Connection Caching For External Browser Auth #1700

Open
DustinMoriarty opened this issue Apr 10, 2023 · 11 comments
Labels
category:provider_config feature-request Used to mark issues with provider's missing functionalities

Comments

@DustinMoriarty
Copy link

Is your feature request related to a problem? Please describe.

While using the snowflake provider with externalbrowser authentication, hundreds of tabs are opened in the browser as it re-authenticates for every resource. This makes the provider very hard to use with externalbrowser authentication.

Describe the solution you'd like

Connection caching is now supported by gosnowflake. snowflakedb/gosnowflake#486
We need to determine what additional work is needed to get it to work with terraform.

Describe alternatives you've considered

The alternative is to either accept very slow performance and the provider taking over my browser for the entire time of an apply due to opening many tabs or to use another form of authorization. For companies where SSO or MFA is required for human users, using other authorization is not an option.

Additional context

Terraform Version: 1.4.1
Provider Version: 0.61.0
OS Version: MacOS 13.3

@DustinMoriarty DustinMoriarty added the feature-request Used to mark issues with provider's missing functionalities label Apr 10, 2023
@kallangerard
Copy link

+1 to this. Human users should definitely not be using Private Keys and Passwords, so without Terraform Cloud there's no compliant way to perform operations from local.

@fh-dustin-winslow
Copy link

+1 I'm having the same issue, our team is having to do all operations via CI - can't do anything from local without connection caching.

@DustinMoriarty
Copy link
Author

@kallangerard and @fh-dustin-winslow : thank you for the bump. The best way to get priority for these tickets is to raise a support ticket within snowflake. Of course submitting a PR is even better. However, my Go skills are pretty basic so I have yet to contribute to this repo.

@jcourteau
Copy link

@DustinMoriarty I took a stab at this here - #1913. I'm actually not sure why this wasn't auto-enabled on non-Linux platforms, my read of the code is that it should have worked but clearly it didn't.

Note that you need to explicitly enable ID token support on the Snowflake account, using ACCOUNTADMINISTRATOR.

@DustinMoriarty
Copy link
Author

@jcourteau : Fantastic! Thanks for taking this on!

@thomas-tomlinson
Copy link

We've been banging our heads against this for a while too and I finally found the real cause. It appears the Go compile method used to produce the darwin OS builds lacks the keychain bits needed. It's due to the way the keyring project (github.com/99designs/keyring) builds in what I'm assuming is either a cross-compile or Docker-based image that lacks the necessary keychain includes. Since that is not present in the resulting binaries, the keyring falls back to the file-based method, which generates error messages like these in the debug logging of a terraform run (I did this by setting the debug log level for the underlying Go Snowflake driver):

2024-01-30T16:16:19.395-0700 [DEBUG] provider.terraform-provider-snowflake_v0.84.1: time="2024-01-30T16:16:19-07:00" level=debug msg="Failed to find the item in keychain or item does not exist. Error: No directory provided for file keyring" func="gosnowflake.(*defaultLogger).Debugf" file="log.go:148"
2024-01-30T16:16:22.153-0700 [DEBUG] provider.terraform-provider-snowflake_v0.84.1: time="2024-01-30T16:16:22-07:00" level=debug msg="Failed to write to keychain. Err: No directory provided for file keyring" func="gosnowflake.(*defaultLogger).Debugf" file="log.go:148" 

That's what led me to the keyring package, as those error messages are only found in its file-based implementation.

I compiled the latest tag, 0.84.1, on my Mac with Xcode and, lo and behold, my ExternalBrowser auth prompted me for keychain access to make an entry and properly used that value for what would normally have opened about 35 browser auth tabs.

From this issue on the keyring project (99designs/keyring#78), this repo probably isn't the only one experiencing this issue. We either need to compile the darwin builds on a real OS X host, or get the cross-compile options to work correctly and support the keychain bits.
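A practitioner who wants to confirm the diagnosis above before rebuilding can scan the provider's debug output for the file-backend error text. The following Go program is an added example, not code from this thread, from the provider or from gosnowflake: it extracts the msg field from gosnowflake-style debug records and flags every keychain read or write that failed with the "No directory provided for file keyring" message quoted above. The first two sample lines are copied from the comment; the third is a constructed, hypothetical line included only so the detector has a non-matching record to ignore.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Debug log input. The first two lines are copied from the comment above; the
// third is a constructed, hypothetical line added so the detector has a
// non-matching record to ignore.
const sampleLog = `2024-01-30T16:16:19.395-0700 [DEBUG] provider.terraform-provider-snowflake_v0.84.1: time="2024-01-30T16:16:19-07:00" level=debug msg="Failed to find the item in keychain or item does not exist. Error: No directory provided for file keyring" func="gosnowflake.(*defaultLogger).Debugf" file="log.go:148"
2024-01-30T16:16:22.153-0700 [DEBUG] provider.terraform-provider-snowflake_v0.84.1: time="2024-01-30T16:16:22-07:00" level=debug msg="Failed to write to keychain. Err: No directory provided for file keyring" func="gosnowflake.(*defaultLogger).Debugf" file="log.go:148"
2024-01-30T16:16:23.001-0700 [DEBUG] provider.terraform-provider-snowflake_v0.84.1: time="2024-01-30T16:16:23-07:00" level=debug msg="constructed unrelated debug line" func="example.hypothetical" file="example.go:1"`

// fileFallbackMarker is the error text quoted in the comment above. It comes
// from the keyring file backend, so seeing it inside a "keychain" message means
// the OS keychain backend was unavailable and the token cache silently degraded.
const fileFallbackMarker = "No directory provided for file keyring"

// msgRe pulls the quoted msg="..." field out of a gosnowflake debug record.
var msgRe = regexp.MustCompile(`msg="([^"]*)"`)

// Finding records one log line that shows the keyring fallback.
type Finding struct {
	Line int    // 1-based line number within the input
	Msg  string // the extracted msg field
}

// FindKeyringFallback scans provider debug output and returns every record whose
// msg field carries the file-backend error, i.e. every failed keychain
// read/write that will force a fresh browser authentication.
func FindKeyringFallback(log string) []Finding {
	var findings []Finding
	for i, line := range strings.Split(log, "\n") {
		m := msgRe.FindStringSubmatch(line)
		if m == nil {
			continue // not a gosnowflake-style record
		}
		if strings.Contains(m[1], fileFallbackMarker) {
			findings = append(findings, Finding{Line: i + 1, Msg: m[1]})
		}
	}
	return findings
}

// CacheDegraded reports whether the log shows the ID token cache is not working.
func CacheDegraded(log string) bool {
	return len(FindKeyringFallback(log)) > 0
}

func main() {
	for _, f := range FindKeyringFallback(sampleLog) {
		fmt.Printf("line %d: %s\n", f.Line, f.Msg)
	}
	if CacheDegraded(sampleLog) {
		fmt.Println("ID token cache degraded: keyring fell back to the file backend; expect a browser tab per connection")
	}
}
```

Feed it the output of a debug-level terraform run (TF_LOG=DEBUG) from the binary you are about to trust; if it reports findings, the build you are running does not have a working keychain backend, whatever the release notes say.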

@sadahry
Copy link

sadahry commented Mar 19, 2024

Probably due to this fix (#2613), this issue has been resolved as of version 0.87.3-pre!

related: #2047 (comment)

@sfc-gh-asawicki
Copy link
Collaborator

Hey @DustinMoriarty, @kallangerard, @fh-dustin-winslow, @jcourteau, @thomas-tomlinson. Could you please verify and confirm that a prerelease version 0.87.3-pre works for you? I want to release this patch as part of the 0.88.0 version officially, but first, I want to confirm that it works for various systems, so please add the OS version used.

@thomas-tomlinson
Copy link

Thanks @sfc-gh-asawicki for the update. I've asked one of my former workers (@jamesye9) to give this a test run.

@jamesye9
Copy link

jamesye9 commented Mar 22, 2024

@thomas-tomlinson @sfc-gh-asawicki I can confirm version 0.87.3-pre works! It asked once for approval to write to the keychain and logged in to Snowflake through the browser, and after that no new browser tab opened!

@DustinMoriarty
Copy link
Author

I tested this in 0.88.0. It appears to be resolved. Thank you @sfc-gh-swinkler ! This is fantastic!
