Vault Snowflake Plugin

Hello Awesome People,

Fairly new to Vault and I am trying to set up a test to be able to generate short-lived credentials on Snowflake, following this tutorial: Snowflake - Database - Secrets Engines | Vault by HashiCorp

However, I keep getting this: error creating database object: unable to parse connection url

This is my command:

$ vault write database/config/cd-snowflake-db plugin_name="snowflake-database-plugin" allowed_roles="read-only" connection_url="{{username}}:{{password}}@012345.us-west-2.amazon/some-db" username="some_username" password="some_password"

I also tried using this connection_url="{{username}}:{{password}}@012345.snowflakecomputing.com/some-db" but got the same error. The thing is that when I go to the Snowflake login and use those credentials I can log in without any issues, so I know the username/password work fine. What connection_url should I be using then?

Thank you so much

You may want to ask around to see if AWS has modified their snowflake enough that it isn’t going to work with the plugin. It doesn’t actually say what vendors are supported so if they wrapped something around the database for authentication it may not work as expected.

Otherwise, you can skip the variable replacement for testing purposes:

$ vault write database/config/my-snowflake-database \
    plugin_name=snowflake-database-plugin \
    allowed_roles="read-only" \
    connection_url="vaultuser:vaultpass@ecxxxx.west-us-2.azure/db_name"

See if it’s something to do with the variables or something else. DO NOT leave this in your configuration, it should only be used for testing purposes.

Thanks Aram. I tried passing in the username:password but still got the connection parse error, so not sure what’s going on, but I reached out to Snowflake to see what they say :man_shrugging:

However, the documentation in Vault doesn’t say anything about configuring Snowflake or anything like that so you would think it’s an easy setup.

I got a little further on this and now I get the following:

$ vault write database/config/cd-snowflake-db plugin_name="snowflake-database-plugin" allowed_roles="snowflake-role" connection_url="{{username}}:{{password}}@abc1234.snowflakecomputing.com/devops_db" username="some_username" password="some_password"

Error writing data to database/config/cd-snowflake-db: Error making API request.

URL: PUT http://0.0.0.0:8200/v1/database/config/cd-snowflake-db
Code: 400. Errors:

* error creating database object: error verifying connection: 390102 (08004): User temporarily locked. Try again later, or contact your local system administrator.

Now, what is interesting is that when I log in to Snowflake I do see that the user “some_username” is locked out, so I manually unlock that username, but when I use those same credentials I am able to log in to the Snowflake Web UI in another browser :man_shrugging:
I am totally confused but maybe I have to pass something else perhaps?

The plugin’s source code is on GitHub; I don’t see any “extra” parameters: vault-plugin-database-snowflake/snowflake.go at main · hashicorp/vault-plugin-database-snowflake · GitHub.

Have you set your vault logging to debug to see if it pops any extra messages out during the plugin init?

Hey Aram

I ditched Docker 'cause I thought it was something related to Docker/Vault and set up Vault Cloud and again seeing the same error. It’s an Authentication issue but again that same username:password work in Snowflake’s Web Login :man_shrugging:

I went back to Docker since it’s clearly not a Docker issue and all I see in the logs is this:

time="2022-05-13T20:17:11Z" level=error msg="Authentication FAILED" func="gosnowflake.(*defaultLogger).Errorln" file="log.go:240"

Sorry not at all familiar where I can read more into this log. Thanks I appreciate your help though.

Hey @aram I was working with Snowflake and we figured it out. It was due to the password that has symbols/special characters in it, and it was translated by the connector driver incorrectly. I changed the password to something very easy and it worked so I’ll need to figure out how to pass in these long alphanumeric and special characters password when writing my config.

set log_

See the Server configuration file
You want to set it to DEBUG while you’re testing.

You’re probably not on the latest version, so my guess is that it’s actually on line 246, not 204… and it’s during the authentication (obviously): vault-plugin-database-snowflake/snowflake.go at 0bb6307fe8266aaa1c5ab3ca025699c8a1e33461 · hashicorp/vault-plugin-database-snowflake · GitHub

It’s just expecting 3 variables, name (db name?), username, password.

I don’t see any other logging around it so I doubt setting Vault to debug would gain anything more. You may just have to open a case in github.

Thanks @aram! I got it working finally but the password policy is very picky. I’m reading how I can pass in a more complex password to that config now but I think this particular issue has been resolved. Thanks :slight_smile:

I’m sorry you had this trouble. Did you see this documentation section on character escaping behavior? Let us know if there’s something that could be improved with the documentation.


I did not @jbayer but I will definitely check this out and fix my config! Thanks a lot :slight_smile:

And just like that I got my super complex password to work! Thanks a lot @jbayer, much appreciated.
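The thread resolves around special characters in the password being misread when substituted into the `user:password@account/db` connection URL. The following is an added example, not code from the thread, Vault, or the Snowflake driver: it percent-encodes the credential parts before building that DSN, parses it back with a deliberately simplified splitter (last `@`, first `:`, first `/`, credentials percent-decoded; an assumption, not the real driver's parser), and flags which characters are unsafe to write raw.

```python
"""Added example (not code from the thread, Vault or the Snowflake driver).
It builds the DSN shape the plugin fills in, user:password@account/db,
percent-encodes the credential parts, and parses the result back with a
simplified splitter that models only the delimiters visible in that shape
(last '@', first ':', first '/') plus percent-decoding of the credentials."""
from urllib.parse import quote, unquote

# Delimiters in the DSN shape; any of these raw inside a credential is unsafe.
DELIMITERS = ":@/?%"


def encode_credential(value: str) -> str:
    # safe="" percent-encodes every reserved character, including ':' '@' '/' '%'.
    return quote(value, safe="")


def build_dsn(username: str, password: str, account: str, database: str) -> str:
    return (f"{encode_credential(username)}:{encode_credential(password)}"
            f"@{account}/{database}")


def parse_dsn(dsn: str) -> dict:
    """Simplified model of the driver's parse (assumption, not the real parser):
    credentials end at the last '@', user/password split at the first ':',
    account/database split at the first '/', credentials percent-decoded."""
    at = dsn.rfind("@")
    if at < 0 or ":" not in dsn[:at] or "/" not in dsn[at + 1:]:
        raise ValueError("unable to parse connection url")
    user, password = dsn[:at].split(":", 1)
    account, database = dsn[at + 1:].split("/", 1)
    return {"username": unquote(user), "password": unquote(password),
            "account": account, "database": database}


def round_trips(username: str, password: str, account: str, database: str) -> bool:
    """True when the encoded DSN parses back to exactly the inputs."""
    parsed = parse_dsn(build_dsn(username, password, account, database))
    return parsed == {"username": username, "password": password,
                      "account": account, "database": database}


def unsafe_raw(credential: str) -> list:
    """Delimiter characters that would be misread if the credential were
    placed in the DSN without encoding (constructed check, not a driver API)."""
    return sorted({c for c in credential if c in DELIMITERS})
```

Run `unsafe_raw()` on a candidate password before writing the config; an empty list means it can be written as-is, anything else means the encoded form from `build_dsn()` is the one to use.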