Allow for connecting to Snowflake with a private key

[jkruzek]

When connecting to Snowflake with an account that requires MFA its does not work (or at least requires extra work to use MFA devices) to connect with just the username and password credentials.

Instead of using username and password we should be able to use a private key and a private key passphrase to connect to Snowflake. Snowflake already supports this method of authentication. See here. Feast should add this as an option to the feature_store.yaml as part of the Snowflake connection config.

When trying to use a private_key_path and passphrase this error was raised:

raise FeastConfigError(e, config_path)
feast.repo_config.FeastConfigError: 2 validation errors for RepoConfig
__root__ -> offline_store -> private_key_passphrase
  extra fields not permitted (type=value_error.extra)
__root__ -> offline_store -> private_key_path
  extra fields not permitted (type=value_error.extra)

It seems like fields related to a passphrase are not permitted here

cc @sfc-gh-madkins

[jkruzek]

After a Slack discussion it was concluded this could be done using the ~/.snowsql/config file and passing in the private key there. Unfortunately, the python connector doesn’t take the private key path instead it takes a byte object of an unecrypted rsa private key. To create this private key we should allow a user to set the private key path and private key passcode in the config file and then convert that to the private key in code using the method detailed [here]( python connector doesn’t take the private key path instead it takes a byte object of an unecrypted rsa private key).

[sfc-gh-madkins]

#2508

[amithadiraju1694]

@sfc-gh-madkins Sorry for dumb question, I'm facing this issue now ( I'm on feast 0.26.0. Want to use this fix , but as a user, not sure what changes I need to make and where. I've tried passing both "password" and "private_key" in place of "password" field in feature_store.yaml but both options aren't working.

Any pointers to documentation helps. Thanks !

[sfc-gh-madkins]

These parameters have to be defined in a config file. You then just set the param config_path={file_path} in the .yaml file

…

On Thu, Nov 3, 2022 at 6:15 PM Amith Adiraju ***@***.***> wrote: @sfc-gh-madkins <https://github.com/sfc-gh-madkins> Sorry for dumb question, I'm facing this issue now ( I'm on feast 0.26.0. Want to use this fix , but as a user, not sure what changes I need to make and where. I've tried passing both "password" and "private_key" in place of "password" field in feature_store.yaml but both options aren't working. Any pointers to documentation helps. Thanks ! — Reply to this email directly, view it on GitHub <#2482 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ATSRCU5LX6OLWUFVQVVTV73WGRBSPANCNFSM5SPXMWEQ> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[amithadiraju1694]

For anyone who needs a step-by-step changes:

1. Create a .ini file with following contents

[connections.feast_offline_store] # Change this to connections.feast_batch_engine for batch and connections.feast_online_store for online engines

private_key = snow_priv_key.pem # Create a separate .pem/.pub file to hold your private key
private_key_passphrase = <passphrase for key>

2. Change your feature_store.yaml to following:

offline_store:
    type: snowflake.offline
    account: ${SNOW_DEV_ACCURL}
    user: ${SNOW_DEV_USER} 
    role: <Your_Role>
    warehouse: <Your_Warehouse>
    database: <Your_Database>
    config_path: <path to config ini file>

3. Your .pem or .pub file should be in this format:

-----BEGIN ENCRYPTED PRIVATE KEY-----
<Your Private Key>
-----END ENCRYPTED PRIVATE KEY-----

Reference for config parser: https://docs.python.org/3/library/configparser.html#module-configparser

Thanks @sfc-gh-madkins