[SNOW-89] Update authentication policy for service accounts #146
|
ALTER ACCOUNT SET CORTEX_ENABLED_CROSS_REGION = 'ANY_REGION'; | ||
|
||
ALTER AUTHENTICATION POLICY service_account_authentication_policy | ||
AUTHENTICATION_METHODS = ('PASSWORD', 'KEYPAIR'); |
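Review bot: 'PASSWORD' stays in AUTHENTICATION_METHODS for service_account_authentication_policy with nothing in the file saying why or for how long. Please add a SQL comment above the ALTER stating that it is kept only for backward compatibility with the older service users, and reference a follow-up to reduce the list to ('KEYPAIR') once they are retired, so the weaker method does not stay enabled by default. Also, as rendered here there is no SET keyword between the policy name and AUTHENTICATION_METHODS; Snowflake's ALTER AUTHENTICATION POLICY expects `ALTER AUTHENTICATION POLICY <name> SET AUTHENTICATION_METHODS = (...)`, so confirm the statement runs as written.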
This is surprising. I thought the whole premise around service type accounts was that it only allowed keypair auth...
@thomasyu888 That's correct. If the user type is "SERVICE" then you can only authenticate via key-pair. That doesn't mean that user gets a free pass from the existing authentication policies to authenticate using key-pair.
This alteration makes it so that we can access our service account via a password too, is that correct? Are we doing key-pair or password when GitHub logs into these accounts for CI/CD?
🔥 LGTM!
I'm modifying a preexisting authentication policy, so "PASSWORD" is included for backward compatibility. We can remove it once we officially remove support for those other service accounts/users (including thomasyu888, the service user which currently executes our CI pipeline). ADMIN_SERVICE and DEVELOPER_SERVICE will only ever authenticate via key-pair authentication (they must, since they were created specifically as "SERVICE" type accounts).
How a user is allowed to authenticate is regulated by authentication policies. This PR alters our existing authentication policy for service accounts by additionally allowing key-pair authentication. I also correct a typo in the `integrations.sql` file.