provider requiring password var when private_key is provided #2169

Closed
kalinon opened this issue Nov 1, 2023 · 16 comments
Labels
bug Used to mark issues with provider's incorrect behavior category:provider_config

Comments

@kalinon

kalinon commented Nov 1, 2023

Provider Version

v0.75.0

Terraform Version

1.6.3

Describe the bug

password is being required and checked even when private_key is being passed to the provider

Expected behavior
password should be optional when private_key is provided

Code samples and commands

Terraform code:

provider "snowflake" {
  user        = var.user
  account     = var.account
  role        = var.role
  private_key = var.private_key
}

Terraform error:

Planning failed. Terraform encountered an error while generating this plan.

╷
│ Error: 260002: password is empty
│
│   with provider["registry.terraform.io/snowflake-labs/snowflake"],
│   on main.tf line 11, in provider "snowflake":
│   11: provider "snowflake" {
│
╵

Additional context

This was previously working on v0.72.0

@kalinon kalinon added the bug Used to mark issues with provider's incorrect behavior label Nov 1, 2023
@mvanzanten-infostrux

This is preventing our production deployments as well, we are also using a Private Key instead of a password.

Any update on this?

@kalinon
Author

kalinon commented Nov 3, 2023

@mvanzanten-infostrux I've been in contact with Snowflake support directly, the Terraform developers have been made aware of it, and I've been told they are working on it. Hopefully.

@mvanzanten-infostrux

@kalinon Thanks for letting me know!

@putnam120

Is there any update on this? This bug is causing us to have to use version 0.72.0 as it doesn't seem to have these auth issues. But 0.72.0 doesn't have all the resources that we would ideally like to use.

@tkent

tkent commented Nov 9, 2023

Bummer to see this! We are just starting to roll out Snowflake and got blocked straight off using their guide with Terraform.

Thanks @putnam120 for pointing out a working version.

@ianwesleyarmstrong

This is also blocking any resource deployments/upgrades for us - having to go into every module and pin the provider is quite annoying...

@remi-f-artelia

This issue is a nightmare, and when you look at the release notes it seems to be fixed in v0.75.0 and then in v0.76.0, but it is not fixed at all.

Here are the tests I've made so far

Terraform Version: 1.6.3

Provider Version v0.73.0

provider "snowflake" {
  account                = var.account
  role                   = var.role
  username               = var.user  # N.B.: v0.73.0 does not know `user` yet
  private_key            = file(var.private_key_path)
  private_key_passphrase = var.private_key_passphrase
}

==> it works

Provider Version v0.74.0

With the same provider configuration

Error: account and User must be set in provider config, ~/.snowflake/config, or as an environment variable
│
│   with provider["registry.terraform.io/snowflake-labs/snowflake"].sysadmin,
│   on provider.tf line 11, in provider "snowflake":
│   11: provider "snowflake" {

With the provider updated as below I have the same issue

provider "snowflake" {
  account                = var.account
  role                   = var.role
  user                   = var.user
  private_key            = file(var.private_key_path)
  private_key_passphrase = var.private_key_passphrase
}

I tried to implement the ~/.snowflake/config but had no luck getting it to work, and the documentation is not very clear. cf. #2137

Provider Version v0.75.0

Same configuration with user instead of username

│ Error: 260002: password is empty
│
│   with provider["registry.terraform.io/snowflake-labs/snowflake"].sysadmin,
│   on provider.tf line 41, in provider "snowflake":
│   41: provider "snowflake" {

==> It is said to be fixed in #2133 (but it's not)

Provider Version v0.76.0

Same configuration with user instead of username

│ Error: 260002: password is empty
│
│   with provider["registry.terraform.io/snowflake-labs/snowflake"].sysadmin,
│   on provider.tf line 41, in provider "snowflake":
│   41: provider "snowflake" {

==> Same thing, nothing solved

@elventear

I've been trying to upgrade the provider since 0.74.0 and I have also been bitten by the same issues described by @remi-f-artelia.

It would be nice if Snowflake focused on stabilizing authentication/configuration portion of the provider for the next release instead of adding more changes. Maybe that way they could release a fix in a shorter timespan? If help is needed for debugging these changes I am more than willing to help.

cc: @sfc-gh-swinkler

@sfc-gh-asawicki
Collaborator

@remi-f-artelia, @elventear I think I know where the problem lies: apparently, change #2126 broke the way we are setting the authentication type on the underlying gosnowflake driver, which defaults to user+password one, and that's where the Error: 260002: password is empty comes from (https://pkg.go.dev/github.com/snowflakedb/gosnowflake#pkg-constants).

Please temporarily set authenticator to JWT and confirm that it helps.

The configuration would look like this:

provider "snowflake" {
  account                = var.account
  role                   = var.role
  user                   = var.user
  authenticator          = "JWT"
  private_key            = file(var.private_key_path)
  private_key_passphrase = var.private_key_passphrase
}

@remi-f-artelia

remi-f-artelia commented Nov 17, 2023

Hi @sfc-gh-asawicki, thank you for your reply.
I've tested as suggested with the param authenticator set to "JWT" and here is the result

Provider version: 0.74.0

│ Error: account and User must be set in provider config, ~/.snowflake/config, or as an environment variable
│
│   with provider["registry.terraform.io/snowflake-labs/snowflake"].sysadmin,
│   on provider.tf line 34, in provider "snowflake":
│   34: provider "snowflake" {
│

Provider version: 0.75.0

│ Error: Plugin did not respond
│
│   with provider["registry.terraform.io/snowflake-labs/snowflake"].sysadmin,
│   on provider.tf line 34, in provider "snowflake":
│   34: provider "snowflake" {
│
│ The plugin encountered an error, and failed to respond to the plugin.(*GRPCProvider).ConfigureProvider call. The plugin logs may contain more details.
╵

Stack trace from the terraform-provider-snowflake_v0.75.0.exe plugin:

panic: runtime error: invalid memory address or nil pointer dereference
[signal 0xc0000005 code=0x0 addr=0x0 pc=0x1116d58]

goroutine 54 [running]:
crypto/rsa.(*PrivateKey).Public(...)
        crypto/rsa/rsa.go:123
github.com/snowflakedb/gosnowflake.prepareJWTToken(0xc00087c780)
        github.com/snowflakedb/[email protected]/auth.go:460 +0x38
github.com/snowflakedb/gosnowflake.createRequestBody(0xc000ad6660, 0xc000933c50?, {{0xc00065a589, 0x1c}, {0x1a76487, 0x7}, {0xc000629318, 0x8}, {0x1a7b7af, 0x9}}, ...)
        github.com/snowflakedb/[email protected]/auth.go:423 +0x429
github.com/snowflakedb/gosnowflake.authenticate.func1()
        github.com/snowflakedb/[email protected]/auth.go:334 +0x6d
github.com/snowflakedb/gosnowflake.(*retryHTTP).execute(0xc0005fe148)
        github.com/snowflakedb/[email protected]/retry.go:285 +0x207
github.com/snowflakedb/gosnowflake.postAuthRestful({0x1da7208?, 0xc0000440b0?}, 0x19?, 0xc000933c00?, 0x1766d80?, 0x30?, 0xc000abc000?, 0xf0?)
        github.com/snowflakedb/[email protected]/restful.go:198 +0xec
github.com/snowflakedb/gosnowflake.postAuth({0x1da7208, 0xc0000440b0}, 0xc0005af040, 0x8?, 0xc00051b150, 0x2?, 0x80?, 0xc000ac01a0?)
        github.com/snowflakedb/[email protected]/auth.go:229 +0x346
github.com/snowflakedb/gosnowflake.authenticate({0x1da7208, 0xc0000440b0}, 0xc000ad6660, {0x0, 0x0, 0x0}, {0x0, 0x0, 0x0})
        github.com/snowflakedb/[email protected]/auth.go:354 +0xeee
github.com/snowflakedb/gosnowflake.authenticateWithConfig(0xc000ad6660)
        github.com/snowflakedb/[email protected]/auth.go:545 +0x398
github.com/snowflakedb/gosnowflake.SnowflakeDriver.OpenWithConfig({}, {_, _}, {{0xc00065a54c, 0x7}, {0xc00065a540, 0xa}, {0xc00065a540, 0x0}, {0x0, ...}, ...})      
        github.com/snowflakedb/[email protected]/driver.go:43 +0x15e
github.com/snowflakedb/gosnowflake.SnowflakeDriver.Open({}, {0xc00065a540, 0xda})
        github.com/snowflakedb/[email protected]/driver.go:26 +0x127
github.com/luna-duclos/instrumentedsql.dsnConnector.Connect(...)
        github.com/luna-duclos/[email protected]/connector.go:53
github.com/luna-duclos/instrumentedsql.wrappedConnector.Connect({{{0x1d92560, 0x1b76910}, {0x1d925c0, 0x2b0b950}, 0x0, 0x0}, {0x1d9e340, 0xc00054ab80}, 0xc00086f100}, {0x1da7208, ...})
        github.com/luna-duclos/[email protected]/connector.go:33 +0x204
database/sql.(*DB).conn(0xc0005aef70, {0x1da7208, 0xc000044098}, 0x1)
        database/sql/sql.go:1387 +0x763
database/sql.(*DB).PingContext.func1(0x30?)
        database/sql/sql.go:850 +0x45
database/sql.(*DB).retry(0x0?, 0xc0005ff038)
        database/sql/sql.go:1538 +0x47
database/sql.(*DB).PingContext(0xc0005aef70, {0x1da7208, 0xc000044098})
        database/sql/sql.go:849 +0x98
database/sql.(*DB).Ping(...)
        database/sql/sql.go:867
github.com/jmoiron/sqlx.Connect({0x1aab430?, 0x16?}, {0xc00065a540?, 0xc00086f0c0?})
        github.com/jmoiron/[email protected]/sqlx.go:642 +0x4a
github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/sdk.NewClient(0x0?)
        github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/sdk/client.go:99 +0x232
github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/provider.ConfigureProvider(0x1a6e79c?)
        github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/provider/provider.go:754 +0x1979
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Provider).Configure(0xc0009fde60, {0x1da7278, 0xc000b95d40}, 0xd?)
        github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/provider.go:290 +0x18f
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*GRPCProviderServer).ConfigureProvider(0xc000995f20, {0x1da7278?, 0xc000b94f60?}, 0xc000598228)
        github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/grpc_provider.go:593 +0x345
github.com/hashicorp/terraform-plugin-go/tfprotov5/tf5server.(*server).Configure(0xc00099df40, {0x1da7278?, 0xc000b94720?}, 0xc00086e000)
        github.com/hashicorp/[email protected]/tfprotov5/tf5server/server.go:597 +0x2d3
github.com/hashicorp/terraform-plugin-go/tfprotov5/internal/tfplugin5._Provider_Configure_Handler({0x19fad00?, 0xc00099df40}, {0x1da7278, 0xc000b94720}, 0xc00024e150, 0x0)
        github.com/hashicorp/[email protected]/tfprotov5/internal/tfplugin5/tfplugin5_grpc.pb.go:413 +0x170
google.golang.org/grpc.(*Server).processUnaryRPC(0xc00087c1e0, {0x1db6d00, 0xc000aa84e0}, 0xc0000d58c0, 0xc0009c4810, 0x2aa01f0, 0x0)
        google.golang.org/[email protected]/server.go:1376 +0xdd2
google.golang.org/grpc.(*Server).handleStream(0xc00087c1e0, {0x1db6d00, 0xc000aa84e0}, 0xc0000d58c0, 0x0)
        google.golang.org/[email protected]/server.go:1753 +0xa36
google.golang.org/grpc.(*Server).serveStreams.func1.1()
        google.golang.org/[email protected]/server.go:998 +0x98
created by google.golang.org/grpc.(*Server).serveStreams.func1
        google.golang.org/[email protected]/server.go:996 +0x18c
panic: runtime error: invalid memory address or nil pointer dereference
[signal 0xc0000005 code=0x0 addr=0x0 pc=0x1116d58]

goroutine 63 [running]:
crypto/rsa.(*PrivateKey).Public(...)
        crypto/rsa/rsa.go:123
github.com/snowflakedb/gosnowflake.prepareJWTToken(0xc0001ffa40)
        github.com/snowflakedb/[email protected]/auth.go:460 +0x38
github.com/snowflakedb/gosnowflake.createRequestBody(0xc0007721e0, 0xc0001935a0?, {{0xc0001e8909, 0x1c}, {0x1a76487, 0x7}, {0xc00050d950, 0x8}, {0x1a7b7af, 0x9}}, ...)
        github.com/snowflakedb/[email protected]/auth.go:423 +0x429
github.com/snowflakedb/gosnowflake.authenticate.func1()
        github.com/snowflakedb/[email protected]/auth.go:334 +0x6d
github.com/snowflakedb/gosnowflake.(*retryHTTP).execute(0xc000818148)
        github.com/snowflakedb/[email protected]/retry.go:285 +0x207
github.com/snowflakedb/gosnowflake.postAuthRestful({0x1da7208?, 0xc0000440b0?}, 0x19?, 0xc000193570?, 0x1766d80?, 0x30?, 0xc000097800?, 0x70?)
        github.com/snowflakedb/[email protected]/restful.go:198 +0xec
github.com/snowflakedb/gosnowflake.postAuth({0x1da7208, 0xc0000440b0}, 0xc0001088f0, 0x8?, 0xc00000b428, 0x2?, 0x80?, 0xc000be4340?)
        github.com/snowflakedb/[email protected]/auth.go:229 +0x346
github.com/snowflakedb/gosnowflake.authenticate({0x1da7208, 0xc0000440b0}, 0xc0007721e0, {0x0, 0x0, 0x0}, {0x0, 0x0, 0x0})
        github.com/snowflakedb/[email protected]/auth.go:354 +0xeee
github.com/snowflakedb/gosnowflake.authenticateWithConfig(0xc0007721e0)
        github.com/snowflakedb/[email protected]/auth.go:545 +0x398
github.com/snowflakedb/gosnowflake.SnowflakeDriver.OpenWithConfig({}, {_, _}, {{0xc0001e88cc, 0x7}, {0xc0001e88c0, 0xa}, {0xc0001e88c0, 0x0}, {0x0, ...}, ...})      
        github.com/snowflakedb/[email protected]/driver.go:43 +0x15e
github.com/snowflakedb/gosnowflake.SnowflakeDriver.Open({}, {0xc0001e88c0, 0xd5})
        github.com/snowflakedb/[email protected]/driver.go:26 +0x127
github.com/luna-duclos/instrumentedsql.dsnConnector.Connect(...)
        github.com/luna-duclos/[email protected]/connector.go:53
github.com/luna-duclos/instrumentedsql.wrappedConnector.Connect({{{0x1d92560, 0x1b76910}, {0x1d925c0, 0x2b0b950}, 0x0, 0x0}, {0x1d9e340, 0xc0008c5a80}, 0xc000a39780}, {0x1da7208, ...})
        github.com/luna-duclos/[email protected]/connector.go:33 +0x204
database/sql.(*DB).conn(0xc000108820, {0x1da7208, 0xc000044098}, 0x1)
        database/sql/sql.go:1387 +0x763
database/sql.(*DB).PingContext.func1(0x30?)
        database/sql/sql.go:850 +0x45
database/sql.(*DB).retry(0x0?, 0xc000819038)
        database/sql/sql.go:1538 +0x47
database/sql.(*DB).PingContext(0xc000108820, {0x1da7208, 0xc000044098})
        database/sql/sql.go:849 +0x98
database/sql.(*DB).Ping(...)
        database/sql/sql.go:867
github.com/jmoiron/sqlx.Connect({0x1aab430?, 0x16?}, {0xc0001e88c0?, 0xc000a39740?})
        github.com/jmoiron/[email protected]/sqlx.go:642 +0x4a
github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/sdk.NewClient(0x0?)
        github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/sdk/client.go:99 +0x232
github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/provider.ConfigureProvider(0x1a6e79c?)
        github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/provider/provider.go:754 +0x1979
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Provider).Configure(0xc000857bc0, {0x1da7278, 0xc0000b6ba0}, 0xd?)
        github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/provider.go:290 +0x18f
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*GRPCProviderServer).ConfigureProvider(0xc0008d5608, {0x1da7278?, 0xc0006e5da0?}, 0xc0008d5ab8)
        github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/grpc_provider.go:593 +0x345
github.com/hashicorp/terraform-plugin-go/tfprotov5/tf5server.(*server).Configure(0xc0008b4140, {0x1da7278?, 0xc0006e5590?}, 0xc000a39140)
        github.com/hashicorp/[email protected]/tfprotov5/tf5server/server.go:597 +0x2d3
github.com/hashicorp/terraform-plugin-go/tfprotov5/internal/tfplugin5._Provider_Configure_Handler({0x19fad00?, 0xc0008b4140}, {0x1da7278, 0xc0006e5590}, 0xc0009b80e0, 0x0)
        github.com/hashicorp/[email protected]/tfprotov5/internal/tfplugin5/tfplugin5_grpc.pb.go:413 +0x170
google.golang.org/grpc.(*Server).processUnaryRPC(0xc0001ff2c0, {0x1db6d00, 0xc00008d380}, 0xc000aeab40, 0xc0006e4d80, 0x2aa01f0, 0x0)
        google.golang.org/[email protected]/server.go:1376 +0xdd2
google.golang.org/grpc.(*Server).handleStream(0xc0001ff2c0, {0x1db6d00, 0xc00008d380}, 0xc000aeab40, 0x0)
        google.golang.org/[email protected]/server.go:1753 +0xa36
google.golang.org/grpc.(*Server).serveStreams.func1.1()
        google.golang.org/[email protected]/server.go:998 +0x98
created by google.golang.org/grpc.(*Server).serveStreams.func1
        google.golang.org/[email protected]/server.go:996 +0x18c

Error: The terraform-provider-snowflake_v0.75.0.exe plugin crashed!

N.B.: a second try gave the same result

Provider version: 0.76.0

This seems to work... 👍

So will you fix this in a future 0.7[4|5|6].x version so that we don't have to set authenticator to "JWT"?

@sfc-gh-asawicki
Collaborator

Okay, thanks for the quick response @remi-f-artelia. This confirms my suspicions. There was a fix between v0.75.0 and v0.76.0 - #2170 which solved the panic which you attached above for v0.75.0.

Please for now use the authenticator workaround. We will have an internal discussion on how we would like to proceed with its optionality, and what should be the provider's behavior when it is not provided. We wanted to be aligned as much as possible with the driver so that we support the same config options.

Ideally, we would release 0.7[4|5|6].x versions as you suggested but because we are in an experimental phase, we are not supporting all the versions of the provider with the backward bug fixes. This will change from v1.0.0. For now, we always encourage you to use the newest version (I apologize that the latest three versions were not stable).
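
The two failures reported above (an unset authenticator falling back to user+password, and the JWT path reaching a nil private key in v0.75.0) can be modelled as follows. This is an added example, not code from the provider or from gosnowflake; `AuthType`, `Config`, `Validate`, `Resolve` and `sampleKey` are hypothetical names, and the inference policy in `Resolve` is an assumption about one possible behaviour.

```go
package main

import (
	"crypto/rsa"
	"errors"
	"fmt"
)

// AuthType is a simplified stand-in for the driver's authenticator setting.
type AuthType int
const (
	AuthPassword AuthType = iota // zero value: an unset field means user+password
	AuthJWT                      // key-pair authentication
)

// Config is a hypothetical, reduced connection config (not the gosnowflake struct).
type Config struct {
	User, Password string
	Authenticator  AuthType
	PrivateKey     *rsa.PrivateKey
}

var (
	ErrEmptyPassword = errors.New("260002: password is empty")
	ErrNilKey        = errors.New("authenticator is JWT but no private key was supplied")
)

// Validate checks only the fields that the selected authenticator needs.
func Validate(c Config) error {
	switch c.Authenticator {
	case AuthJWT:
		if c.PrivateKey == nil { // reject here instead of dereferencing nil later
			return ErrNilKey
		}
	default:
		if c.Password == "" {
			return ErrEmptyPassword
		}
	}
	return nil
}

// Resolve is one possible policy for an unset authenticator (an assumption, not
// the provider's behaviour): infer JWT when a key is set and no password is.
func Resolve(c Config) (Config, error) {
	if c.Authenticator == AuthPassword && c.PrivateKey != nil && c.Password == "" {
		c.Authenticator = AuthJWT
	}
	return c, Validate(c)
}

var sampleKey = &rsa.PrivateKey{} // constructed placeholder; the model only checks for nil

func main() {
	_, inferred := Resolve(Config{User: "tf", PrivateKey: sampleKey})
	fmt.Println(Validate(Config{User: "tf", PrivateKey: sampleKey}))  // unset authenticator, key ignored
	fmt.Println(Validate(Config{User: "tf", Authenticator: AuthJWT})) // JWT selected, key missing
	fmt.Println(inferred)                                             // JWT inferred from the key
}
```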

@JKDSB

JKDSB commented Nov 28, 2023

authenticator = "JWT"

Thank you very much, this temp fix worked.

@axthosarouris

authenticator = "JWT"

Since this fix is working, shouldn't it be mentioned in the documentation? This bug has existed for quite a long time and it prevents people from using private keys when using the latest version.

@sfc-gh-asawicki
Collaborator

Hey @axthosarouris. Will be added in #2345.

sfc-gh-asawicki added a commit that referenced this issue Jan 16, 2024
#2345)

Adds setting `authenticator` to `JWT` explicitly to the docs and
migration guide.
Check:
#2169 (comment)
and
#2169 (comment).
@johndutchover

I was working on this for some practice and thought I would post what is working.

zsh ➜ terraform version
Terraform v1.7.4
on darwin_arm64
+ provider registry.terraform.io/snowflake-labs/snowflake v0.87.0

Provider version: 0.87.0

My provider block looks like this:

provider "snowflake" {
  user                   = var.snowflake_tf_user
  account                = var.snowflake_account
  private_key            = file(var.snowflake_tf_user_pke_path)
  private_key_passphrase = var.snowflake_tf_user_pke_pass
  role                   = var.snowflake_tf_user_role
  authenticator          = var.snowflake_tf_user_authenticator
}

and variables.tf with:

variable "snowflake_tf_user" {
  type = string
}
variable "snowflake_account" {
  type = string
}
variable "snowflake_tf_user_pke_path" {
  type = string
}
variable "snowflake_tf_user_pke_pass" {
  type = string
}
variable "snowflake_tf_user_role" {
  type = string
}
variable "snowflake_tf_user_authenticator" {
  type = string
}

My (redacted) terraform.tfvars file looks like:

snowflake_tf_user               = "username"
snowflake_account               = "<orgname-account_name>"
snowflake_tf_user_role          = "ROLE"
snowflake_tf_user_authenticator = "JWT"
snowflake_tf_user_pke_path      = "path_to_.p8"
snowflake_tf_user_pke_pass      = "passphrase"

Using an Account Name as an Identifier is a handy reference for the snowflake_account format.

@sfc-gh-asawicki
Collaborator

I will close this issue because the documentation was updated and the configuration works as expected.
