hashicorp / terraform-provider-vault

Terraform Vault provider
https://www.terraform.io/docs/providers/vault/
Mozilla Public License 2.0

terraform cannot provision snowflake secret engine role with credential_type="rsa_public_key" #1585

Open breathe opened 2 years ago

breathe commented 2 years ago

Apologies if I misuse some terraform nomenclature as I consume terraform-provider-vault via pulumi. But from what I can tell it's not possible to provision a snowflake secret engine role with credential_type="rsa_public_key" from terraform.

The snowflake secrets engine supports configuration options for creating rsa based authentication which, from what I can tell, cannot be specified when provisioning a vault_database_secret_backend_role using the snowflake secrets engine.

In particular, in order to provision users with rsa_private_key auth rather than password auth, the role needs to be created with credential_type="rsa_private_key" -- without specifying that parameter the vault secrets engine doesn't pass an appropriate value for the {{public_key}} template parameter when rendering the creation statements and an error like this is produced when attempting to read the secret ...

ncohen@m1-max-toast ~/f/o/i/a/secrets (main)> vault read dev_us_snowflake/creds/SOME_SERVICE
Error reading dev_us_snowflake/creds/SOME_SERVICE: Error making API request.

URL: GET https://vault.somewhere.net/v1/dev_us_snowflake/creds/SOME_SERVICE
Code: 500. Errors:

* 1 error occurred:
    * 003065 (42601): SQL execution error:
New public key rejected by current policy. Reason: 'Invalid public key'

I'm able to make the above command succeed if I manually provision the role with a command like this:

vault write dev_us_snowflake/roles/SOME_SERVICE \
    db_name=snowflake-connection \
    creation_statements="CREATE USER \"{{name}}\" RSA_PUBLIC_KEY='{{public_key}}'
    DAYS_TO_EXPIRY = {{expiration}} DEFAULT_ROLE= SOME_SERVICE_ROLE_DEV;
    GRANT ROLE SOME_SERVICE_ROLE_DEV TO USER \"{{name}}\";" \
    credential_type="rsa_private_key" \
    credential_config=key_bits=2048 \
    default_ttl="1h" \
    max_ttl="1h" \
    credential_config=format="pkcs8"

But the equivalent terraform version of the above will fail because there is no way to specify credential_type. (Nor, I believe, is there a way to specify any other credential_config settings -- but that is less important.)


jhfeng commented 11 months ago

I'm getting the same error today. Does anyone know whether this issue has a solution or not?

fairclothjm commented 11 months ago

@jhfeng @breathe Hello, sorry you are having trouble.

Have you tried setting the credential_type field on the database_secret_backend_role?

If this isn't working, can you please provide the terraform config to reproduce the issue and any relevant logs or errors? Thanks!

jhfeng commented 11 months ago

@fairclothjm I tested database_secret_backend_role; that seems to work. The problem is only with the static role. Here's the code and error:

     1  terraform {
     2    required_providers {
     3      vault = {
     4        source = "hashicorp/vault"
     5      }
     6    }
     7  }
     8
     9  resource "vault_database_secret_backend_connection" "snowflake" {
    10    backend       = var.sfdb_backend_path
    11    name          = var.dbname
    12    allowed_roles = ["*"]
    13
    14    snowflake {
    15      connection_url = "${var.vaultuser}:${var.vaultuser_password}@${var.sfaccountname}/${var.dbname}"
    16    }
    17  }
    18
    19
    20  resource "vault_database_secret_backend_role" "role" {
    21
    22    backend             = var.sfdb_backend_path
    23    name                = "myrole"
    24    db_name             = vault_database_secret_backend_connection.snowflake.name
    25    creation_statements = ["CREATE USER {{name}} RSA_PUBLIC_KEY='{{public_key}}' DAYS_TO_EXPIRY = {{expiration}} DEFAULT_ROLE=myrole; GRANT ROLE myrole TO USER {{name}};"]
    26    credential_type     = "rsa_private_key"
    27    credential_config = {
    28      key_type = "rsa"
    29      key_bits = "2048"
    30    }
    31  }
    32
    33  # configure a static role with period-based rotations
    34  resource "vault_database_secret_backend_static_role" "period_role" {
    35
    36    backend             = var.sfdb_backend_path
    37    name                = "my-static-role"
    38    db_name             = vault_database_secret_backend_connection.snowflake.name
    39    username            = "myaccount"
    40    rotation_period     = var.ttl
    41    rotation_statements = ["ALTER USER {{name}} SET RSA_PUBLIC_KEY='{{public_key}}';"]
    42    credential_type     = "rsa_private_key"
    43    credential_config = {
    44      key_type = "rsa"
    45      key_bits = "2048"
    46    }
    47  }

    ╷
    │ Error: Unsupported argument
    │
    │   on modules/snowflake/main.tf line 42, in resource "vault_database_secret_backend_static_role" "period_role":
    │   42:   credential_type = "rsa_private_key"
    │
    │ An argument named "credential_type" is not expected here.
    ╵
    ╷
    │ Error: Unsupported argument
    │
    │   on modules/snowflake/main.tf line 43, in resource "vault_database_secret_backend_static_role" "period_role":
    │   43:   credential_config = {
    │
    │ An argument named "credential_config" is not expected here.
    ╵

fairclothjm commented 11 months ago

@jhfeng Thanks for the information! Yes, it looks like vault_database_secret_backend_static_role does not currently support credential_type. We don't have anything on the roadmap for adding that at the moment but it shouldn't be too much of a lift if anyone is interested in contributing a PR.