
Announcing the Snowflake Secrets Engine

The new Snowflake database secrets engine for Vault supports static and dynamic roles as well as root credential rotation.

As part of our recent release of Vault 1.7 and general availability launch of HCP Vault, we are excited to announce the Snowflake Secrets Engine for self-managed HashiCorp Vault and HCP Vault. The secrets engine is packaged as part of the general database secrets engine and supports root credential rotation as well as dynamic and static roles (these are not to be confused with roles in Snowflake such as accountadmin).

»What is Vault?

HashiCorp Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, or certificates. Vault provides a unified interface to any secret while providing tight access control and recording a detailed audit log.

With the HashiCorp Cloud Platform (HCP) Vault managed service, organizations can get up and running quickly, providing immediate access to Vault’s best-in-class secrets management and encryption capabilities while also offloading resilience and operational management concerns to HashiCorp.

»What Are Dynamic Secrets? Why Use Them?

Today most organizations use static secrets. These are defined ahead of time, shared between many clients, and can be long-lived. A dynamic secret is generated on demand and is unique to a client. Vault associates each dynamic secret with a lease and automatically destroys the credentials when the lease expires. By leveraging just-in-time ephemeral credentials, organizations can dramatically reduce the blast radius in case of credential leakage. Vault takes over the operational burden of managing the credential lifecycle by renewing or revoking credentials as needed.

»What is Snowflake?

Snowflake delivers the Data Cloud, a global network where thousands of organizations mobilize data with near-unlimited scale, concurrency, and performance. Inside the Data Cloud, organizations unite their siloed data, easily discover and securely share governed data, and execute diverse analytic workloads. Wherever data or users live, Snowflake delivers a single and seamless experience across multiple public clouds. Snowflake’s platform is the engine that powers and provides access to the Data Cloud, creating a solution for data warehousing, data lakes, data engineering, data science, data application development, and data sharing. Join Snowflake customers, partners, and data providers already taking their businesses to new frontiers in the Data Cloud.

With HCP Vault being generally available, Snowflake customers can take advantage of a managed service offering that aligns with the deployment model they are used to.

»The Snowflake Database Secrets Engine

As mentioned, the database secrets engine supports static and dynamic roles as well as root credential rotation. For both static and dynamic roles, the Snowflake secrets engine supports the setting of default password policies so the generated passwords will meet an organization's password requirements.

»Example Snowflake Use Cases

While many Snowflake customers may have single sign-on (SSO) set up for end users, they may still have some passwords to manage in Snowflake. This plugin can manage the lifecycle and access to those passwords with HashiCorp Vault.

Root accountadmin user: Customers will want at least one user with the accountadmin role in Snowflake that can authenticate using a username and password. This user is required to fix SSO issues. Since this is a privileged user with the highest level of access, its password needs to be protected. Vault can be used to manage this password and rotate it on demand or at regular intervals.

Service user accounts: Snowflake users may have ETL and other automation tools that connect to Snowflake using a service account user. If these tools support username and password authentication only, then Vault can be used to generate dynamic, short-lived credentials for these service user accounts.

»Setup

Enable the database secrets engine, then configure a connection with the Snowflake plugin and the connection information. The connection name (my-snowflake-database below) is what the static and dynamic roles later reference through db_name, and allowed_roles must list those role names. Note: A properly formatted data source name (DSN) must be provided during configuration of the database (e.g. {{username}}:{{password}}@account/db_name); the {{username}} and {{password}} templates are substituted by Vault, so the root credentials are not written literally into the URL.

$ vault secrets enable database

$ vault write database/config/my-snowflake-database \
    plugin_name=snowflake-database-plugin \
    allowed_roles="my-static-role,my-dynamic-role" \
    connection_url="{{username}}:{{password}}@ecxxxx.west-us-1.azure/db_name" \
    username="vaultuser" \
    password="vaultpass"
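The DSN note above is easy to get wrong in a way that only shows up later: a connection_url with the real username and password pasted in instead of the {{username}}/{{password}} templates will be accepted by Vault, but the password then sits in the connection configuration and root credential rotation has nothing to substitute. The following pre-flight check is an added example, not code from HashiCorp, the Vault project or Snowflake; it assumes only the DSN shape given in the post (user:password@account/db_name) and that Vault substitutes the two templates at connection time. The connection name, role names and account locator are the ones used on this page.

```python
"""Pre-flight check of a Snowflake connection_url before it is written to
database/config/<name>.  Added example; it assumes the DSN shape
{{username}}:{{password}}@account/db_name and that Vault injects the root
credentials through those two templates."""
import re
import shlex
from typing import List

USERNAME_TPL = "{{username}}"
PASSWORD_TPL = "{{password}}"

# user:password@account/db_name; the account locator may contain dots and
# hyphens (the post uses ecxxxx.west-us-1.azure as a placeholder account).
DSN_RE = re.compile(
    r"^(?P<user>[^:@/]+):(?P<password>[^@]+)@(?P<account>[A-Za-z0-9.\-]+)/(?P<db>\w+)$"
)


def check_connection_url(url: str) -> List[str]:
    """Return findings for a connection_url; an empty list means it is acceptable."""
    m = DSN_RE.match(url)
    if not m:
        return ["malformed DSN, expected " + USERNAME_TPL + ":" + PASSWORD_TPL + "@account/db_name"]
    findings = []
    if m["user"] != USERNAME_TPL:
        findings.append("username is written literally; use " + USERNAME_TPL)
    if m["password"] != PASSWORD_TPL:
        # A literal password is stored inside connection_url rather than in the
        # separate password field, and rotate-root cannot replace it.
        findings.append("password is written literally; use " + PASSWORD_TPL
                        + " so the secret is stored separately and root rotation applies")
    return findings


def build_config_command(conn_name: str, url: str, username: str, password: str,
                         allowed_roles: List[str]) -> List[str]:
    """Build the argv for `vault write database/config/<conn_name>`, refusing
    a URL that fails check_connection_url().  Returned as an argument vector so
    the password is never shell-interpolated; shlex.join() is for display only."""
    findings = check_connection_url(url)
    if findings:
        raise ValueError("; ".join(findings))
    return [
        "vault", "write", "database/config/" + conn_name,
        "plugin_name=snowflake-database-plugin",
        "allowed_roles=" + ",".join(allowed_roles),
        "connection_url=" + url,
        "username=" + username,
        "password=" + password,
    ]


if __name__ == "__main__":
    argv = build_config_command(
        "my-snowflake-database",
        "{{username}}:{{password}}@ecxxxx.west-us-1.azure/db_name",
        "vaultuser", "vaultpass",
        ["my-static-role", "my-dynamic-role"],
    )
    print(shlex.join(argv))
```

Run it with a literal password in the URL (vaultuser:vaultpass@ecxxxx.west-us-1.azure/db_name) and build_config_command() raises instead of producing a command; with the templated URL it prints the same vault write invocation shown in the Setup block.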

»Static Roles

Static roles are a 1-to-1 mapping of Vault roles to usernames in Snowflake. The current password for the database user is stored by Vault and automatically rotated at a configurable interval.

$ vault write database/static-roles/my-static-role \
    db_name="my-snowflake-database" \
    username="my-existing-snowflake-user" \
    rotation_period=5m

$ vault read database/static-creds/my-static-role
Key                    Value
---                    -----
last_vault_rotation    2020-08-07T16:50:48.393354+01:00
password               Z4-KH8F-VK5VJc0hSkXQ
rotation_period        5m
ttl                    4m39s
username               my-existing-snowflake-user

»Dynamic Roles

For dynamic roles, operators create a role in Vault that is mapped to a Snowflake role. When a credential request comes in from a client, Vault dynamically generates a unique username and password pair in Snowflake and automatically associates it with the corresponding role. Vault returns the credentials to the client. Once the lease expires, Vault automatically drops the user from Snowflake.

$ vault write database/roles/my-dynamic-role \
    db_name=my-snowflake-database \
    creation_statements="CREATE USER {{name}}
        PASSWORD = '{{password}}'
        DEFAULT_ROLE=myrole;
        GRANT ROLE myrole TO USER {{name}};" \
    default_ttl=1m \
    max_ttl=24h

$ vault read database/creds/my-dynamic-role
Key                Value
---                -----
lease_id           database/creds/my-dynamic-role/wiLNQjtcvCOT1VnN3qnUJnBz
lease_duration     24h
lease_renewable    true
password           mhyM-Gs7IpmOPnSqXEDe
username           v-root-my-dynamic-role-eXnVr4gm55dpM1EVgTYz-1596815027
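What the client does with the lease_id and lease_duration returned above decides whether dynamic credentials actually stay short-lived. The following is an added example, not code from HashiCorp, Vault or Snowflake: a lease-aware consumer that renews before expiry, recognises when Vault stops extending the lease (max_ttl reached) and fetches a fresh user instead, and revokes its lease on shutdown so the Snowflake user is dropped immediately rather than at expiry. The Vault API is replaced by an in-memory simulation (FakeVault) so the example runs offline; its rules (a renewal extends the lease but never past issue time plus max_ttl, and an expired lease drops the user) mirror the behaviour described in this section. The role name and the default_ttl=1m / max_ttl=24h settings come from the post; everything else, including the clock, is constructed for the example.

```python
"""Lease-aware consumer of dynamic Snowflake credentials.  Added example with a
simulated Vault (FakeVault); the real API calls would be GET database/creds/<role>,
PUT sys/leases/renew and PUT sys/leases/revoke."""
import secrets


class FakeVault:
    """In-memory stand-in for Vault plus the Snowflake users it manages."""

    def __init__(self, default_ttl=60, max_ttl=24 * 3600):
        self.default_ttl, self.max_ttl = default_ttl, max_ttl
        self.now = 0                   # simulated clock, seconds
        self.leases = {}               # lease_id -> (username, issued_at, expires_at)
        self.snowflake_users = set()   # users that currently exist in "Snowflake"

    def read_creds(self, role):        # GET database/creds/<role>
        username = "v-root-%s-%s-%d" % (role, secrets.token_urlsafe(12), self.now)
        lease_id = "database/creds/%s/%s" % (role, secrets.token_urlsafe(18))
        self.snowflake_users.add(username)                 # CREATE USER ... GRANT ROLE
        self.leases[lease_id] = (username, self.now, self.now + self.default_ttl)
        return {"lease_id": lease_id, "lease_duration": self.default_ttl,
                "username": username, "password": secrets.token_urlsafe(15)}

    def renew(self, lease_id, increment):   # PUT sys/leases/renew
        username, issued_at, _ = self.leases[lease_id]
        expires_at = min(self.now + increment, issued_at + self.max_ttl)  # max_ttl cap
        self.leases[lease_id] = (username, issued_at, expires_at)
        return expires_at - self.now       # the TTL Vault actually granted

    def revoke(self, lease_id):        # PUT sys/leases/revoke
        username, _, _ = self.leases.pop(lease_id)
        self.snowflake_users.discard(username)             # DROP USER

    def tick(self, seconds):
        """Advance the clock; Vault drops users whose lease has expired."""
        self.now += seconds
        for lease_id, (_, _, expires_at) in list(self.leases.items()):
            if expires_at <= self.now:
                self.revoke(lease_id)


class SnowflakeCredentialClient:
    def __init__(self, vault, role, renew_fraction=2 / 3, min_useful_ttl=15):
        self.vault, self.role = vault, role
        self.renew_fraction, self.min_useful_ttl = renew_fraction, min_useful_ttl
        self.lease_id = self.creds = self.renew_at = None
        self.issues = 0                # how many distinct users this client was given

    def _acquire(self):
        resp = self.vault.read_creds(self.role)
        self.lease_id = resp["lease_id"]
        self.creds = (resp["username"], resp["password"])
        self._schedule(resp["lease_duration"])
        self.issues += 1

    def _schedule(self, ttl):
        # Renew well before expiry so a transient Vault outage does not cost the session.
        self.renew_at = self.vault.now + int(ttl * self.renew_fraction)

    def current(self):
        """Return (username, password) usable right now."""
        v = self.vault
        if self.lease_id is None or self.lease_id not in v.leases:
            self._acquire()            # first use, or the lease expired and the user is gone
        elif v.now >= self.renew_at:
            granted = v.renew(self.lease_id, v.default_ttl)
            if granted < self.min_useful_ttl:
                self._acquire()        # max_ttl reached: Vault will not extend further
            else:
                self._schedule(granted)
        return self.creds

    def close(self):
        """Revoke on shutdown so the Snowflake user disappears now, not at expiry."""
        if self.lease_id in self.vault.leases:
            self.vault.revoke(self.lease_id)
        self.lease_id = self.creds = None


if __name__ == "__main__":
    vault = FakeVault(default_ttl=60, max_ttl=24 * 3600)    # the post's 1m / 24h
    client = SnowflakeCredentialClient(vault, "my-dynamic-role")
    for _ in range(5):
        user, _ = client.current()
        print("t=%4ds using %s" % (vault.now, user))
        vault.tick(45)
    client.close()
    print("users left in Snowflake:", vault.snowflake_users)
```

Two points the simulation makes visible: the old user is not dropped when the client moves on to a fresh one, only when its lease expires or is revoked, so calling close() matters; and renewing at a fixed fraction of the granted TTL rather than of default_ttl handles the shrinking renewals near max_ttl without special casing.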

»Root Credential Rotation

Since Vault is managing the database credentials on behalf of the database administrator, it needs a set of highly privileged credentials that can create and delete users in the database system. Therefore, it is very common to give Vault a set of root credentials. However, these credentials are often long-lived and never change once configured in Vault. This may violate the governance, risk, and compliance (GRC) policies surrounding the data stored in the database. Vault is able to rotate the root credentials stored for the Snowflake database connection. Once the root credential has been rotated, only Vault knows the new password.

»Next Steps

The Snowflake Secrets Engine is packaged as part of the Database Secrets Engine plugin. This plugin is available with all versions of Vault. Step-by-step instructions on how to use the secrets engine are available in the Vault documentation, and you can try it out right now with HCP Vault.
