot provision snowflake secret engine role with credential_type="rsa_public_key" #1585

Open
breathe opened this issue Aug 18, 2022 · 5 comments · May be fixed by #2384

Comments


breathe commented Aug 18, 2022

Apologies if I misuse some terraform nomenclature as I consume terraform-provider-vault via pulumi. But from what I can tell it's not possible to provision a snowflake secret engine role with credential_type="rsa_public_key" from terraform.

The snowflake secrets engine supports configuration options for creating rsa based authentication which, from what I can tell, cannot be specified when provisioning a vault_database_secret_backend_role using the snowflake secrets engine.

In particular, in order to provision users with rsa_private_key auth rather than password auth, the role needs to be created with credential_type="rsa_private_key" -- without specifying that parameter the vault secrets engine doesn't pass an appropriate value for the {{public_key}} template parameter when rendering the creation statements and an error like this is produced when attempting to read the secret ...

```console
ncohen@m1-max-toast ~/f/o/i/a/secrets (main)> vault read dev_us_snowflake/creds/SOME_SERVICE
Error reading dev_us_snowflake/creds/SOME_SERVICE: Error making API request.

URL: GET https://vault.somewhere.net/v1/dev_us_snowflake/creds/SOME_SERVICE
Code: 500. Errors:

* 1 error occurred:
	* 003065 (42601): SQL execution error:
New public key rejected by current policy. Reason: 'Invalid public key'
```

I'm able to make the above command succeed if I manually provision the role with a command like this:

```shell
vault write dev_us_snowflake/roles/SOME_SERVICE \
    db_name=snowflake-connection \
    creation_statements="CREATE USER \"{{name}}\" RSA_PUBLIC_KEY='{{public_key}}'
    DAYS_TO_EXPIRY = {{expiration}} DEFAULT_ROLE= SOME_SERVICE_ROLE_DEV;
    GRANT ROLE SOME_SERVICE_ROLE_DEV TO USER \"{{name}}\";" \
    credential_type="rsa_private_key" \
    credential_config=key_bits=2048 \
    default_ttl="1h" \
    max_ttl="1h" \
    credential_config=format="pkcs8"
```

But the equivalent terraform version of the above will fail because there is no way to specify credential_type. (nor I believe is there a way to specify any other credential_config's -- but that is less important)

Affected Resource(s)

  • vault_database_secret_backend_role (when backend=snowflake, this ought to accept credential_type somehow ...)
  • snowflake secret engine configuration options

References


jhfeng commented Dec 5, 2023

I'm getting the same error today. Does anyone know whether this issue has a solution or not?

fairclothjm (Contributor) commented

@jhfeng @breathe Hello, sorry you are having trouble.

Have you tried setting the credential_type field on the database_secret_backend_role?

If this isn't working, can you please provide the terraform config to reproduce the issue and any relevant logs or errors? Thanks!


jhfeng commented Dec 6, 2023

@fairclothjm I tested database_secret_backend_role, that seems to work. The problem is only with the static role.
Here's the code and error:

```hcl
 1 terraform {
 2   required_providers {
 3     vault = {
 4       source = "hashicorp/vault"
 5     }
 6   }
 7 }
 8
 9 resource "vault_database_secret_backend_connection" "snowflake" {
10   backend       = var.sfdb_backend_path
11   name          = var.dbname
12   allowed_roles = ["*"]
13
14   snowflake {
15     connection_url = "${var.vaultuser}:${var.vaultuser_password}@${var.sfaccountname}/${var.dbname}"
16   }
17 }
18
19
20 resource "vault_database_secret_backend_role" "role" {
21
22   backend             = var.sfdb_backend_path
23   name                = "myrole"
24   db_name             = vault_database_secret_backend_connection.snowflake.name
25   creation_statements = ["CREATE USER {{name}} RSA_PUBLIC_KEY='{{public_key}}' DAYS_TO_EXPIRY = {{expiration}} DEFAULT_ROLE=myrole; GRANT ROLE myrole TO USER {{name}};"]
26   credential_type     = "rsa_private_key"
27   credential_config = {
28     key_type = "rsa"
29     key_bits = "2048"
30   }
31 }
32
33 # configure a static role with period-based rotations
34 resource "vault_database_secret_backend_static_role" "period_role" {
35
36   backend             = var.sfdb_backend_path
37   name                = "my-static-role"
38   db_name             = vault_database_secret_backend_connection.snowflake.name
39   username            = "myaccount"
40   rotation_period     = var.ttl
41   rotation_statements = ["ALTER USER {{name}} SET RSA_PUBLIC_KEY='{{public_key}}';"]
42   credential_type     = "rsa_private_key"
43   credential_config = {
44     key_type = "rsa"
45     key_bits = "2048"
46   }
47 }
```

```text
│ Error: Unsupported argument
│
│   on modules/snowflake/main.tf line 42, in resource "vault_database_secret_backend_static_role" "period_role":
│   42:   credential_type     = "rsa_private_key"
│
│ An argument named "credential_type" is not expected here.

│ Error: Unsupported argument
│
│   on modules/snowflake/main.tf line 43, in resource "vault_database_secret_backend_static_role" "period_role":
│   43:   credential_config = {
│
│ An argument named "credential_config" is not expected here.
```
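The failure in the first post (the {{public_key}} placeholder rendering empty when credential_type is left at Vault's default) and the static role's rotation_statements in the report above share one root cause, so one added example covers both. It is written for this page and is not code from Vault or terraform-provider-vault: using only Go's standard library it produces the material each credential_type would yield (an RSA key as PKCS#8 PEM, with the public half base64-encoded in the form Snowflake's RSA_PUBLIC_KEY expects), renders the statements, and adds a preflight Validate check that rejects a role whose statements reference {{public_key}} without credential_type="rsa_private_key". The Role and Credential types, the placeholder password and the usernames are constructed for the example; Vault's own template engine and key generation are not reproduced.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"strings"
)

// Role holds the role fields this example cares about. Hypothetical struct
// for illustration, not the provider's or Vault's own schema.
type Role struct {
	CredentialType string   // "" or "password" (Vault's default) or "rsa_private_key"
	KeyBits        int      // credential_config key_bits; 0 means 2048
	Statements     []string // creation_statements or rotation_statements
}

// Credential is what the secrets engine would inject into the statements.
type Credential struct {
	Username   string
	Password   string
	PrivateKey string // PKCS#8 PEM (credential_config format=pkcs8)
	PublicKey  string // base64 PKIX DER, the form Snowflake's RSA_PUBLIC_KEY takes
}

// GenerateCredential produces the material each credential_type yields.
func GenerateCredential(r Role, username string) (Credential, error) {
	c := Credential{Username: username}
	switch r.CredentialType {
	case "", "password":
		c.Password = "constructed-random-password" // constructed; Vault generates a random one
		return c, nil
	case "rsa_private_key":
		bits := r.KeyBits
		if bits == 0 {
			bits = 2048
		}
		key, err := rsa.GenerateKey(rand.Reader, bits)
		if err != nil {
			return c, err
		}
		priv, err := x509.MarshalPKCS8PrivateKey(key)
		if err != nil {
			return c, err
		}
		c.PrivateKey = string(pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: priv}))
		pub, err := x509.MarshalPKIXPublicKey(&key.PublicKey)
		if err != nil {
			return c, err
		}
		c.PublicKey = base64.StdEncoding.EncodeToString(pub)
		return c, nil
	}
	return c, fmt.Errorf("unsupported credential_type %q", r.CredentialType)
}

// Render fills the {{name}}, {{public_key}}, {{password}} and {{expiration}}
// placeholders. With a password credential {{public_key}} renders as empty,
// which is the RSA_PUBLIC_KEY='' that Snowflake rejects as 'Invalid public key'.
func Render(stmts []string, c Credential, expirationDays int) []string {
	repl := strings.NewReplacer(
		"{{name}}", c.Username,
		"{{public_key}}", c.PublicKey,
		"{{password}}", c.Password,
		"{{expiration}}", fmt.Sprint(expirationDays),
	)
	out := make([]string, 0, len(stmts))
	for _, s := range stmts {
		out = append(out, repl.Replace(s))
	}
	return out
}

// Validate is a preflight check to run before applying a role: any statement
// that references {{public_key}} needs credential_type=rsa_private_key.
func Validate(r Role) error {
	for _, s := range r.Statements {
		if strings.Contains(s, "{{public_key}}") && r.CredentialType != "rsa_private_key" {
			return fmt.Errorf("statement %q uses {{public_key}} but credential_type is %q; set credential_type=rsa_private_key", s, r.CredentialType)
		}
	}
	return nil
}

func main() {
	stmts := []string{`CREATE USER "{{name}}" RSA_PUBLIC_KEY='{{public_key}}' DAYS_TO_EXPIRY = {{expiration}};`}
	broken := Role{Statements: stmts} // credential_type omitted, as in the Terraform resource
	fmt.Println("validate (no credential_type):", Validate(broken))
	c, _ := GenerateCredential(broken, "SOME_SERVICE_abc123") // constructed username
	fmt.Println(Render(stmts, c, 1)[0])                       // RSA_PUBLIC_KEY='' -> rejected

	fixed := Role{CredentialType: "rsa_private_key", KeyBits: 2048, Statements: stmts}
	fmt.Println("validate (rsa_private_key):", Validate(fixed))
	c, err := GenerateCredential(fixed, "SOME_SERVICE_abc123")
	if err != nil {
		panic(err)
	}
	fmt.Println(Render(stmts, c, 1)[0][:60], "...")
}
```

Validate is the piece worth keeping: a role whose creation or rotation statements mention {{public_key}} but whose credential_type is not rsa_private_key will always fail at read or rotation time with the 'Invalid public key' error, so catching the mismatch before the role is written is cheaper than discovering it from a 500.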

fairclothjm (Contributor) commented

@jhfeng Thanks for the information! Yes, it looks like vault_database_secret_backend_static_role does not currently support credential_type. We don't have anything on the roadmap for adding that at the moment but it shouldn't be too much of a lift if anyone is interested in contributing a PR.

catouc linked a pull request Dec 19, 2024 that will close this issue
@jhughes-naic

Is there any ongoing work to address this issue? Snowflake will be removing single-factor password authentication in November 2025. Currently, Vault static roles only support passwords. We need to implement a key pair option.

https://www.snowflake.com/en/blog/blocking-single-factor-password-authentification/
