-
Notifications
You must be signed in to change notification settings - Fork 478
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SNOW-676645: Add connector support for keypair authentication using hardware security modules or cloud key managers #1276
Comments
@arsatiki any update on this? I see that in the current codebase, authentication is locked down to an internal set of classes so this |
In the Java JDBC driver, there's a similar issue. There's a pull request open for that issue, with a very similar interface: /** Interface for customer signer implementations for key pair authentication. */
public interface PrivateKeySigner {
/**
* Returns a signature for the given input.
*
* <p>The signature must be compatible with the "RS256" JWT signing algorithm, a.k.a.
* "RSASSA-PKCS1-v1_5 using SHA-256"
*/
byte[] sign(byte[] input);
/** Returns the public key associated with the private key used by the sign() method. */
PublicKey publicKey();
} @arsatiki perhaps using the term |
Hello! Unfortunately I've been doing network and security related stuff for the past few months and haven't had time to do the necessary clean up. But if you are interested in the code I can publish the work-in-progress code |
Please do @arsatiki – I should be able to clean it up and finish it. |
An alternative interface would be to allow specifying an external program to be responsible for providing the JWT token. This would also enable the use of HSM- or cloud-based key managers for the SnowSQL CLI. |
Thanks @malthe for posting a sample implementation for Azure. It helped me implement similar approach for AWS KMS. I am posting my example here in case if it helps anyone.
|
What is the current behavior?
Current Snowflake keypair authentication requires that the user has the private key in their possession as a file. However, Hardware Security Modules (e.g. Smartcards, Yubikeys, …) and Cloud Key Managers do not expose the private key to the user. Instead, they provide cryptographic operations as API functionality. I can, for example, ask the HSM to sign a certain string using the private key.
What is the desired behavior?
I would like to be able to use any cryptographic device or service capable of RSA-signatures for keypair authentication. More specifically, I want an interface against which I can implement my custom signing flow.
How would this improve
snowflake-connector-python
?It would provide more options for secure logins. In our case, we would use Azure Key Vault to store keys and allow services with Managed Identity to read those keys. This lets our service accounts log in without exposing passwords or private keys at any phase.
References, Other Background
As a proof of concept, I have implemented a version of keypair authentication that abstracts signing and public key operations into a separate class. An instance of this class can be provided to the Snowflake connector to sign the token.
Here's an example. I will provide a full pull request soon.
Please note that this approach would not add new dependencies into the connector. The user of the connector library is responsible for providing the class, customized to their particular usecase.
The text was updated successfully, but these errors were encountered: