diff --git a/content/vault/v1.16.x/content/api-docs/secret/databases/snowflake.mdx b/content/vault/v1.16.x/content/api-docs/secret/databases/snowflake.mdx index 9421dd6c03..0783672d4f 100644 --- a/content/vault/v1.16.x/content/api-docs/secret/databases/snowflake.mdx +++ b/content/vault/v1.16.x/content/api-docs/secret/databases/snowflake.mdx @@ -43,8 +43,12 @@ has a number of parameters to further configure a connection. - `connection_url` `(string: )` - Specifies the Snowflake DSN. This field can be templated and supports passing the username and password - parameters in the following format `{{field_name}}`. A templated connection URL is - required when using root credential rotation. + parameters in the format `{{field_name}}` when you use password authentication. + If you use root credential rotation for passwords, you must provide a templated + connection URL. Refer to the + [Snowflake secrets engine docs](/vault/docs/secrets/databases/snowflake#setup) + for more information on the connection URL format requirements for different + authentication methods. - `max_open_connections` `(int: 4)` - Specifies the maximum number of open connections to the database. diff --git a/content/vault/v1.16.x/content/docs/secrets/databases/snowflake.mdx b/content/vault/v1.16.x/content/docs/secrets/databases/snowflake.mdx index 7922307a82..d086de6a3e 100644 --- a/content/vault/v1.16.x/content/docs/secrets/databases/snowflake.mdx +++ b/content/vault/v1.16.x/content/docs/secrets/databases/snowflake.mdx @@ -11,8 +11,8 @@ description: |- Snowflake is disabling password authentication for all users in  - November of 2025. -  HashiCorp is working to support key pair authentication in place of passwords. + November of 2025. +  HashiCorp has added support for key pair authentication in place of passwords. Snowflake is one of the supported plugins for the database secrets engine. This plugin 
@@ -29,7 +29,7 @@ The Snowflake database secrets engine uses | Plugin Name | Root Credential Rotation | Dynamic Roles | Static Roles | Username Customization | Credential Types | | --------------------------- | ------------------------ | ------------- | ------------ | ---------------------- |---------------------------| -| `snowflake-database-plugin` | Yes | Yes | Yes | Yes (1.8+) | password(deprecated), rsa_private_key | +| `snowflake-database-plugin` | Password-only | Yes | Yes | Yes (1.8+) | password(deprecated), rsa_private_key | ## Setup @@ -43,7 +43,7 @@ The Snowflake database secrets engine uses By default, the secrets engine will enable at the name of the engine. To enable the secrets engine at a different path, use the `-path` argument. -1. Configure Vault with the proper plugin and connection information: +1. Configure Vault with userpass authentication: ```shell-session $ vault write database/config/my-snowflake-database \ 
@@ -71,9 +71,41 @@ The Snowflake database secrets engine uses `db_name` is the name of a database in your Snowflake instance. - ~> **Note:** The user being utilized should have `ACCOUNT_ADMIN` privileges, and should be different - from the root user you were provided when making your Snowflake account. This allows you to rotate - the root credentials and still be able to access your account. +1. Configure Vault with keypair authentication. Do not provide templated or + hard-coded username or password information in the connection URL if you use + key-pair authentication. The Snowflake plugin appropriately constructs the + full DSN using the provided `username` and `private_key` to authenticate to + Snowflake: + + ```shell-session + $ vault write database/config/my-snowflake-database \ + plugin_name=snowflake-database-plugin \ + allowed_roles="my-role" \ + connection_url=".snowflakecomputing.com/" \ + username="vaultuser" \ + private_key=@key.pem + ``` + + The connection URL must include the following parameters in addition to any + optional query parameters: + + - `account` - your Snowflake account identifier. Refer to the + [`server` section](https://docs.snowflake.com/en/user-guide/odbc-parameters.html#connection-parameters) + of the connection parameters for Snowflake ODBC configuration details. + + - `db_name` the name of a database in your Snowflake instance. + + For example: + + ```text + ecxxxx.west-us-1.azure.snowflakecomputing.com/my_app_data + ``` + + +You must provide Vault with a Snowflake user that has `ACCOUNT_ADMIN` privileges. We +strongly recommend using a unique user account for Vault access so Vault can +rotate the associated root credentials without disrupting the account associated +with your Snowflake account or other Snowflake users on the account. ## Usage 
diff --git a/content/vault/v1.17.x/content/api-docs/secret/databases/snowflake.mdx b/content/vault/v1.17.x/content/api-docs/secret/databases/snowflake.mdx index 9421dd6c03..0783672d4f 100644 --- a/content/vault/v1.17.x/content/api-docs/secret/databases/snowflake.mdx +++ b/content/vault/v1.17.x/content/api-docs/secret/databases/snowflake.mdx @@ -43,8 +43,12 @@ has a number of parameters to further configure a connection. - `connection_url` `(string: )` - Specifies the Snowflake DSN. This field can be templated and supports passing the username and password - parameters in the following format `{{field_name}}`. A templated connection URL is - required when using root credential rotation. + parameters in the format `{{field_name}}` when you use password authentication. + If you use root credential rotation for passwords, you must provide a templated + connection URL. Refer to the + [Snowflake secrets engine docs](/vault/docs/secrets/databases/snowflake#setup) + for more information on the connection URL format requirements for different + authentication methods. - `max_open_connections` `(int: 4)` - Specifies the maximum number of open connections to the database. diff --git a/content/vault/v1.17.x/content/docs/secrets/databases/snowflake.mdx b/content/vault/v1.17.x/content/docs/secrets/databases/snowflake.mdx index 7922307a82..01e0b7bedd 100644 --- a/content/vault/v1.17.x/content/docs/secrets/databases/snowflake.mdx +++ b/content/vault/v1.17.x/content/docs/secrets/databases/snowflake.mdx @@ -11,8 +11,8 @@ description: |- Snowflake is disabling password authentication for all users in  - November of 2025. -  HashiCorp is working to support key pair authentication in place of passwords. + November of 2025. +  HashiCorp has added support for key pair authentication in place of passwords. Snowflake is one of the supported plugins for the database secrets engine. This plugin 
@@ -29,7 +29,7 @@ The Snowflake database secrets engine uses | Plugin Name | Root Credential Rotation | Dynamic Roles | Static Roles | Username Customization | Credential Types | | --------------------------- | ------------------------ | ------------- | ------------ | ---------------------- |---------------------------| -| `snowflake-database-plugin` | Yes | Yes | Yes | Yes (1.8+) | password(deprecated), rsa_private_key | +| `snowflake-database-plugin` | Password-only | Yes | Yes | Yes (1.8+) | password(deprecated), rsa_private_key | ## Setup @@ -43,7 +43,7 @@ The Snowflake database secrets engine uses By default, the secrets engine will enable at the name of the engine. To enable the secrets engine at a different path, use the `-path` argument. -1. Configure Vault with the proper plugin and connection information: +1. Configure Vault with userpass authentication: ```shell-session $ vault write database/config/my-snowflake-database \ 
@@ -71,9 +71,40 @@ The Snowflake database secrets engine uses `db_name` is the name of a database in your Snowflake instance. - ~> **Note:** The user being utilized should have `ACCOUNT_ADMIN` privileges, and should be different - from the root user you were provided when making your Snowflake account. This allows you to rotate - the root credentials and still be able to access your account. +1. Configure Vault with keypair authentication. Do not provide templated or + hard-coded username or password information in the connection URL if you use + key-pair authentication. The Snowflake plugin appropriately constructs the + full DSN using the provided `username` and `private_key` to authenticate to + Snowflake: + + ```shell-session + $ vault write database/config/my-snowflake-database \ + plugin_name=snowflake-database-plugin \ + allowed_roles="my-role" \ + connection_url=".snowflakecomputing.com/" \ + username="vaultuser" \ + private_key=@key.pem + ``` + + The connection URL must include the following parameters (additional query parameters are not supported in Vault 1.17): + + - `account` - your Snowflake account identifier. Refer to the + [`server` section](https://docs.snowflake.com/en/user-guide/odbc-parameters.html#connection-parameters) + of the connection parameters for Snowflake ODBC configuration details. + + - `db_name` the name of a database in your Snowflake instance. + + For example: + + ```text + ecxxxx.west-us-1.azure.snowflakecomputing.com/my_app_data + ``` + + +You must provide Vault with a Snowflake user that has `ACCOUNT_ADMIN` privileges. We +strongly recommend using a unique user account for Vault access so Vault can +rotate the associated root credentials without disrupting the account associated +with your Snowflake account or other Snowflake users on the account. ## Usage 
diff --git a/content/vault/v1.18.x/content/api-docs/secret/databases/snowflake.mdx b/content/vault/v1.18.x/content/api-docs/secret/databases/snowflake.mdx index 9421dd6c03..0783672d4f 100644 --- a/content/vault/v1.18.x/content/api-docs/secret/databases/snowflake.mdx +++ b/content/vault/v1.18.x/content/api-docs/secret/databases/snowflake.mdx @@ -43,8 +43,12 @@ has a number of parameters to further configure a connection. - `connection_url` `(string: )` - Specifies the Snowflake DSN. This field can be templated and supports passing the username and password - parameters in the following format `{{field_name}}`. A templated connection URL is - required when using root credential rotation. + parameters in the format `{{field_name}}` when you use password authentication. + If you use root credential rotation for passwords, you must provide a templated + connection URL. Refer to the + [Snowflake secrets engine docs](/vault/docs/secrets/databases/snowflake#setup) + for more information on the connection URL format requirements for different + authentication methods. - `max_open_connections` `(int: 4)` - Specifies the maximum number of open connections to the database. diff --git a/content/vault/v1.18.x/content/docs/secrets/databases/snowflake.mdx b/content/vault/v1.18.x/content/docs/secrets/databases/snowflake.mdx index 427f952762..757f3f66ba 100644 --- a/content/vault/v1.18.x/content/docs/secrets/databases/snowflake.mdx +++ b/content/vault/v1.18.x/content/docs/secrets/databases/snowflake.mdx @@ -11,8 +11,8 @@ description: >- Snowflake is disabling password authentication for all users in  - November of 2025. -  HashiCorp is working to support key pair authentication in place of passwords. + November of 2025. +  HashiCorp has added support for key pair authentication in place of passwords. Snowflake is one of the supported plugins for the database secrets engine. This plugin 
@@ -29,7 +29,7 @@ The Snowflake database secrets engine uses | Plugin Name | Root Credential Rotation | Dynamic Roles | Static Roles | Username Customization | Credential Types | | --------------------------- | ------------------------ | ------------- | ------------ | ---------------------- |---------------------------| -| `snowflake-database-plugin` | Yes | Yes | Yes | Yes (1.8+) | password(deprecated), rsa_private_key | +| `snowflake-database-plugin` | Password-only | Yes | Yes | Yes (1.8+) | password(deprecated), rsa_private_key | ## Setup @@ -43,7 +43,7 @@ The Snowflake database secrets engine uses By default, the secrets engine will enable at the name of the engine. To enable the secrets engine at a different path, use the `-path` argument. -1. Configure Vault with the proper plugin and connection information: +1. Configure Vault with userpass authentication: ```shell-session $ vault write database/config/my-snowflake-database \ 
@@ -71,9 +71,41 @@ The Snowflake database secrets engine uses `db_name` is the name of a database in your Snowflake instance. - ~> **Note:** The user being utilized should have `ACCOUNT_ADMIN` privileges, and should be different - from the root user you were provided when making your Snowflake account. This allows you to rotate - the root credentials and still be able to access your account. +1. Configure Vault with keypair authentication. Do not provide templated or + hard-coded username or password information in the connection URL if you use + key-pair authentication. The Snowflake plugin appropriately constructs the + full DSN using the provided `username` and `private_key` to authenticate to + Snowflake: + + ```shell-session + $ vault write database/config/my-snowflake-database \ + plugin_name=snowflake-database-plugin \ + allowed_roles="my-role" \ + connection_url=".snowflakecomputing.com/" \ + username="vaultuser" \ + private_key=@key.pem + ``` + + The connection URL must include the following parameters in addition to any + optional query parameters: + + - `account` - your Snowflake account identifier. Refer to the + [`server` section](https://docs.snowflake.com/en/user-guide/odbc-parameters.html#connection-parameters) + of the connection parameters for Snowflake ODBC configuration details. + + - `db_name` the name of a database in your Snowflake instance. + + For example: + + ```text + ecxxxx.west-us-1.azure.snowflakecomputing.com/my_app_data + ``` + + +You must provide Vault with a Snowflake user that has `ACCOUNT_ADMIN` privileges. We +strongly recommend using a unique user account for Vault access so Vault can +rotate the associated root credentials without disrupting the account associated +with your Snowflake account or other Snowflake users on the account. ## Usage 
diff --git a/content/vault/v1.19.x/content/api-docs/secret/databases/snowflake.mdx b/content/vault/v1.19.x/content/api-docs/secret/databases/snowflake.mdx index dfb40b20fe..568e344885 100644 --- a/content/vault/v1.19.x/content/api-docs/secret/databases/snowflake.mdx +++ b/content/vault/v1.19.x/content/api-docs/secret/databases/snowflake.mdx @@ -43,8 +43,12 @@ has a number of parameters to further configure a connection. - `connection_url` `(string: )` - Specifies the Snowflake DSN. This field can be templated and supports passing the username and password - parameters in the following format `{{field_name}}`. A templated connection URL is - required when using root credential rotation. + parameters in the format `{{field_name}}` when you use password authentication. + If you use root credential rotation for passwords, you must provide a templated + connection URL. Refer to the + [Snowflake secrets engine docs](/vault/docs/secrets/databases/snowflake#setup) + for more information on the connection URL format requirements for different + authentication methods. - `max_open_connections` `(int: 4)` - Specifies the maximum number of open connections to the database. diff --git a/content/vault/v1.19.x/content/docs/secrets/databases/snowflake.mdx b/content/vault/v1.19.x/content/docs/secrets/databases/snowflake.mdx index a2ed7f5b72..1254c696ae 100644 --- a/content/vault/v1.19.x/content/docs/secrets/databases/snowflake.mdx +++ b/content/vault/v1.19.x/content/docs/secrets/databases/snowflake.mdx 
@@ -71,34 +71,36 @@ The Snowflake database secrets engine uses `db_name` is the name of a database in your Snowflake instance. - ~> **Note:** The user being utilized should have `ACCOUNT_ADMIN` privileges, and should be different - from the root user you were provided when making your Snowflake account. This allows you to rotate - the root credentials and still be able to access your account. - -1. Configure Vault with keypair authentication: +1. Configure Vault with keypair authentication. Do not provide templated or + hard-coded username or password information in the connection URL if you use + key-pair authentication. The Snowflake plugin appropriately constructs the + full DSN using the provided `username` and `private_key` to authenticate to + Snowflake: ```shell-session $ vault write database/config/my-snowflake-database \ plugin_name=snowflake-database-plugin \ allowed_roles="my-role" \ - connection_url="ecxxxx.west-us-1.azure.snowflakecomputing.com/db_name" \ + connection_url=".snowflakecomputing.com/" \ username="vaultuser" \ private_key=@key.pem ``` -You must provide properly formatted data source names (DSN) when you configure -the database in the following format. When using key-pair authentication, do not -provide any templates in the DSN: + The connection URL must include the following parameters in addition to any + optional query parameters: + + - `account` - your Snowflake account identifier. Refer to the + [`server` section](https://docs.snowflake.com/en/user-guide/odbc-parameters.html#connection-parameters) + of the connection parameters for Snowflake ODBC configuration details. -```shell-session -.snowflakecomputing.com/ -``` + - `db_name` the name of a database in your Snowflake instance. -- `account` - your Snowflake account identifier. Refer to the -[`server` section](https://docs.snowflake.com/en/user-guide/odbc-parameters.html#connection-parameters) -of the connection parameters for Snowflake ODBC configuration for further details. 
+ For example: + + ```text + ecxxxx.west-us-1.azure.snowflakecomputing.com/my_app_data + ``` -- `db_name` the name of a database in your Snowflake instance. You must provide Vault with a Snowflake user that has `ACCOUNT_ADMIN` privileges. We strongly recommend using a unique user account for Vault access so Vault can diff --git a/content/vault/v1.20.x/content/api-docs/secret/databases/snowflake.mdx b/content/vault/v1.20.x/content/api-docs/secret/databases/snowflake.mdx index dfb40b20fe..568e344885 100644 --- a/content/vault/v1.20.x/content/api-docs/secret/databases/snowflake.mdx +++ b/content/vault/v1.20.x/content/api-docs/secret/databases/snowflake.mdx @@ -43,8 +43,12 @@ has a number of parameters to further configure a connection. - `connection_url` `(string: )` - Specifies the Snowflake DSN. This field can be templated and supports passing the username and password - parameters in the following format `{{field_name}}`. A templated connection URL is - required when using root credential rotation. + parameters in the format `{{field_name}}` when you use password authentication. + If you use root credential rotation for passwords, you must provide a templated + connection URL. Refer to the + [Snowflake secrets engine docs](/vault/docs/secrets/databases/snowflake#setup) + for more information on the connection URL format requirements for different + authentication methods. - `max_open_connections` `(int: 4)` - Specifies the maximum number of open connections to the database. diff --git a/content/vault/v1.20.x/content/docs/secrets/databases/snowflake.mdx b/content/vault/v1.20.x/content/docs/secrets/databases/snowflake.mdx index a2ed7f5b72..1254c696ae 100644 --- a/content/vault/v1.20.x/content/docs/secrets/databases/snowflake.mdx +++ b/content/vault/v1.20.x/content/docs/secrets/databases/snowflake.mdx 
@@ -71,34 +71,36 @@ The Snowflake database secrets engine uses `db_name` is the name of a database in your Snowflake instance. - ~> **Note:** The user being utilized should have `ACCOUNT_ADMIN` privileges, and should be different - from the root user you were provided when making your Snowflake account. This allows you to rotate - the root credentials and still be able to access your account. - -1. Configure Vault with keypair authentication: +1. Configure Vault with keypair authentication. Do not provide templated or + hard-coded username or password information in the connection URL if you use + key-pair authentication. The Snowflake plugin appropriately constructs the + full DSN using the provided `username` and `private_key` to authenticate to + Snowflake: ```shell-session $ vault write database/config/my-snowflake-database \ plugin_name=snowflake-database-plugin \ allowed_roles="my-role" \ - connection_url="ecxxxx.west-us-1.azure.snowflakecomputing.com/db_name" \ + connection_url=".snowflakecomputing.com/" \ username="vaultuser" \ private_key=@key.pem ``` -You must provide properly formatted data source names (DSN) when you configure -the database in the following format. When using key-pair authentication, do not -provide any templates in the DSN: + The connection URL must include the following parameters in addition to any + optional query parameters: + + - `account` - your Snowflake account identifier. Refer to the + [`server` section](https://docs.snowflake.com/en/user-guide/odbc-parameters.html#connection-parameters) + of the connection parameters for Snowflake ODBC configuration details. -```shell-session -.snowflakecomputing.com/ -``` + - `db_name` the name of a database in your Snowflake instance. -- `account` - your Snowflake account identifier. Refer to the -[`server` section](https://docs.snowflake.com/en/user-guide/odbc-parameters.html#connection-parameters) -of the connection parameters for Snowflake ODBC configuration for further details. 
+ For example: + + ```text + ecxxxx.west-us-1.azure.snowflakecomputing.com/my_app_data + ``` -- `db_name` the name of a database in your Snowflake instance. You must provide Vault with a Snowflake user that has `ACCOUNT_ADMIN` privileges. We strongly recommend using a unique user account for Vault access so Vault can
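Review bot: In the `connection_url` description of the api-docs hunk (identical in all five versions), the new text covers password authentication but leaves the key-pair case entirely to the linked page. The setup hunk tells readers not to put a templated or hard-coded username or password in the URL when using key-pair authentication, and that warning belongs in the API reference too, for example "Do not template or embed a username or password in the connection URL when you use key-pair authentication." The phrase "root credential rotation for passwords" can also be read as if another kind of root rotation exists; "root credential rotation, which is available for password authentication only," would match the table change made elsewhere in this patch.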
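Review bot: The notice in the `@@ -11,8 +11,8` hunks (1.16.x to 1.18.x) now reads "HashiCorp has added support for key pair authentication in place of passwords" without saying in which release. On versioned pages a reader needs the minimum patch release to know whether their cluster already has the feature, so name it in the notice or link to the relevant release notes. The `November of 2025.` line also shows as removed and re-added with no visible text change; if that is only a whitespace edit, consider dropping it from the patch to keep the diff minimal.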
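Review bot: In the capability table hunks (`@@ -29,7 +29,7`, 1.16.x to 1.18.x), "Root Credential Rotation" changes from "Yes" to "Password-only", but the closing paragraph added in the setup hunk still says Vault needs a dedicated user "so Vault can rotate the associated root credentials" with no qualifier. A reader who configures `private_key` will expect rotation to work. Qualify the closing paragraph (rotation applies only when the root user authenticates with a password) or add a footnote to the table cell saying what operators using key-pair authentication should do to rotate the root key.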
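Review bot: In the `@@ -43,7 +43,7` hunks, the new step title "Configure Vault with userpass authentication" reuses the name of Vault's own `userpass` auth method, which is unrelated to how the plugin logs in to Snowflake. The api-docs hunk in the same patch calls this "password authentication"; use that wording here too, for example "Configure Vault with password authentication (deprecated)", which also matches the `password(deprecated)` entry in the table.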
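Review bot: In the key-pair step of the setup hunks, the command shows `connection_url=".snowflakecomputing.com/"`, which as displayed has no account or database placeholder, while the list that follows documents `account` and `db_name` as required parts. Check that the placeholders survive rendering, or use the concrete value from the "For example" block in the command so the two agree. Smaller points in the same step: "keypair", "key-pair" and "key pair" are all used in this patch and should be one spelling; the `db_name` bullet lacks the " - " separator that the `account` bullet has; and the closing paragraph names `ACCOUNT_ADMIN`, whereas Snowflake's system role is spelled `ACCOUNTADMIN`.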
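Review bot: The 1.17.x setup hunk (`@@ -71,9 +71,40`) says "additional query parameters are not supported in Vault 1.17", while the 1.16.x and 1.18.x hunks say the URL takes the required parts "in addition to any optional query parameters". It is unusual for the oldest and newest of three adjacent versions to support something the middle one does not, so confirm the 1.16.x wording is correct and not copied from a later version. If the 1.17 limitation is real, say what happens when a query parameter is supplied (rejected at configuration time, or ignored) so operators can tell a misconfiguration from a silent downgrade.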
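Review bot: For 1.19.x and 1.20.x the docs file receives only the `@@ -71,34 +71,36` setup hunk; the table change to "Password-only" and the notice update applied to 1.16.x through 1.18.x have no counterpart here. Confirm those two versions already carry that text, otherwise the newest docs will still advertise root credential rotation as "Yes". In this hunk the new fenced example ends with two consecutive blank `+` lines before the "You must provide Vault" paragraph; one is enough, and the paragraph should stay unindented so it is not rendered as part of the list item.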