Add client credential caching option

[jcourteau]

• Add new provider configuration option - cache_temporary_credential, default false

This is normally automatically enabled or disabled based on the platform on the upstream gosnowflake SDK. However, even on mac, with the option enabled on the Snowflake account, the provider wasn't using caching.

This PR adds an explicit flag to enable / disable credential caching so that the exact behaviour can be set. Since Linux doesn't offer a password store like Windows and Mac do, this feature is a bit of a security risk there.

This must be enabled on the snowflake account

Specifically, as ACCOUNTADMIN:

alter account set allow_id_token = true;

Test Plan

• acceptance tests

• added unit tests for the generated DSN, following existing examples
• updated existing unit tests to reflect new config option

I also verified that caching worked with a provider config like this:

provider "snowflake" {
  account  = "<my SF account>"
  username = "<me>"
  region   = "us-west-2"

  cache_temporary_credential = true
  browser_auth               = true

  role = "SECURITYADMIN"
}

With cache_temporary_credential=true I was prompted to save the password in the OSX keychain; and subsequent runs didn't prompt for credentials.

With it set to false, I went through the normal browser auth cycle, with no caching; the same as the pre-patch behaviour.

(I would appreciate if someone could test this on Windows, as I don't have that readily available.)

References

• Connection Caching For External Browser Auth #1700 issue requesting this feature
• Snowflake SSO connection caching
• gosnowflake caching becomes configurable, optional
• gosnowflake original implementation

[cablespaghetti]

@sfc-gh-jcieslak @sfc-gh-asawicki @sfc-gh-swinkler sorry for the mention but is there any possibility of this getting merged soon? Without it the terraform provider unusable with SSO/Browser auth.

[mlavaert]

I hoped that this was going to be included in PR #2109 to use the authenticator. Sadly browser authentication is still impossible to use as it opens 100s of browser tabs right now.

[sfc-gh-swinkler]

This has already been added: https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs#client_store_temporary_credential

Closing as completed

Note that we are still having issues with the token for Windows / Darwin not caching token despite adding this. We need to build these two binaries with CGO enabled, and this is proving to be somewhat challenging to do in github-actions. We hope to get a solution out soon

[cablespaghetti]

This has already been added: https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs#client_store_temporary_credential

Closing as completed

Note that we are still having issues with the token for Windows / Darwin not caching token despite adding this. We need to build these two binaries with CGO enabled, and this is proving to be somewhat challenging to do in github-actions. We hope to get a solution out soon

As this feature is not working correctly, is this being tracked in an issue I can watch?

Thanks

[sfc-gh-swinkler]

@cablespaghetti you can check the related issue #2047. We will close this issue only once the feature is working correctly.