terraform cannot provision snowflake secret engine role with credential_type="rsa_public_key"

[breathe]

Apologies if I misuse some terraform nomenclature as I consume terraform-provider-vault via pulumi. But from what I can tell its not possible to provision a snowflake secret engine role with credential_type="rsa_public_key" from terraform.

The snowflake secrets engine supports configuration options for creating rsa based authentication which, from what I can tell, cannot be specified when provisioning a vault_database_secret_backend_role using the snowflake secrets engine

In particular, in order to provision users with rsa_private_key auth rather than password auth, the role needs to be created with credential_type="rsa_private_key" -- without specifying that parameter the vault secrets engine doesn't pass an appropriate value for the {{public_key}} template parameter when rendering the creation statements and an error like this is produced when attempting to read the secret ...

ncohen@m1-max-toast ~/f/o/i/a/secrets (main)> vault read dev_us_snowflake/creds/SOME_SERVICE
Error reading dev_us_snowflake/creds/SOME_SERVICE: Error making API request.

URL: GET https://vault.somewhere.net/v1/dev_us_snowflake/creds/SOME_SERVICE
Code: 500. Errors:

* 1 error occurred:
	* 003065 (42601): SQL execution error:
New public key rejected by current policy. Reason: 'Invalid public key'

I'm able to make the above command succeed if I manually provision the role with a command like this:

vault write dev_us_snowflake/roles/SOME_SERVICE \
    db_name=snowflake-connection \
    creation_statements="CREATE USER \"{{name}}\" RSA_PUBLIC_KEY='{{public_key}}'
    DAYS_TO_EXPIRY = {{expiration}} DEFAULT_ROLE= SOME_SERVICE_ROLE_DEV;
    GRANT ROLE SOME_SERVICE_ROLE_DEV TO USER \"{{name}}\";" \
    credential_type="rsa_private_key" \
    credential_config=key_bits=2048 \
    default_ttl="1h" \
    max_ttl="1h" \
    credential_config=format="pkcs8"

But the equivalent terraform version of the above will fail because there is no way to specify credential_type. (nor I believe is there a way to specify any other credential_config's -- but that is less important)

Affected Resource(s)

• vault_database_secret_backend_role (when backend=snowflake, this ought to accept credential_type somehow ...)
• snowflake secret engine configuration options

References

• GH-1234

[jhfeng]

I'm getting same error today. Does anyone know this issue has solution or not ?

[fairclothjm]

@jhfeng @breathe Hello, sorry you are having trouble.

Have you tried setting the credential_type field on the database_secret_backend_role?

If this isn't working, can you please provide the terraform config to reproduce the issue and any relevant logs or errors? Thanks!

[jhfeng]

@fairclothjm i tested database_secret_backend_role, that seems works. problem is only with static role.
here's code and error:

1 terraform {
2 required_providers {
3 vault = {
4 source = "hashicorp/vault"
5 }
6 }
7 }
8
9 resource "vault_database_secret_backend_connection" "snowflake" {
10 backend = var.sfdb_backend_path
11 name = var.dbname
12 allowed_roles = ["*"]
13
14 snowflake {
15 connection_url = "${var.vaultuser}:${var.vaultuser_password}@${var.sfaccountname}/${var.dbname}"
16 }
17 }
18
19
20 resource "vault_database_secret_backend_role" "role" {
21
22 backend = var.sfdb_backend_path
23 name = "myrole"
24 db_name = vault_database_secret_backend_connection.snowflake.name
25 creation_statements = ["CREATE USER {{name}} RSA_PUBLIC_KEY='{{public_key}}' DAYS_TO_EXPIRY = {{expiration}} DEFAULT_ROLE=myrole; GRANT ROLE myrole TO USER {{name}};"]
26 credential_type = "rsa_private_key"
27 credential_config = {
28 key_type = "rsa"
29 key_bits = "2048"
30 }
31 }
32
33 # configure a static role with period-based rotations
34 resource "vault_database_secret_backend_static_role" "period_role" {
35
36 backend = var.sfdb_backend_path
37 name = "my-static-role"
38 db_name = vault_database_secret_backend_connection.snowflake.name
39 username = "myaccount"
40 rotation_period = var.ttl
41 rotation_statements = ["ALTER USER {{name}} SET RSA_PUBLIC_KEY='{{public_key}}';"]
42 credential_type = "rsa_private_key"
43 credential_config = {
44 key_type = "rsa"
45 key_bits = "2048"
46 }
47 }

Error: Unsupported argument
│
│ on modules/snowflake/main.tf line 42, in resource "vault_database_secret_backend_static_role" "period_role":
│ 42: credential_type = "rsa_private_key"
│
│ An argument named "credential_type" is not expected here.
╵
╷
│ Error: Unsupported argument
│
│ on modules/snowflake/main.tf line 43, in resource "vault_database_secret_backend_static_role" "period_role":
│ 43: credential_config = {
│
│ An argument named "credential_config" is not expected here.
╵

[fairclothjm]

@jhfeng Thanks for the information! Yes, it looks like vault_database_secret_backend_static_role does not currently support credential_type. We don't have anything on the roadmap for adding that at the moment but it shouldn't be too much of a lift if anyone is interested in contributing a PR.