Error: 260002: password is empty #2133

Closed
jifeous opened this issue Oct 18, 2023 · 19 comments · Fixed by #2170
Labels
bug Used to mark issues with provider's incorrect behavior category:provider_config

Comments

@jifeous

jifeous commented Oct 18, 2023

Provider Version
0.74.0

Terraform Version
Terraform v1.6.1
on windows_amd64

  • provider registry.terraform.io/hashicorp/aws v5.21.0
  • provider registry.terraform.io/snowflake-labs/snowflake v0.74.0

Describe the bug
Snowflake provider error after update to 0.74.0 from 0.73.0. Using private key with no password, seems that the provider requires a password and is failing now.

│ Error: 260002: password is empty

│ with provider["registry.terraform.io/snowflake-labs/snowflake"],
│ on provider.tf line 29, in provider "snowflake":
│ 29: provider "snowflake" {

Expected behavior
No error

@jifeous jifeous added the bug Used to mark issues with provider's incorrect behavior label Oct 18, 2023
@DamienLesage

I tried to add back the authentication method that seemed to have been removed, hoping it would solve the issue:

provider "snowflake" {
   ...
   authenticator    = "JWT"
}

Unfortunately, it didn't work and I had the following error:

│ Error: Request cancelled
│ 
│   with provider["registry.terraform.io/snowflake-labs/snowflake"],
│   on provider.tf line 27, in provider "snowflake":
│   27: provider "snowflake" {
│ 
│ The plugin.(*GRPCProvider).ConfigureProvider request was cancelled.
╵
Stack trace from the terraform-provider-snowflake_v0.74.0 plugin:
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x1347f58]
goroutine 67 [running]:
crypto/rsa.(*PrivateKey).Public(...)
	crypto/rsa/rsa.go:123
github.com/snowflakedb/gosnowflake.prepareJWTToken(0xc000c0e5a0)
	github.com/snowflakedb/[email protected]/auth.go:460 +0x38
github.com/snowflakedb/gosnowflake.createRequestBody(0xc0000308a0, 0xc000c12550?, {{0xc000c301c2, 0x1c}, {0x1c8870d, 0x5}, {0xc0005544a0, 0x8}, {0x1c988f3, 0x9}}, ...)
	github.com/snowflakedb/[email protected]/auth.go:423 +0x429
github.com/snowflakedb/gosnowflake.authenticate.func1()
	github.com/snowflakedb/[email protected]/auth.go:334 +0x6d
github.com/snowflakedb/gosnowflake.(*retryHTTP).execute(0xc000c06108)
	github.com/snowflakedb/[email protected]/retry.go:285 +0x207
github.com/snowflakedb/gosnowflake.postAuthRestful({0x1fb9f10?, 0xc000056088?}, 0x19?, 0xc000c12520?, 0x197ddc0?, 0x30?, 0xc000088400?, 0x30?)
	github.com/snowflakedb/[email protected]/restful.go:198 +0xec
github.com/snowflakedb/gosnowflake.postAuth({0x1fb9f10, 0xc000056088}, 0xc000ba5790, 0x22?, 0xc000ba0c08, 0x0?, 0x0?, 0x0?)
	github.com/snowflakedb/[email protected]/auth.go:229 +0x346
github.com/snowflakedb/gosnowflake.authenticate({0x1fb9f10, 0xc000056088}, 0xc0000308a0, {0x0, 0x0, 0x0}, {0x0, 0x0, 0x0})
	github.com/snowflakedb/[email protected]/auth.go:354 +0xf08
github.com/snowflakedb/gosnowflake.authenticateWithConfig(0xc0000308a0)
	github.com/snowflakedb/[email protected]/auth.go:545 +0x36c
github.com/snowflakedb/gosnowflake.SnowflakeDriver.OpenWithConfig({}, {_, _}, {{0xc000c30189, 0x7}, {0xc000c30180, 0x7}, {0xc000c30180, 0x0}, {0x0, ...}, ...})
	github.com/snowflakedb/[email protected]/driver.go:43 +0x15e
github.com/snowflakedb/gosnowflake.SnowflakeDriver.Open({}, {0xc000c30180, 0xbc})
	github.com/snowflakedb/[email protected]/driver.go:26 +0x127
github.com/luna-duclos/instrumentedsql.dsnConnector.Connect(...)
	github.com/luna-duclos/[email protected]/connector.go:53
github.com/luna-duclos/instrumentedsql.wrappedConnector.Connect({{{0x1fa51e0, 0x1d93598}, {0x1fa5240, 0x2d09e48}, 0x0, 0x0}, {0x1fb10c0, 0xc000b899e0}, 0xc000029ac0}, {0x1fb9f10, ...})
	github.com/luna-duclos/[email protected]/connector.go:33 +0x204
database/sql.(*DB).conn(0xc000ba56c0, {0x1fb9f10, 0xc000056080}, 0x1)
	database/sql/sql.go:1387 +0x763
database/sql.(*DB).PingContext.func1(0x30?)
	database/sql/sql.go:850 +0x45
database/sql.(*DB).retry(0x0?, 0xc000c07038)
	database/sql/sql.go:1538 +0x47
database/sql.(*DB).PingContext(0xc000ba56c0, {0x1fb9f10, 0xc000056080})
	database/sql/sql.go:849 +0x98
database/sql.(*DB).Ping(...)
	database/sql/sql.go:867
github.com/jmoiron/sqlx.Connect({0x1cc7293?, 0x16?}, {0xc000c30180?, 0xc000029a80?})
	github.com/jmoiron/[email protected]/sqlx.go:642 +0x4a
github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/sdk.NewClient(0xc000bb01c0?)
	github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/sdk/client.go:99 +0x232
github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/provider.ConfigureProvider(0x1c8b8e3?)
	github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/provider/provider.go:756 +0x1939
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Provider).Configure(0xc0007698c0, {0x1fb9f80, 0xc000bf4720}, 0xd?)
	github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/provider.go:290 +0x18f
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*GRPCProviderServer).ConfigureProvider(0xc0008dded8, {0x1fb9f80?, 0xc000bcf920?}, 0xc0000328d0)
	github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/grpc_provider.go:593 +0x345
github.com/hashicorp/terraform-plugin-go/tfprotov5/tf5server.(*server).Configure(0xc0006a9e00, {0x1fb9f80?, 0xc000bcf0e0?}, 0xc0000295c0)
	github.com/hashicorp/[email protected]/tfprotov5/tf5server/server.go:597 +0x2d3
github.com/hashicorp/terraform-plugin-go/tfprotov5/internal/tfplugin5._Provider_Configure_Handler({0x1c16380?, 0xc0006a9e00}, {0x1fb9f80, 0xc000bcf0e0}, 0xc000b967e0, 0x0)
	github.com/hashicorp/[email protected]/tfprotov5/internal/tfplugin5/tfplugin5_grpc.pb.go:413 +0x170
google.golang.org/grpc.(*Server).processUnaryRPC(0xc0005694a0, {0x1fc9c00, 0xc000199040}, 0xc000bb38c0, 0xc0007749c0, 0x2cc4510, 0x0)
	google.golang.org/[email protected]/server.go:1376 +0xdd2
google.golang.org/grpc.(*Server).handleStream(0xc0005694a0, {0x1fc9c00, 0xc000199040}, 0xc000bb38c0, 0x0)
	google.golang.org/[email protected]/server.go:1753 +0xa36
google.golang.org/grpc.(*Server).serveStreams.func1.1()
	google.golang.org/[email protected]/server.go:998 +0x98
created by google.golang.org/grpc.(*Server).serveStreams.func1
	google.golang.org/[email protected]/server.go:996 +0x18c
Error: The terraform-provider-snowflake_v0.74.0 plugin crashed!

@simonepm

simonepm commented Oct 26, 2023

Issue still present in 0.75.0.

I see that MergeConfig and EnvConfig do not take profile config.PrivateKey into account for example:

func MergeConfig(baseConfig *gosnowflake.Config, mergeConfig *gosnowflake.Config) *gosnowflake.Config {
	if baseConfig == nil {
		return mergeConfig
	}
	if mergeConfig.Account != "" {
		baseConfig.Account = mergeConfig.Account
	}
	if mergeConfig.User != "" {
		baseConfig.User = mergeConfig.User
	}
	if mergeConfig.Password != "" {
		baseConfig.Password = mergeConfig.Password
	}
	if mergeConfig.Role != "" {
		baseConfig.Role = mergeConfig.Role
	}
	if mergeConfig.Region != "" {
		baseConfig.Region = mergeConfig.Region
	}
	if mergeConfig.Host != "" {
		baseConfig.Host = mergeConfig.Host
	}
	return baseConfig
}

func EnvConfig() *gosnowflake.Config {
	config := &gosnowflake.Config{}
	if account, ok := os.LookupEnv("SNOWFLAKE_ACCOUNT"); ok {
		config.Account = account
	}
	if user, ok := os.LookupEnv("SNOWFLAKE_USER"); ok {
		config.User = user
	}
	if password, ok := os.LookupEnv("SNOWFLAKE_PASSWORD"); ok {
		config.Password = password
	}
	if role, ok := os.LookupEnv("SNOWFLAKE_ROLE"); ok {
		config.Role = role
	}
	if region, ok := os.LookupEnv("SNOWFLAKE_REGION"); ok {
		config.Region = region
	}
	if host, ok := os.LookupEnv("SNOWFLAKE_HOST"); ok {
		config.Host = host
	}
	if warehouse, ok := os.LookupEnv("SNOWFLAKE_WAREHOUSE"); ok {
		config.Warehouse = warehouse
	}
	return config
}
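
The gap described in the comment above, as an added Go illustration that is not part of that comment and not the provider's code: a merge that also carries the authenticator and private key, plus a pre-flight check for the two failures reported in this thread. `Config`, `mergeAuth`, `validateAuth` and `placeholderKey` are hypothetical names; `Config` stands in for the corresponding fields of `gosnowflake.Config`.

```go
package main

import (
	"crypto/rsa"
	"errors"
	"fmt"
)

// Config is a hypothetical stand-in for the credential fields of
// gosnowflake.Config, so the example runs without the driver.
type Config struct {
	Password      string
	Authenticator string          // "" selects password auth, "JWT" key-pair auth
	PrivateKey    *rsa.PrivateKey // nil when no key was supplied
}

// placeholderKey is a constructed sample value; only its presence matters here.
var placeholderKey = &rsa.PrivateKey{}

// mergeAuth overlays the non-empty credential fields of override onto base,
// including the two key-pair fields absent from the MergeConfig quoted above.
func mergeAuth(base, override *Config) *Config {
	if base == nil {
		return override
	}
	if override.Password != "" {
		base.Password = override.Password
	}
	if override.Authenticator != "" {
		base.Authenticator = override.Authenticator
	}
	if override.PrivateKey != nil {
		base.PrivateKey = override.PrivateKey
	}
	return base
}

// validateAuth reports the two states seen in this thread as configuration
// errors before any connection attempt is made.
func validateAuth(c *Config) error {
	if c.Authenticator == "JWT" && c.PrivateKey == nil {
		return errors.New("authenticator is JWT but no private key was loaded")
	}
	if c.Authenticator == "" && c.Password == "" {
		return errors.New("password is empty and authenticator is not JWT")
	}
	return nil
}

func main() {
	cfg := mergeAuth(&Config{}, &Config{Authenticator: "JWT", PrivateKey: placeholderKey})
	fmt.Println(validateAuth(cfg), validateAuth(&Config{Authenticator: "JWT"}))
}
```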

@francescomucio

Can anyone fix this?
We connect to Snowflake using a private key and this is just breaking our CICD pipeline.

I could try to contribute to this, but I will need some guidance

@sfc-gh-swinkler
Collaborator

Hello, sorry for the issue with provider configuration. We are working on a fix and will have this out ASAP. Thank you for your patience.

@gcyu

gcyu commented Nov 3, 2023

Hi @sfc-gh-swinkler thanks for the fix. I am still seeing this issue in v0.75.0. Do you need to recreate the tag or release a new version?

@joscha
Contributor

joscha commented Sep 20, 2024

I seem to be getting this with 0.96.0 when using:

export SNOWFLAKE_USER="snowflake_username"
export SNOWFLAKE_PRIVATE_KEY_PATH="~/.ssh/snowflake_key.p8"
export SNOWFLAKE_PRIVATE_KEY_PASSPHRASE="snowflake_passphrase"

and

provider "snowflake" {
  role  = "ORGADMIN"
  alias = "orgadmin"
  account = "..."
}

There is also a warning about the deprecation of the SNOWFLAKE_PRIVATE_KEY_PATH argument and using file() instead. Possibly related?

I can see in https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/MIGRATION_GUIDE.md#v0730--v0740 that authenticator = "JWT" should fix it but can't seem to make this happen

@sfc-gh-jmichalak
Collaborator

Hi @joscha 👋
This field is deprecated but should work. Please take a look at solutions in another issue, and try using private_key instead of private_key_path.

@joscha
Contributor

joscha commented Sep 20, 2024

> try using private_key instead of private_key_path

I did that, but:

2024-09-20T13:43:47.763+0200 [DEBUG] provider: starting plugin: path=.terraform/providers/registry.opentofu.org/snowflake-labs/snowflake/0.96.0/darwin_arm64/terraform-provider-snowflake_v0.96.0 args=[".terraform/providers/registry.opentofu.org/snowflake-labs/snowflake/0.96.0/darwin_arm64/terraform-provider-snowflake_v0.96.0"]
2024-09-20T13:43:47.766+0200 [DEBUG] provider: plugin started: path=.terraform/providers/registry.opentofu.org/snowflake-labs/snowflake/0.96.0/darwin_arm64/terraform-provider-snowflake_v0.96.0 pid=50709
2024-09-20T13:43:47.766+0200 [DEBUG] provider: waiting for RPC address: path=.terraform/providers/registry.opentofu.org/snowflake-labs/snowflake/0.96.0/darwin_arm64/terraform-provider-snowflake_v0.96.0
2024-09-20T13:43:47.790+0200 [INFO]  provider.terraform-provider-snowflake_v0.96.0: configuring server automatic mTLS: timestamp="2024-09-20T13:43:47.790+0200"
2024-09-20T13:43:47.797+0200 [DEBUG] provider: using plugin: version=6
2024-09-20T13:43:47.797+0200 [DEBUG] provider.terraform-provider-snowflake_v0.96.0: plugin address: address=/var/folders/ym/n59zz1051yb2ls2t67k59mdm0000gn/T/plugin3346491303 network=unix timestamp="2024-09-20T13:43:47.797+0200"
2024-09-20T13:43:47.805+0200 [DEBUG] provider.terraform-provider-snowflake_v0.96.0: 2024/09/20 13:43:47 [DEBUG] No Snowflake config file found, returning empty config: open /Users/joscha/.snowflake/config: no such file or directory
2024-09-20T13:43:47.805+0200 [DEBUG] provider.terraform-provider-snowflake_v0.96.0: 2024/09/20 13:43:47 [DEBUG] Registering snowflake-instrumented driver
2024-09-20T13:43:47.805+0200 [ERROR] provider.terraform-provider-snowflake_v0.96.0: Response contains error diagnostic: tf_rpc=ConfigureProvider @caller=github.com/hashicorp/[email protected]/tfprotov6/internal/diag/diagnostics.go:58 tf_proto_version=6.4 diagnostic_summary="260002: password is empty" tf_provider_addr=registry.terraform.io/Snowflake-Labs/snowflake tf_req_id=f66a1a72-f882-dc07-289c-3f098ef593fc @module=sdk.proto diagnostic_detail="" diagnostic_severity=ERROR timestamp="2024-09-20T13:43:47.805+0200"
2024-09-20T13:43:47.805+0200 [ERROR] vertex "provider[\"registry.opentofu.org/snowflake-labs/snowflake\"].orgadmin" error: 260002: password is empty
╷
│ Error: 260002: password is empty
│
│   with provider["registry.opentofu.org/snowflake-labs/snowflake"].orgadmin,
│   on /Users/joscha/dev/infrastructure/data_warehouse/provider_snowflake.tf line 19, in provider "snowflake":
│   19: provider "snowflake" {

with:

provider "snowflake" {
  role  = "ORGADMIN"
  alias = "orgadmin"
  private_key = file("~/.ssh/my.p8")
  account = "..."
}

SNOWFLAKE_PRIVATE_KEY_PATH is unset, SNOWFLAKE_USER and SNOWFLAKE_PRIVATE_KEY_PASSPHRASE still carry values.

There is a

[DEBUG] No Snowflake config file found, returning empty config: open /Users/joscha/.snowflake/config: no such file or directory

in the above, but I wouldn't think that should stop it from connecting?

@joscha
Contributor

joscha commented Sep 20, 2024

In 0.76.0 the same message says: No Snowflake config file found, falling back to environment variables; 0.96.0 does not mention any fallbacks, unsure if the message changed there or if the problem is elsewhere.

@joscha
Contributor

joscha commented Sep 20, 2024

Even:

provider "snowflake" {
  role  = "ORGADMIN"
  alias = "orgadmin"
  private_key = file("~/.ssh/my.p8")
  private_key_passphrase = var.private_key_passphrase
  account = "..."
}

with the passphrase entered directly to make sure it's not an env issue, yields the same:

2024-09-20T14:10:32.446+0200 [DEBUG] ReferenceTransformer: "provider[\"registry.opentofu.org/snowflake-labs/snowflake\"].orgadmin" references: [var.private_key_passphrase]

2024-09-20T14:10:32.491+0200 [ERROR] provider.terraform-provider-snowflake_v0.96.0: Response contains error diagnostic: @module=sdk.proto diagnostic_severity=ERROR tf_req_id=ed4f3012-ea92-496f-6d6a-fbbe89585c17 tf_rpc=ConfigureProvider diagnostic_detail="" diagnostic_summary="260002: password is empty" tf_proto_version=6.4 tf_provider_addr=registry.terraform.io/Snowflake-Labs/snowflake @caller=github.com/hashicorp/[email protected]/tfprotov6/internal/diag/diagnostics.go:58 timestamp="2024-09-20T14:10:32.491+0200"
2024-09-20T14:10:32.491+0200 [ERROR] vertex "provider[\"registry.opentofu.org/snowflake-labs/snowflake\"].orgadmin" error: 260002: password is empty
╷
│ Error: 260002: password is empty
│
│   with provider["registry.opentofu.org/snowflake-labs/snowflake"].orgadmin,
│   on /Users/joscha/dev/infrastructure/data_warehouse/provider_snowflake.tf line 19, in provider "snowflake":
│   19: provider "snowflake" {

@sfc-gh-jcieslak
Collaborator

Hey @joscha 👋
You can take a look at this: https://quickstarts.snowflake.com/guide/terraforming_snowflake/index.html#0 I believe your config may work now, but mentioned authenticator = "JWT" is missing.

@joscha
Contributor

joscha commented Sep 20, 2024

> but mentioned authenticator = "JWT" is missing.

Yes, I saw, but adding that consistently yields:

│ Error: open snowflake connection: 390144 (08004): JWT token is invalid. [8e4343f-4172-4b1a-a83b-79691d587503]
│
│   with provider["registry.opentofu.org/snowflake-labs/snowflake"].orgadmin,
│   on /Users/joscha/dev/infrastructure/data_warehouse/provider_snowflake.tf line 19, in provider "snowflake":
│   19: provider "snowflake" {

^ this is with:

provider "snowflake" {
  role  = "ORGADMIN"
  alias = "orgadmin"
  authenticator = "JWT"
  private_key = file("~/.ssh/my.p8")
  private_key_passphrase = var.private_key_passphrase
  account = "..."
}

@sfc-gh-jcieslak
Collaborator

Did you generate it with those instructions: https://quickstarts.snowflake.com/guide/terraforming_snowflake/index.html#2? It may be invalid because you used other options to generate it.

@sfc-gh-jmichalak
Collaborator

This error is on the Snowflake side. Could you check if your key format is valid? Go to the official Snowflake documentation and search by error code (390144 in this case).

@joscha
Contributor

joscha commented Sep 20, 2024

> Did you generate it with those instructions: https://quickstarts.snowflake.com/guide/terraforming_snowflake/index.html#2? It may be invalid because you used other options to generate it.

Thank you for that. I did not create it after that exactly, I used: https://docs.snowflake.com/en/user-guide/key-pair-auth. I attached the private key (the same way as described) to an existing user. Will give creating a new user a try.

@joscha
Contributor

joscha commented Sep 20, 2024

> This error is on the Snowflake side. Could you check if your key format is valid? Go to the official Snowflake documentation and search by error code (390144 in this case).

Ah, this is good, thank you. After querying the error with the reference code on the snowflake side, I am now looking at JWT_TOKEN_INVALID_PUBLIC_KEY_FINGERPRINT_MISMATCH, which is way more helpful.

@joscha
Contributor

joscha commented Sep 20, 2024

> Did you generate it with those instructions: https://quickstarts.snowflake.com/guide/terraforming_snowflake/index.html#2? It may be invalid because you used other options to generate it.

Just for future reference. If you try to generate an encrypted private key with the options from the Quickstart above, you'll get:

│ Error: could not retrieve private key: could not parse encrypted private key with passphrase, only ciphers aes-128-cbc, aes-128-gcm, aes-192-cbc, aes-192-gcm, aes-256-cbc, aes-256-gcm, and des-ede3-cbc are supported err = pkcs8: only PBES2 supported

So you can only generate a non-encrypted key that way - for encrypted keys and some more background, see here.

@joscha
Contributor

joscha commented Sep 20, 2024

I got it to work eventually. There seems to be some funkiness with the regeneration of RSA_PUBLIC_KEY_FP after using:

ALTER USER "tf-snow" SET RSA_PUBLIC_KEY='MII [...] ==';

I tried to reproduce it but wasn't able to in a consistent manner. It possibly seems to be related to newlines and/or leading or trailing whitespace in the input key, but sometimes the fingerprint is different / the last value.
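
A way to check key input against `RSA_PUBLIC_KEY_FP` before running `ALTER USER`, as an added Go example that is not from the thread or the provider: it strips PEM armor and stray whitespace, then computes the fingerprint as `SHA256:` plus the base64 of the SHA-256 of the DER-encoded public key. `fingerprint`, `sampleKey` and `normalizePublicKey` are hypothetical names, and the key pair is generated on the fly as constructed sample input.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"strings"
)

// fingerprint renders SHA-256 of the DER public key in the RSA_PUBLIC_KEY_FP form.
func fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return "SHA256:" + base64.StdEncoding.EncodeToString(sum[:])
}

// sampleKey returns a throwaway key's fingerprint and public PEM (constructed input).
func sampleKey() (fp, publicPEM string) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	der, err := x509.MarshalPKIXPublicKey(&key.PublicKey)
	if err != nil {
		panic(err)
	}
	return fingerprint(der), string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}))
}

// normalizePublicKey accepts a PEM public key or a bare base64 body with stray
// whitespace; it returns the single-line RSA_PUBLIC_KEY value and its fingerprint.
func normalizePublicKey(input string) (string, string, error) {
	text := strings.TrimSpace(input)
	if block, _ := pem.Decode([]byte(text)); block != nil {
		text = base64.StdEncoding.EncodeToString(block.Bytes)
	}
	text = strings.Join(strings.Fields(text), "") // drop embedded newlines and spaces
	der, err := base64.StdEncoding.DecodeString(text)
	if err != nil {
		return "", "", err
	}
	if _, err := x509.ParsePKIXPublicKey(der); err != nil {
		return "", "", err // truncated or not a public key
	}
	return text, fingerprint(der), nil
}

func main() {
	wantFP, pubPEM := sampleKey()
	_, gotFP, err := normalizePublicKey("\n  " + pubPEM + "  \n")
	fmt.Println(gotFP == wantFP, gotFP, err)
}
```

The fingerprint returned here is the value to compare with `RSA_PUBLIC_KEY_FP` for the user after the key has been set.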

@sfc-gh-jcieslak
Collaborator

Thank you, @joscha, for your input. @sfc-gh-jmichalak is currently working on improving the provider configuration. We will test those cases so they'll be handled better or documented clearly in the registry.
