Hi EasyMorph Team,
Snowflake announced a mandatory behaviour change starting in April. Users will have to use MFA, unless labeled "Service Accounts". These service accounts won't have a password. We are just trying to figure out how to manage this change with our EasyMorph connectors.
Do you by any chance have a take on how we should proceed?
Best,
Albert
Hi Albert,
Looks like service accounts support key pair authentication. Also, it's possible to create an account with TYPE set to LEGACY_SERVICE which will support password authorization. I will try both account types out with EasyMorph and get back to you.
We tried with LEGACY_SERVICE and it worked. It didn't work with SERVICE. I am not sure how long the first one will be kept around, though.
Hi Albert,
I was able to connect to Snowflake using a SERVICE account and a key-pair authentication with the following steps:
- Create a key pair as described here
- Create a new service account with the generated public keys as follows:
    CREATE USER <name>
      TYPE = SERVICE
      RSA_PUBLIC_KEY = 'MIIBIjANBgkqh...'
      [ other account properties ]
- Grant permissions to the created account
- Make the following changes to the native Snowflake connector in EasyMorph:
  - Set the name of the created account to the "User" option
  - Leave the "Password" option empty
  - Add the following custom properties:
    AUTHENTICATOR = snowflake_jwt
    PRIVATE_KEY_FILE = <path_to_generated_private_key>
Looks like it's not possible to use the PRIVATE_KEY connection property in EasyMorph, but we will discuss internally if we should add support for this authorization method directly to the connector settings.
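
The key-pair step from the list above, as an added example that is not part of the original posts: it generates the key with OpenSSL, prints the one-line value for RSA_PUBLIC_KEY, and prints the fingerprint to compare with RSA_PUBLIC_KEY_FP in the output of DESC USER. The file names rsa_key.p8 and rsa_key.pub and the helper names are assumptions; the private key is written unencrypted, so it is created readable by its owner only.

```shell
#!/bin/sh
# Added example: helper and file names are assumptions, not EasyMorph's.
set -e

# Write an unencrypted PKCS#8 private key ($1) and its public key ($2).
# umask 077 keeps the private key file owner-only from the moment it exists.
gen_keypair() {
    ( umask 077
      openssl genrsa 2048 2>/dev/null |
          openssl pkcs8 -topk8 -inform PEM -nocrypt -out "$1" )
    openssl rsa -in "$1" -pubout -out "$2" 2>/dev/null
}

# Public key without the PEM header/footer, on a single line.
# This is the value that goes between the quotes of RSA_PUBLIC_KEY.
pubkey_body() {
    grep -v '^-----' "$1" | tr -d '\r\n'
}

# SHA-256 fingerprint of the DER-encoded public key, in the
# "SHA256:<base64>" form shown as RSA_PUBLIC_KEY_FP by DESC USER.
pubkey_fp() {
    fp=$(openssl rsa -pubin -in "$1" -outform DER 2>/dev/null |
         openssl dgst -sha256 -binary | openssl enc -base64)
    printf 'SHA256:%s\n' "$fp"
}

# Usage: output directory defaults to the current one.
dir=${1:-.}
gen_keypair "$dir/rsa_key.p8" "$dir/rsa_key.pub"
echo "RSA_PUBLIC_KEY = '$(pubkey_body "$dir/rsa_key.pub")'"
echo "Expect RSA_PUBLIC_KEY_FP = $(pubkey_fp "$dir/rsa_key.pub")"
echo "PRIVATE_KEY_FILE = $dir/rsa_key.p8"
```

If the fingerprint reported by DESC USER differs from the one printed here, the connector is pointing at a private key that does not match the registered public key.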