[Docs]: Misleading example of SNOWFLAKE_PRIVATE_KEY #3332

Open
1 task
martinw-intersport opened this issue Jan 8, 2025 · 6 comments
Labels
category:migration Issues connected with migration to v1.0.0. category:provider_config docs Used to mark issues with documentation remark/questions

Comments

@martinw-intersport

Company Name

No response

Object type(s)

No response

Documentation Link

https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/docs/index.md

Description

The sections #keypair-authentication-passphrase and #order-precedence show an example that assigns SNOWFLAKE_PRIVATE_KEY a private key path, like:

export SNOWFLAKE_USER="..."
export SNOWFLAKE_PRIVATE_KEY="~/.ssh/snowflake_key.p8"
export SNOWFLAKE_PRIVATE_KEY_PASSPHRASE="..."

Instead, SNOWFLAKE_PRIVATE_KEY accepts the file content, and there's no way to pass a file path directly to the Snowflake provider.

References

No response

Would you like to implement a fix?

  • Yeah, I'll take it 😎
@martinw-intersport martinw-intersport added the docs Used to mark issues with documentation remark/questions label Jan 8, 2025
@sfc-gh-jmichalak
Collaborator

Hi @martinw-intersport 👋

You're right - the example is misleading. We will adjust this soon. You should be able to load the contents of your key file like this:

export SNOWFLAKE_PRIVATE_KEY=$(cat ~/.ssh/snowflake_key.p8)

@sfc-gh-jmichalak sfc-gh-jmichalak self-assigned this Jan 9, 2025
@sfc-gh-jmichalak sfc-gh-jmichalak added the category:migration Issues connected with migration to v1.0.0. label Jan 9, 2025
@martinw-intersport
Author

Hi @sfc-gh-jmichalak,

Thanks for your reply! I still get the following error when I set it through the env var SNOWFLAKE_PRIVATE_KEY:

  │ Error: could not retrieve private key: could not parse private key, key is not in PEM format
  │ 
  │   with provider["registry.terraform.io/snowflake-labs/snowflake"].accountadmin,
  │   on main.tf line 1, in provider "snowflake":
  │    1: provider "snowflake" {
  │ 

and when I run echo "$SNOWFLAKE_PRIVATE_KEY", it outputs the correct file content. Is that because the provider cannot load a multiline file?

@sfc-gh-jmichalak
Collaborator

Probably the key is not formatted correctly. Please take a look at similar issues: #2899 and #2432. We don't do any processing on the file, we just pass it straight to the gosnowflake driver - see #2899 (comment).

@martinw-intersport
Author

@sfc-gh-jmichalak The file is correctly formatted, at least when I use file("~/.ssh/snowflake_key.p8") it works.

But this command does not work, as I said before (does this work on your side?)

export SNOWFLAKE_PRIVATE_KEY=$(cat ~/.ssh/snowflake_key.p8)

Regarding this #2899 (comment), it can be passed through on my side when the env var is set using the above command. So it is not due to pem.Decode.

I have tried many ways, including:

  • Set the ssh key content as a one-line local variable like
    locals ssh_content = "-----BEGIN PRIVATE KEY-----\nxxx\n-----END PRIVATE KEY-----\n" to pass into schema private_key; it can be recognized by the provider.
  • But if I set the ssh key content as this one-line string and then export SNOWFLAKE_PRIVATE_KEY=$(cat ~/.ssh/snowflake_key.p8), it doesn't work
  • Directly export SNOWFLAKE_PRIVATE_KEY="ssh oneline string": it works
  • Wrap the ssh key content with <<EOT and EOT, then export SNOWFLAKE_PRIVATE_KEY=$(cat ~/.ssh/snowflake_key.p8): it works

It seems there was an issue transferring the content from the SSH file to the environment variables. So your commit c7e463d about SNOWFLAKE_PRIVATE_KEY might still not work for others.

It would be good to be able to set private_key_file as a file path, like the Snowflake CLI, so that we don't have to struggle with a multiline string parameter. I know gosnowflake hasn't implemented it, but the Snowflake provider can accept a file path and load the content by itself to pass to Config.PrivateKey.

@sfc-gh-jmichalak
Collaborator

I checked again, and it is working on my side. I checked multiple ways:

  • key embedded in main.tf
  • key sourced from a file with file() function
  • key set like
export SNOWFLAKE_PRIVATE_KEY="-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDAr1xap9HA6Anx
...
qXcroyYiKfMLzlt+WYqk4qs5
-----END PRIVATE KEY-----"
  • key set like
export SNOWFLAKE_PRIVATE_KEY=$(cat ~/.ssh/key.p8)

Note that I did not process the key/file in any way. It is a multiline key. To convert a singleline key to a multiline key, you can change encoded new lines \n to line breaks like sed 's/\\n/\'$'\n/g'.

Regarding a separate field - actually, we had private_key_path before, but it was deprecated in favor of using private_key with TF or shell capabilities, and it was removed in v1.

@martinw-intersport
Author

martinw-intersport commented Jan 16, 2025

Hi @sfc-gh-jmichalak,

I found the reason behind it. I use the command openssl genrsa 2048 | openssl pkcs8 -topk8 -inform PEM -out rsa_key.p8 -nocrypt from Snowflake to generate the private key. The private key has an empty line at the end; after I remove that line, export SNOWFLAKE_PRIVATE_KEY=$(cat ~/.ssh/key.p8) works. (I'm not an expert in bash and don't know how to solve it with sed.)

Just to clarify the background we have: in our team we want to find a one-stop solution (like everything set in a .env, tfvar or toml file) so that each member can set up their own different Snowflake connection in the provider. So hard-coding like the following does not work and is not safe.

  • key embedded in main.tf
  • key sourced from a file with file() function

And we want the private_key_passphrase to be asked for and entered from the terminal instead of being saved in a file (just leave the variable unset).

Also, this statement in the README file

Not all fields must be configured in one source; users can choose which fields are configured in which source.
is not correct: when I set private_key content in toml and the passphrase as a terraform variable, these two fields need to be set in one place.

So as I said before, there's no solution in our mind to set all of the Snowflake connection in one stop without having private_key_path now.
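
A pre-flight shape check for the value forms discussed in this thread (multi-line PEM, one-line string with literal \n, CRLF or empty lines), as an added example that is not part of the original thread or of the provider's code. The function names pem_shape and pem_normalize and the sample values are constructed for illustration; the check looks at shape only, does not parse the key, and prints a verdict rather than the key material.

```shell
# pem_shape VALUE: print one word for the first problem found, or "ok".
# Runs in a subshell so the key is not left behind in shell variables.
pem_shape() (
  v=$1
  nl='
'
  cr=$(printf '\r')
  case $v in
    *'\n'*)            r=escaped-newlines ;;  # literal backslash-n, no real line breaks
    *"$cr"*)           r=carriage-returns ;;  # file saved with CRLF line endings
    *"$nl$nl"*|*"$nl") r=blank-line ;;        # empty line inside or at the end
    '-----BEGIN '*"-----$nl"*"$nl-----END "*'-----') r=ok ;;
    *)                 r=missing-armor ;;     # no BEGIN/END lines around the body
  esac
  echo "$r"
)

# pem_normalize VALUE: print VALUE with literal \n turned into line breaks,
# carriage returns removed and empty lines dropped. The value travels through
# pipes only, never through the argument list of an external command.
pem_normalize() {
  printf '%s\n' "$1" | sed -e 's/\\n/\
/g' | tr -d '\r' | sed -e '/^[[:space:]]*$/d'
}

# Constructed samples: armor lines around a placeholder body, not a real key.
sample='-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQtU0FNUExF
-----END PRIVATE KEY-----'
one_line='-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQtU0FNUExF\n-----END PRIVATE KEY-----\n'

pem_shape "$sample"
pem_shape "$one_line"
pem_shape "$(pem_normalize "$one_line")"

# With the variable from this thread:
#   SNOWFLAKE_PRIVATE_KEY=$(pem_normalize "$(cat ~/.ssh/snowflake_key.p8)")
#   pem_shape "$SNOWFLAKE_PRIVATE_KEY"
```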
