Open bglusman opened 1 month ago
@bglusman are you able to use priv_key
? It is very similar to password-based auth but easier to rotate since Snowflake supports two keys. This is what we use in production.
To create a key:
openssl genrsa 2048 | openssl pkcs8 -topk8 -inform PEM -out snowflake-key.p8 -nocrypt
openssl rsa -in snowflake-key.p8 -pubout -out snowflake-key.pub
Update your Snowflake user setting the value of rsa_public_key
to the contents of the snowflake-key.pub
key. You need to remove all the newlines.
Then in avalanche, you set token
to something like this:
token: [
account: "my-account",
user: "my-user",
priv_key: "contents of the snowflake-key.p8 file"
]
This is what the team and I use locally with avalanche (we use it in livebook over snowflex at present since much easier dependencies), but at the moment the team that maintains snowflake isn't comfortable setting this up for production for reasons not totally clear to me. They are looking into oAuth though, but wanted to at least discuss user/pass based auth as well.
I would not recommend OAuth for production as tokens expire. Great for local development with short-lived tokens (8 hrs).
priv_key is more secure that passwords and it is possible to rotate without downtime.
If this really won't work for you, I'm open to PRs to add password based auth. I think you can add something like:
token: [
user: "my-user",
password: "pass"
]
RIght, if we were doing oAuth we'd probably fetch a new token via a client before every request or something, but no idea if that's practical/clean or not, never done oAuth in the background like that without user interaction that I recall.... anyway, I guess I'll try and look into adding support via token at some point, hopefully not huge effort, just wanted your input first.
Is your feature request related to a problem? Please describe. I can see why you might prefer not to support basic user/password auth, but it's what we currently use in production, and changing may have some difficulty... we can probably change to OAuth with some support from another team, but being depdendent on them, and on doing oAuth client integration are both some work, and having ability to use same credentials/auth mechanism with this library or with snowflex, out current library, would be a nice-to-have
Describe the solution you'd like I guess either
token
would no longer be required for request, or token would gain support foruid
andpwd
keys?Describe alternatives you've considered OAuth, Private key based auth are all I think Avalanche currently supports.
Additional context Not necessarily looking for you to implement this @forest (though if you want to, it's welcome), but, considering the order of operations of switching to avalanche, between this issue, desire in other issue for streaming support, and thought I'd at least raise the issue to get thoughts before deciding path forward.