-
Notifications
You must be signed in to change notification settings - Fork 133
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SNOW-975540: Conflict between the project and Snowflake driver Google SDKs with ADC (Application Default Credentials) #705
Comments
hi and thank you for submitting this issue - also especially for the detailed reproduction scenario ! Managed to reproduce the same issue, so we'll take a look how the driver could handle this situation better. This issue will be updated with the progress. As a workaround, unsetting the envvar inside the process' context with something like if (process.env.GOOGLE_APPLICATION_CREDENTIALS) {
delete process.env.GOOGLE_APPLICATION_CREDENTIALS;
} worked for me during the reproduction; maybe it's not so simple in a 'live' environment but perhaps helps. Anyways we're taking a look. |
The google credentials may be also read from the configuration file |
as mentioned in the support case: there might be several workarounds; one of which is unsetting the envvar perhaps inside a wrapper which is around the I'll keep this issue posted with the new information as the investigation / fix effort progresses. Thank you for bearing with us ! |
Just sharing here for the record, this obviously is also taking into account google metadata server auth as a third way of authentication for google libraries using ADC. |
Any estimate of when this might be fixed? Thanks |
unfortunately no ETTR available at the moment of writing, but will keep this thread posted. |
thank you for your patience on the matter ! PR #754 is ready for review and it seems to work in our internal tests. However since we probably don't have the exact environment and settings as you have, if it would be possible, i think it might be a good idea to check out the fix branch https://github.com/snowflakedb/snowflake-connector-nodejs/tree/gcpoperationerror and see if it resolves the error for you too . Let us know please if you had a chance to test and whether it helped. |
hey @pharturs @naira-petrosyan-m thank you for taking the time to test the fix proposal, and also for the comments on the PR, really appreciated ! As a summary, there are three different auths,
and we only considered the first authentication, which was resolved with the PR. According to the dev team investigation, the Google storage library ignored the storage client created by the connector if there are prioritized auth methods on the machine. This is to say that the reason why you faced the result not found error is that the Google storage library sent the query request not to the GCP on the Snowflake server, but to the GCP server of which the credential was saved on your machine. At this point, it would be really useful for us to have the reproduction steps for the second and the third part. It seems like there are many ways to use the config file etc) save the config data in the package.json or using config modules, and at this point it's not sure how you use the Google meta server. Do you think it would be possible to provide us with steps/setup for reproducing the remaining issue? |
@sfc-gh-dszmolka we have created a small script that could help to reproduce both issues we have found in the fix. Here is a link to the package https://github.com/naira-petrosyan-m/snowflake-issue. Please follow the readme for reproducing 2 issues with different setups. Thank you. |
excellent, thank you so much !! really appreciated. we'll take a look. |
Hello, I can see there is some progress being made on this, I wondered is it possible yet to estimate how soon it might be resolved, even roughly? Many Thanks |
hi - indeed we're actively working on this; you can follow the above PR for the current progress. Can't really estimate how much long it takes, unfortunately there are multiple moving parts. Thank you for bearing with us ! |
I see the PR has been now merged, so the fix will now be released with the next upcoming driver version in the coming days. Thank you very much again for your contribution ! |
fix released with snowflake-sdk 1.10.0, closing this issue |
For anyone experiencing this problem in some of the cases they didn't address yet, this may help you: Snowflake-sdk patch to fix #705 when using application_default_credentials.json |
Since version 1.6.21 Snowflake SDK (NodeJS) is using google-sdk/storage to upload files to GCS when using PUT command.
This works correctly unless the Snowflake SDK is invoked from an environment where google-sdk/storage is already in use and is authenticated using GOOGLE_APPLICATION_CREDENTIALS environment variable.
These credentials take priority over the GCS_ACCESS_TOKEN kept in my Snowflake account. So when the SDK tries to upload file, it will attempt uploading to the incorrect storage.
This must be affecting all the customers using GCP as their provider.
To reproduce:
Observe an error where the PUT command will fail since it's got no rights to upload to the private GCP account. Something like following:
"Unable to upload file. Error: Error: [email protected] does not have storage.objects.get access to the Google Cloud Storage object. Permission 'storage.objects.get' denied on resource (or it may not exist)"
The text was updated successfully, but these errors were encountered: