Announcing the Snowflake Secrets Engine
The new Snowflake database secrets engine for Vault supports static and dynamic roles as well as root credential rotation.
As part of our recent release of Vault 1.7 and the general availability launch of HCP Vault, we are excited to announce the Snowflake Secrets Engine for self-managed HashiCorp Vault and HCP Vault. The secrets engine is packaged as part of the general database secrets engine and supports root credential rotation as well as dynamic and static roles (these are Vault roles, not to be confused with Snowflake roles such as accountadmin).
» What is Vault?
HashiCorp Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, or certificates. Vault provides a unified interface to any secret while providing tight access control and recording a detailed audit log.
With the HashiCorp Cloud Platform (HCP) Vault managed service, organizations can get up and running quickly, providing immediate access to Vault’s best-in-class secrets management and encryption capabilities while also offloading resilience and operational management concerns to HashiCorp.
» What Are Dynamic Secrets? Why Use Them?
Today most organizations utilize static secrets. These are defined ahead of time and shared between many clients and can be long-lived. A dynamic secret is generated on demand and is unique to a client. Vault associates each dynamic secret with a lease and automatically destroys the credentials when the lease expires. By leveraging just-in-time ephemeral credentials, organizations are able to dramatically reduce the blast radius in case of credential leakage. Vault takes over the operational burden of managing credential lifecycle by renewing or revoking credentials as needed.
» What is Snowflake?
Snowflake delivers the Data Cloud, a global network where thousands of organizations mobilize data with near-unlimited scale, concurrency, and performance. Inside the Data Cloud, organizations unite their siloed data, easily discover and securely share governed data, and execute diverse analytic workloads. Wherever data or users live, Snowflake delivers a single and seamless experience across multiple public clouds. Snowflake’s platform is the engine that powers and provides access to the Data Cloud, creating a solution for data warehousing, data lakes, data engineering, data science, data application development, and data sharing. Join Snowflake customers, partners, and data providers already taking their businesses to new frontiers in the Data Cloud.
With HCP Vault being generally available, Snowflake customers can take advantage of a managed service offering that aligns with the deployment model they are used to.
» The Snowflake Database Secrets Engine
As mentioned, the database secrets engine supports static and dynamic roles as well as root credential rotation. For both static and dynamic roles, the Snowflake secrets engine honors a password policy configured on the database connection, so the passwords Vault generates meet an organization's password requirements rather than Vault's default format.
» Example Snowflake Use Cases
While many Snowflake customers may have single sign-on (SSO) set up for end users, they may still have some passwords to manage in Snowflake. This plugin can manage the lifecycle and access to those passwords with HashiCorp Vault.
Root accountadmin user: Customers will want at least one user with the accountadmin role in Snowflake that can authenticate with a username and password. This break-glass user is required to recover from SSO problems. Since it holds the highest level of access in the account, its password needs to be protected. Vault can manage that password as a static role and rotate it on demand or at regular intervals.
Service user accounts: Snowflake customers may have ETL and other automation tools that connect to Snowflake with a service account user. If those tools support only username and password authentication, Vault can generate dynamic, short-lived credentials for them in place of a shared, long-lived service password.
» Setup
Enable the database secrets engine, then configure a Snowflake connection that uses the snowflake-database-plugin. Note: a properly formatted data source name (DSN) must be provided as the connection URL (e.g. {{username}}:{{password}}@account/db_name); Vault substitutes the connection's own username and password into the template. The connection name (my-snowflake-database below) is what the roles refer to via db_name, and allowed_roles must list every role that is permitted to use this connection.
$ vault secrets enable database
$ vault write database/config/my-snowflake-database \
    plugin_name=snowflake-database-plugin \
    allowed_roles="my-static-role,my-dynamic-role" \
    connection_url="{{username}}:{{password}}@ecxxxx.west-us-1.azure/db_name" \
    username="vaultuser" \
    password="vaultpass"
» Static Roles
Static roles are a 1-to-1 mapping of a Vault role to an existing username in Snowflake. Vault stores the current password for that user and rotates it automatically on a configurable period; reading the static-creds endpoint returns the current password together with the time remaining until the next rotation (the ttl field below).
$ vault write database/static-roles/my-static-role \
    db_name="my-snowflake-database" \
    username="my-existing-snowflake-user" \
    rotation_period=5m
$ vault read database/static-creds/my-static-role
Key                    Value
---                    -----
last_vault_rotation    2020-08-07T16:50:48.393354+01:00
password               Z4-KH8F-VK5VJc0hSkXQ
rotation_period        5m
ttl                    4m39s
username               my-existing-snowflake-user
» Dynamic Roles
For dynamic roles, operators create a role in Vault whose creation statements grant a Snowflake role. When a credential request comes in from a client, Vault runs those statements to create a unique username and password pair in Snowflake, associated with the corresponding Snowflake role, and returns the credentials to the client together with a lease. Once the lease expires or is revoked, Vault automatically drops the user from Snowflake.
$ vault write database/roles/my-dynamic-role \
    db_name=my-snowflake-database \
    creation_statements="CREATE USER {{name}}
        PASSWORD = '{{password}}'
        DEFAULT_ROLE=myrole;
        GRANT ROLE myrole TO USER {{name}};" \
    default_ttl=1m max_ttl=24h
$ vault read database/creds/my-dynamic-role
Key                Value
---                -----
lease_id           database/creds/my-dynamic-role/wiLNQjtcvCOT1VnN3qnUJnBz
lease_duration     24h
lease_renewable    true
password           mhyM-Gs7IpmOPnSqXEDe
username           v-root-my-dynamic-role-eXnVr4gm55dpM1EVgTYz-1596815027
» Root Credential Rotation
Because Vault manages database users on behalf of the database administrator, it needs its own highly privileged credential that can create and drop users in Snowflake, so it is common to hand Vault a set of root credentials (the username and password given in the connection configuration above). Those credentials are often long-lived and never change once configured, which may violate the governance, risk, and compliance (GRC) policies surrounding the data stored in the database. Vault can rotate the root credentials it holds for the Snowflake connection through the database/rotate-root endpoint for that connection; once rotated, only Vault knows the new password. For that reason the user Vault rotates should be dedicated to Vault rather than the break-glass accountadmin user described above, so that an outage of Vault cannot also lock administrators out of Snowflake.
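The client side of the dynamic-role flow described above, plus the root-rotation call, as an added example that is not part of the original post and not HashiCorp's or Snowflake's code. It talks to Vault's HTTP API with the standard library only and assumes a reachable Vault (VAULT_ADDR and VAULT_TOKEN in the environment), the database engine mounted at "database/", and the "my-dynamic-role" role and "my-snowflake-database" connection configured earlier in the post; the embedded sample response is constructed from the values shown above and is not a live lease.

```python
"""Client-side lifecycle of a Vault-issued dynamic Snowflake credential.

Added example (not HashiCorp's or Snowflake's code). Assumes VAULT_ADDR and
VAULT_TOKEN are set, the database engine is mounted at "database/", and the
"my-dynamic-role" role and "my-snowflake-database" connection exist.
"""
import json
import os
import urllib.request
from contextlib import contextmanager


def parse_creds(resp):
    """Extract what a client needs from a GET /v1/database/creds/<role> body.

    Anything that is not a credential payload (an error body, an empty
    response) is rejected so it can never be used as a login.
    """
    data = resp.get("data") or {}
    if "username" not in data or "password" not in data:
        raise ValueError("not a credential response; keys: %s" % sorted(resp))
    return {
        "lease_id": resp["lease_id"],
        "lease_duration": int(resp["lease_duration"]),  # seconds
        "renewable": bool(resp.get("renewable", False)),
        "username": data["username"],
        "password": data["password"],
    }


def renew_deadline(lease_duration, fraction=0.5):
    """Seconds after issue at which a long-running job should renew its lease.

    Renewing at half the TTL leaves headroom for a retry before Vault revokes
    the lease and drops the Snowflake user out from under the job.
    """
    if lease_duration <= 0:
        raise ValueError("lease_duration must be positive")
    return int(lease_duration * fraction)


class VaultClient:
    """Minimal token-authenticated client for the calls this flow needs."""

    def __init__(self, addr=None, token=None):
        self.addr = (addr or os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")).rstrip("/")
        self.token = token or os.environ.get("VAULT_TOKEN")
        if not self.token:
            raise RuntimeError("VAULT_TOKEN is not set")

    def _call(self, method, path, body=None):
        payload = None if body is None else json.dumps(body).encode()
        req = urllib.request.Request(
            f"{self.addr}/v1/{path}", data=payload, method=method,
            headers={"X-Vault-Token": self.token, "Content-Type": "application/json"},
        )
        with urllib.request.urlopen(req, timeout=10) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}

    def dynamic_creds(self, role):
        # Every call creates a fresh Snowflake user bound to a new lease.
        return parse_creds(self._call("GET", f"database/creds/{role}"))

    def renew_lease(self, lease_id, increment=None):
        body = {"lease_id": lease_id}
        if increment is not None:
            body["increment"] = increment
        return self._call("PUT", "sys/leases/renew", body)

    def revoke_lease(self, lease_id):
        # Early revocation makes Vault run the revocation statements (DROP USER)
        # now instead of waiting for the lease to expire.
        self._call("PUT", "sys/leases/revoke", {"lease_id": lease_id})

    def rotate_root(self, connection):
        # Rotates the connection's own (root) password; afterwards only Vault knows it.
        self._call("POST", f"database/rotate-root/{connection}")


@contextmanager
def ephemeral_creds(client, role):
    """Hand out a dynamic credential and revoke it as soon as the caller is done."""
    creds = client.dynamic_creds(role)
    try:
        yield creds
    finally:
        client.revoke_lease(creds["lease_id"])


# Constructed sample matching the shape and values shown in the post; not a live lease.
SAMPLE_CREDS_RESPONSE = {
    "lease_id": "database/creds/my-dynamic-role/wiLNQjtcvCOT1VnN3qnUJnBz",
    "lease_duration": 86400,
    "renewable": True,
    "data": {
        "username": "v-root-my-dynamic-role-eXnVr4gm55dpM1EVgTYz-1596815027",
        "password": "mhyM-Gs7IpmOPnSqXEDe",
    },
}

if __name__ == "__main__":
    client = VaultClient()
    with ephemeral_creds(client, "my-dynamic-role") as creds:
        # A real job would open its Snowflake session with creds["username"] /
        # creds["password"] here; the user is dropped when this block exits.
        print(creds["username"], "renew after", renew_deadline(creds["lease_duration"]), "s")
    if os.environ.get("ROTATE_ROOT") == "1":  # opt-in: rotates the connection's root password
        client.rotate_root("my-snowflake-database")
```

The context manager is the point of the example: a job that revokes its lease on exit leaves no Snowflake user behind for the remaining 24 hours of the lease shown above, and a job that runs longer than the TTL renews at the deadline rather than discovering a dropped user mid-query. Root rotation is opt-in because it changes the password of the user named in the connection configuration for everyone, which is exactly why that user should belong to Vault alone.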
» Next Steps
The Snowflake Secrets Engine is packaged as part of the Database Secrets Engine plugin and ships with every edition of Vault from 1.7 onward, self-managed and HCP Vault alike. Step-by-step instructions on how to use the secrets engine are available in the Vault documentation, and you can try it out right now with HCP Vault.