
[General Usage]: Question: provider login integration with Azure Active Directory #3206

Open
toni-moreno opened this issue Nov 18, 2024 · 4 comments
Assignees
Labels
general-usage General help/usage questions

Comments

@toni-moreno

Terraform CLI Version

1.5.0

Terraform Provider Version

0.85.0

Company Name

Can not put here sorry.

Terraform Configuration

We are working with terraform authenticating with snowflake with a local user and password (generated as environment vars before execution is done), but our security team is requesting us to integrate our terraform configurations with a service account provided from Azure AD. (We also have snowflake authentication integrated with Azure AD SSO, but for interactive login.)

I'm reviewing the authenticator information here (https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs#authenticator-2), and I can see that we can use a lot of different authentication modes.

Question:

Which authenticator would be better to integrate with AzureAD in a non-interactive way (no people will be there to write a password)? Is there any example anywhere to see how to configure it this way?

Category

category:provider_config

Object type(s)

No response

Expected Behavior

something like that.

export SNOWFLAKE_USER="[email protected]"
export SNOWFLAKE_PASSWORD="<my_service_account_password>"

Actual Behavior

export SNOWFLAKE_USER="local_user"
export SNOWFLAKE_PASSWORD="local_password"

Steps to Reproduce

No way to reproduce.

How much impact is this issue causing?

Medium

Logs

No response

Additional Information

No response

@toni-moreno toni-moreno added the general-usage General help/usage questions label Nov 18, 2024
@sfc-gh-jcieslak
Collaborator

Hey @toni-moreno
For the most tested and basic non-interactive authentication method, we recommend authenticating by using a private key (here). If using AzureAD is a must, then most likely OAuth is your only way (here).
cc: @sfc-gh-jmichalak

@sfc-gh-jcieslak sfc-gh-jcieslak self-assigned this Nov 19, 2024
@sfc-gh-jmichalak
Collaborator

That's correct with one caveat: private_key_path is currently deprecated and private_key should be used instead, optionally with the file function. We'll update the linked documentation.

Please also read https://docs.snowflake.com/en/user-guide/oauth-azure

@toni-moreno
Author

Thank you @sfc-gh-jcieslak and @sfc-gh-jmichalak for the fast response.

@sfc-gh-jcieslak if I can not justify a better (secure) way to login, AzureAD will be a must. I've reviewed the documentation and I have some doubts on how to implement this authentication method in our terraform scripts. (I'm a bit ignorant on oauth for automation tools.)

  1. It seems the only way to have a login of more than 10 minutes is to configure an oauth refresh token; do you know how to query the needed parameters on my snowflake account?

  2. Reviewing how oauth works here, it seems like this authentication way will need user interaction, but we need a way to automate our snowflake platform in a non-interactive way. Could you confirm to us that Oauth could be non-interactive?

thank you very much.

@sfc-gh-jcieslak
Collaborator

sfc-gh-jcieslak commented Nov 20, 2024

Hey
Ref 1: Could you elaborate a bit? I'm not sure what you are referring to by saying "snowflake account needed parameters". Afaik 10 minutes is a limitation of Snowflake built-in OAuth solutions, not external ones (@sfc-gh-jmichalak I guess we should adjust the documentation). I'm guessing this could be adjusted on the AzureAD level, but I'm not sure. Here it says the max lifetime can be extended to a day, which is a sufficient limit to run big configurations.
Ref 2: By reading https://docs.snowflake.com/en/user-guide/oauth-azure I'm seeing some of the points mentioning programmatic access. I'm guessing in Azure you can create an application that would be your terraform service user that wouldn't require any manual confirmation on every action, but I'm also not an Azure expert. Snowflake documentation is also mentioning that those solutions should only be used for non-production environments :/. By using key-pair authentication you would be able to make auth fully non-interactive. We haven't yet explored different OAuth authentications, so our knowledge is also pretty limited in that regard.
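As an added example (not code from this issue, the provider project, or its maintainers), the two non-interactive configurations the thread points to, written as provider blocks: key-pair with the non-deprecated `private_key` attribute fed by `file()`, and an externally obtained OAuth token. The variable names and the `"OAUTH"`/`token` attribute values are assumptions for illustration; check them against the authenticator docs linked above for your provider version.

```hcl
terraform {
  required_providers {
    snowflake = {
      source  = "Snowflake-Labs/snowflake"
      version = "0.85.0"
    }
  }
}

# Assumed variable names; the secret-bearing ones are marked sensitive so
# Terraform redacts them from plan/apply output.
variable "snowflake_account" { type = string }
variable "snowflake_user" { type = string }
variable "snowflake_private_key_path" { type = string }
variable "snowflake_oauth_token" {
  type      = string
  sensitive = true
}

# Key-pair authentication: the fully non-interactive option the maintainers
# recommend. The PEM contents are read with file() and passed via private_key;
# the deprecated private_key_path attribute is shown only for contrast.
provider "snowflake" {
  alias   = "keypair"
  account = var.snowflake_account
  user    = var.snowflake_user
  # private_key_path = var.snowflake_private_key_path   # deprecated form
  private_key = file(var.snowflake_private_key_path)
}

# External OAuth (Azure AD) alternative: the access token is obtained outside
# Terraform (e.g. by the CI runner from Azure AD) and injected as a variable,
# so its lifetime is bounded by the Azure AD token policy, not by Terraform.
provider "snowflake" {
  alias         = "oauth"
  account       = var.snowflake_account
  user          = var.snowflake_user
  authenticator = "OAUTH"
  token         = var.snowflake_oauth_token
}
```

Resources then select one of the two with `provider = snowflake.keypair` or `provider = snowflake.oauth`; with aliases, neither block is the default provider.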
