-
Notifications
You must be signed in to change notification settings - Fork 50
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Possibility of adding snowflake key-pair authentication? #25
Comments
Hi @koffemaria2u, Thanks! I see that key-pair authentication seems to be implemented in At the same time, there is a ticket in Github, according to which you need to specify the connection string with a set of parameters: snowflakedb/gosnowflake#302 It might work for you. Could you try it out and let me know if there is an issue with it? 😃 |
@burningalchemist - somehow I missed this part on their repo, thanks for the heads up! I will try setting this up and get back to you. |
Hi @burningalchemist - quick update, I do think it's possible as well. However I can't seem to put together the proper connection string to make it work. I've tried the following (among other combinations) based on the doc examples but mostly getting "260001: user is empty" error. I'm aIso wondering if this particular error could be misleading as well, where it's actually not a missing user. But not too sure.
|
Hi @koffemaria2u! Hmmm, ok let's dig further. Could you provide more details? I don't know exactly what I'd like to know, but maybe some ideas:
From the link I previously shared, developers mention that:
The key in Currently, I think that since But yeah, please provide what you think might be useful except sensitive data, and let's see. |
For some context, I am using AWS Secrets Manager to store the private key, and using konfd to generate a kubernetes This is how I build the connection string: I don't see why a password is needed in the string when we are already supplying the private key. But when I don't include password, it looks for a password with error# 260002. There are two main log errors that I see. This usually occurs when I supply the private key with line breaks ( Supplying the private key via |
@koffemaria2u This is decent, thank you! 👍 Seems like it's a good field for the experiments. 😃 I've checked the docs, where they constantly mention that the private key should be Could you make sure that the public key follows the same transformation? :) Maybe you could also request from the Snowflake side, why the authentication might be invalid? They might have some internal logs. One last idea for today is to pick this example from the official repo, and try to connect to the instance directly. If it works, it might be easier to debug and find a root cause. The example needs some adjustment, but I can help with that. In the meantime I'm going to check how to spin up a simple snowflake instance, so I could try it, too. |
@burningalchemist unfortunately, I'm unable to set a non-base64 public key on the snowflake user side. There is a policy that only takes proper formatted public keys. I'm also now in contact with some snowflake reps/engineers to see if they are able to check some internal logs. I will post an update of their findings once I get any. Can you elaborate on connecting to the instance directly using the example link mentioned? |
@koffemaria2u yes, will do shortly. 👍 |
@koffemaria2u that's actually good. As per documentation we need to provide base64-encoded keys on the both sides. I just wanted to make sure you do so, and use As for the example link above, it's a simple select query and it might be useful to try to connect to the database instance without any sql_exporter specifics. Currently, it only expects username and password parameters, but it's not difficult to change it and provide the private key instead. This might help to debug the connection process in an isolated manner. Please let me know about Snowflake's feedback with regards to the error you observe. I'm eager to make it work with sql_exporter. 👍 |
@burningalchemist Hmm... I wonder how would it be possible to apply base-64 encoded public key on the snowflake username side, if there are requirements it must match? It's failing for me to add base-64 encoded, only non-encoded works. No response yet from Snowflake reps. |
@koffemaria2u could be related, as that's what mentioned in the docs. Might be a bug or something. Let's see what they say. How difficult for me would it be to recreate the environment you have? If you could provide some steps, I would pick a trial account to debug as well. |
@burningalchemist I don't believe it's necessary to recreate my current env, it will just add more complexity. All we have to do is figure out the proper connection string format to pass to snowflake db. You can setup an instance of your sql-exporter on k8s or docker for example, and pass a hardcoded conn string via your On the snowflake side, it's pretty simple to setup a user for key pair auth. |
@koffemaria2u sure, I meant the Snowflake environment. 👍 Cool, I'll take a look. |
@koffemaria2u It seems I managed to connect with SNOWFLAKE_JWT properly. I'll share my findings tomorrow morning. 👍 |
@koffemaria2u I'm going to share the steps I made with regards to key generation and connection DSN, etc:
I think in the case of DSN it doesn't matter, but this worked for me. Initially I had the same errors as you. |
@burningalchemist amazing, this works! Thank you so much for your help! Lessons learned:
My working DSN ended up looking like: |
@koffemaria2u I'm also preparing a new documentation page, so I'll include proper configuration for Snowflake as well. Thanks for collaboration! 👍 |
Hi - I'm researching as part of a POC, appreciate the forking from orig free/sql_exporter to add snowflake support!
Like the title states, wondering if this is a possible enhancement as noted in the snowflake docs.
The text was updated successfully, but these errors were encountered: