[Docs]: Misleading example of SNOWFLAKE_PRIVATE_KEY

[martinw-intersport]

Company Name

No response

Object type(s)

No response

Documentation Link

https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/docs/index.md

Description

In section #keypair-authentication-passphrase and #order-precedence mentioned example to assign SNOWFLAKE_PRIVATE_KEY with private key path, like

export SNOWFLAKE_USER="..."
export SNOWFLAKE_PRIVATE_KEY="~/.ssh/snowflake_key.p8"
export SNOWFLAKE_PRIVATE_KEY_PASSPHRASE="..."

Instead the SNOWFLAKE_PRIVATE_KEY accepts file content, and there's no way to pass in file path directly to snowflake provider.

References

No response

Would you like to implement a fix?

• Yeah, I'll take it 😎

[sfc-gh-jmichalak]

Hi @martinw-intersport 👋

You're right - the example is misleading. We will adjust this soon. You should be able to load the contents of your key file like this:

export SNOWFLAKE_PRIVATE_KEY=$(cat ~/.ssh/snowflake_key.p8)

[martinw-intersport]

Hi @sfc-gh-jmichalak,

thanks for your reply! I still get following error when i set through env var SNOWFLAKE_PRIVATE_KEY

  │ Error: could not retrieve private key: could not parse private key, key is not in PEM format
  │ 
  │   with provider["registry.terraform.io/snowflake-labs/snowflake"].accountadmin,
  │   on main.tf line 1, in provider "snowflake":
  │    1: provider "snowflake" {
  │ 

and when I run echo "$SNOWFLAKE_PRIVATE_KEY", it outputs correct file content. Is that because provider cannot load multiline file?

[sfc-gh-jmichalak]

Probably the key is not formatted correctly. Please take a look at similar issues: #2899 and #2432. We don't do any processing on the file, we just pass it straight to the gosnowflake driver - see #2899 (comment).

[martinw-intersport]

@sfc-gh-jmichalak The file is correctly formatted, at least when i use file("~/.ssh/snowflake_key.p8") it works.

But this command does not work as i said before (does this work on your side?)

export SNOWFLAKE_PRIVATE_KEY=$(cat ~/.ssh/snowflake_key.p8)

Regarding this #2899 (comment), it can be passed through on my side when env set using above command. So not due to pem.Decode

I have tried many ways, including:

• Set ssh key content as one line local variable like
  locals ssh_content = "-----BEGIN PRIVATE KEY-----\nxxx\n-----END PRIVATE KEY-----\n to pass into schema private_key, it can be recongized by provider.
• But if set ssh key content like this oneline string and then export SNOWFLAKE_PRIVATE_KEY=$(cat ~/.ssh/snowflake_key.p8) it doesn't work
• Directly export SNOWFLAKE_PRIVATE_KEY="ssh oneline string" it works
• Wrap ssh key content with <<EOT and EOT then export SNOWFLAKE_PRIVATE_KEY=$(cat ~/.ssh/snowflake_key.p8) it works

It seems there was an issue transferring the content from the SSH file to the environment variables. So your commit c7e463d about SNOWFLAKE_PRIVATE_KEY might still not work for others.

It will be good like snowflake cli to set private_key_file as file path, then we don't have to struggle with multiline string parameter. I know in gosnowflake haven't implement it, but snowflake provider can accept file path and load content by itself to pass to Config.PrivateKey

[sfc-gh-jmichalak]

I checked again, and it is working on my side. I checked multiple ways:

• key embedded in main.tf
• key sourced from a file with file() function
• key set like

export SNOWFLAKE_PRIVATE_KEY="-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDAr1xap9HA6Anx
...
qXcroyYiKfMLzlt+WYqk4qs5
-----END PRIVATE KEY-----"

• key set like

export SNOWFLAKE_PRIVATE_KEY=$(cat ~/.ssh/key.p8)"

Note that I did not process the key/file in any way. It is a multiline key. To convert a singleline key to a multiline key, you can change encoded new lines \n to line breaks like sed 's/\\n/\'$'\n/g'.

Regarding a separate field - actually, we had private_key_path before, but it was deprecated in favor of using private_key with TF or shell capabilities, and it was removed in v1.

[martinw-intersport]

Hi @sfc-gh-jmichalak,

i found the reason behind, I use the command openssl genrsa 2048 | openssl pkcs8 -topk8 -inform PEM -out rsa_key.p8 -nocrypt from snowflake to generate the private key. And the private key has the empty line at the end, after I remove that line, then export SNOWFLAKE_PRIVATE_KEY=$(cat ~/.ssh/key.p8" works. (I'm not expert in bash, don't know how to solve with sed)

Just to clarify the background we have, so in our team we want to find the one stop solution (like all set in .env or tfvar or toml file) that each member can set up their own different snowflake connection in provider. So hard coding like following does not work and not safe.

• key embedded in main.tf
• key sourced from a file with file() function

And we want the private_key_passphrase to be asked and input from terminal instead of saving in file (just leave the variable unset).

Also this statement in README file

terraform-provider-snowflake/docs/index.md

Line 266 in 61ee1bd

Not all fields must be configured in one source; users can choose which fields are configured in which source.

is not correct, when i set private_key content in toml and passphrase as terraform variable, these two fields needs to set in one place.

So as I said before, there's no solution in our mind to set all snowflake connection in one-stop without having private_key_path now.

[martinw-intersport]

Hi @sfc-gh-jmichalak,

why this issue has been closed? Could you explain here how we should proceed?

[sfc-gh-jmichalak]

Hi @martinw-intersport, I'm sorry, it has been closed by some Github automation :(

It's true that private_key and private_key_passphrase can't be read from 2 different sources - this is a mistake on our end. However, I think you should be able to set them both in main.tf, with usage of TF variables. These variables can be overridden during terraform apply, so the passphrase would be passed during command execution instead of being stored in a file. I will get back to you with a more concrete example.

[Bryan-Meier]

Hopefully this helps others. I found that an easy way to get around some of the issues if you have the key as a string and are following best practices to not store the key in your code, you can create a Terraform Variable for the key contents and another for the passphrase. Then, pass the key variable in as a base64 encoded value. At this point the key is in fact a single line. Then in your provider config when you go to set the private_key attribute, you will base64decode the key.

This is particularly useful for those of us leveraging cloud Terraform platforms like Env0 and Spacelift.

Again, I hope it helps for now until a better solution can be developed.

[sfc-gh-jmichalak]

The most generic configuration can look like this:

variable "private_key" {
  type      = string
  sensitive = true
}
variable "private_key_passphrase" {
  type      = string
  sensitive = true
}
provider "snowflake" {
  ...
  authenticator = "SNOWFLAKE_JWT"
  private_key            = var.private_key
  private_key_passphrase = var.private_key_passphrase
}

You can now provide these values in multiple ways:

• If these variables don't have any value set, you will be prompted by Terraform to provide these.
• If you want to provide them before, you can do it like:
  • Use Terraform VAR environment variables: TF_VAR_private_key="<key>" terraform plan
  • Use Terraform flags: terraform plan -var="private_key=<key>"
  • Use Snowflake Terraform Provider flags: SNOWFLAKE_PRIVATE_KEY="<key>" terraform plan
  • You can also load the variables from the tfvars file like terraform apply -var-file="config.tfvars", but this does not support the file function.
  • Use the default field of the variables - for the key, you can additionally use the file function, as described in the comments above.

These approaches can be mixed for different variables here. We don't need to hardcode any value here.

[martinw-intersport]

@sfc-gh-jmichalak Thanks for your answer that shows comprehensive ways to handle this.

We end up using file function to dynamically load private key from different colleagues. And leave var private_key_passphrase value empty to let terraform prompt it.