Skip to content

add MFA authentication support to snowflake integration #2305

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

add MFA authentication support to snowflake integration #2305

wants to merge 1 commit into from

Conversation

ChinmayBansal
Copy link
Contributor

Related Issues

Proposed Changes:

This PR implements multi-factor authentication (MFA) support for the Snowflake
integration to address Snowflake's enhanced security requirements that mandate
MFA for connections. The implementation adds non-interactive authentication
methods while maintaining full backward compatibility.

Key Features Added:

  • Key-pair JWT Authentication (SNOWFLAKE_JWT) that supports:
    • Pre-configured private key file paths via private_key_file parameter
    • Private key passphrases via private_key_file_pwd parameter
    • JWT-based authentication without user interaction prompts
  • OAuth 2.0 Authentication (OAUTH) supporting:
    • Client Credentials flow with oauth_client_id and oauth_client_secret
    • Configurable token request URLs via oauth_token_request_url
    • Authorization URLs via oauth_authorization_url for future extensibility
  • Enhanced Security Features:
    • Credential masking in URI logging via _create_masked_uri() method
    • Secure handling of all sensitive data using Haystack's Secret class
    • Comprehensive parameter validation with clear error messages
  • Non-interactive Design: All authentication credentials sourced from
    environment variables, eliminating user prompts as specifically requested
  • Backward Compatibility: Existing password-based authentication (SNOWFLAKE)
    remains unchanged with no breaking changes

How did you test it?

  • Unit Tests: Added comprehensive test suite with 11 new test cases (36 total
    tests passing)
    • Code Quality: hatch run fmt and hatch run test:types both pass
    • Security Testing: Verified credential masking in logs
    • Manual verification: Tested all authentication methods and parameter
      validation

Notes for the reviewer

  • The core authentication logic is in _snowflake_uri_constructor() method
    (lines ~257-301)
    • Parameter validation logic is centralized in _validate_auth_params() method
      (lines ~152-185)
    • Security enhancement via _create_masked_uri() method (lines ~303-329) ensures
      sensitive data never appears in logs
    • The implementation specifically addresses the "no user authentication
      prompts" requirement

Checklist

@ChinmayBansal ChinmayBansal requested a review from a team as a code owner September 23, 2025 17:48
@ChinmayBansal ChinmayBansal requested review from sjrl and removed request for a team September 23, 2025 17:48
@github-actions github-actions bot added integration:snowflake type:documentation Improvements or additions to documentation labels Sep 23, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sjrl sjrl Awaiting requested review from sjrl sjrl is a code owner automatically assigned from deepset-ai/open-source-engineering

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
integration:snowflake type:documentation Improvements or additions to documentation
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

update: update Snowflake integration to support MFA
1 participant
@ChinmayBansal