Closed vinodseshadri closed 1 week ago
hi - thanks for raising this issue. neither the configuration, nor the error message looks right here.
the driver should not even try to go to the public OCSP Cache Server (ocsp.snowflakecomputing.com) if the connection configuration is correct. That's the whole idea behind private link - traffic does not go to any public endpoint.
can you please try the following:
- lose the region from your configuration, only use account = "xxxxx.us-east-1.privatelink",
- make double sure that the accountname.us-east-1.privatelink.snowflakecomputing.com hostname actually resolves to the VPCE IP(s) when doing a dig, host, nslookup, etc. from the host you're running the PythonConnector. This is important. This hostname should not resolve to the public LB IP's. If it does, you have a DNS configuration problem.
- lose the region from your configuration, only use account = "xxxxx.us-east-1.privatelink",
Still fails. Based on what is present in construct_hostname I believe it shouldn't matter.
- make double sure that the accountname.us-east-1.privatelink.snowflakecomputing.com hostname actually resolves to the VPCE IP(s) when doing a dig, host, nslookup, etc. from the host you're running the PythonConnector. This is important. This hostname should not resolve to the public LB IP's. If it does, you have a DNS configuration problem.
Yes it does resolve to internal AWS VPCE IPs
- if it still does not work, please use the logging suggested here and share the full logs (of course account, JWT, other sensitive data sanitized). If you don't want to share it here publicly, you can raise a Support Case to work 1:1 with a Support Engineer.
I am not sure if I could do that. But would try raising a support ticket.
But I do believe the issue is in the python SDK since SYSTEM$ALLOWLIST_PRIVATELINK gives back the right ocsp (the one with the private link) and I can access that with curl with no issues.
BTW if I give host name as part of sf.connect to xxxxx.us-east-1.privatelink.snowflakecomputing.com it works fine.
thank you for testing. I strongly suggest continuing this in a Support Case because we will definitely need logs.
Many of our users use the Python Connector successfully in the private link setup so we'll need to figure out what is different in your case and logs are essential for that. I understand those can't be shared here, that's no problem. Thank you in advance! (closing this one out in favour of the Support Case but still will monitor this ticket so if anything comes up, do comment please)
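Added example, not part of the thread or the connector's own code: a small Python check for the two things discussed above, whether the privatelink hostname resolves only to private addresses and whether the debug log shows requests to a host without a privatelink label. The sample log lines are constructed, the hostname is the placeholder used in the thread, and treating "private" as Python's `ipaddress.is_private` is an assumption about how the VPC is addressed.

```python
import ipaddress
import re
import socket
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s'\"]+")

# Constructed sample lines; the first is modelled on the one in the issue.
SAMPLE_LOG = [
    "DEBUG:snowflake.connector.ocsp_snowflake: Failed to get OCSP response "
    "cache from http://ocsp.snowflakecomputing.com/ocsp_response_cache.json",
    "DEBUG:example: GET https://xxxxx.us-east-1.privatelink."
    "snowflakecomputing.com:443/session/v1/login-request",
]


def resolve(hostname, port=443):
    """Resolve with the system resolver, the same path the connector uses."""
    infos = socket.getaddrinfo(hostname, port, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def public_addresses(addresses):
    """Return the addresses that fall outside private ranges.

    Assumption: the VPC endpoint IPs sit in RFC 1918 / private space.
    """
    return [a for a in addresses if not ipaddress.ip_address(a).is_private]


def non_privatelink_urls(log_lines):
    """Return URLs in the log whose host has no 'privatelink' DNS label."""
    hits = []
    for line in log_lines:
        for url in URL_RE.findall(line):
            host = urlparse(url).hostname or ""
            if "privatelink" not in host.split("."):
                hits.append(url)
    return hits


if __name__ == "__main__":
    host = "xxxxx.us-east-1.privatelink.snowflakecomputing.com"  # placeholder
    try:
        addrs = resolve(host)
        print(host, "->", addrs, "public:", public_addresses(addrs))
    except socket.gaierror as exc:
        print("resolution failed:", exc)
    print("non-privatelink URLs in log:", non_privatelink_urls(SAMPLE_LOG))
```

Run it from the same host as the connector; any entry in the public list or in the non-privatelink URL list points at the DNS or configuration problem described in the thread.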
Python version
Python 3.10.12
Operating system and processor architecture
Linux-5.10.215-203.850.amzn2.x86_64-x86_64-with-glibc2.26
Installed packages
What did you do?
What did you expect to see?
Expected
Connection created successfully.
Actual
Instead it timed out with
JWT token
Debug Logs result In the debug logs, the below can be seen
DEBUG:snowflake.connector.ocsp_snowflake: Failed to get OCSP response cache from http://oscp.snowflakecomputing.com/ocsp_response_cache.json
Can you set logging to DEBUG and collect the logs?