SNOW-2264068 auth OIDC updated (#2541) (#2552)

* SNOW-2264068 auth OIDC updated (#2541)

* SNOW-2176180: renamed setup to create-user, dropped list in snow auth oidc

* SNOW-2176180: update integration tests

* SNOW-2176180: support for workload identity provider in snow connection add

* SNOW-2176180: fix typos

* SNOW-2176180: fix typos 2

* SNOW-2176180: renamed federated-user to user-name and RELEASE-NOTES update

* SNOW-2176180: remove redundant check

* SNOW-2176180: pre release connector test

* SNOW-2176180: restore dependencies

* SNOW-2176180: add connection option workload-identity-provider

* SNOW-2176180: do not log to console oidc auto detection

* SNOW-2176180: use oidc for auto detection only if provider is OIDC

* SNOW-2176180: update the value checks

* SNOW-2176180: update test snapshots

* SNOW-2176180: bump connetor python to 3.17

* SNOW-2176180: make workload-identity-provider short verion uppercase W

* SNOW-2176180: cr fixes - p1

* SNOW-2176180: bump connector to 3.17.1

* SNOW-2176180: snaptshot updates

* SNOW-2176180: debug

* SNOW-2176180: debug2

* SNOW-2176180: drop create-user and delete commands from snow auth oidc

* SNOW-2176180: fix connector updated error messages

* SNOW-2176180: CR cleanups

* SNOW-2176180: CR remove comments

* SNOW-2176180: CR fix doc string

* chore: [NO-SNOW] update release notes for 3.10.1 (#2543)

* Bump version to v3.11.0-rc1

---------

Co-authored-by: Jakub Wilkowski <[email protected]>

Author: sfc-gh-mraba

RELEASE-NOTES.md

@@ -30,14 +30,20 @@
 ## New additions
 * Add `snow connection remove` command
 * Added support for `runtime_environment_version` field in notebook entity configuration, allowing specification of runtime environment version for containerized notebooks.
-* Added `snow auth workload-identity` command group for managing workload identity federation authentication:
-  * `snow auth workload-identity setup` - Creates federated users with OIDC authentication configuration
-  * `snow auth workload-identity delete` - Removes existing federated users
-  * `snow auth workload-identity read-token` - Reads and displays OIDC tokens from CI/CD environments
-  * `snow auth workload-identity list` - Lists all users with workload identity federation enabled
+* Added `snow auth oidc` command group for managing workload identity federation authentication:
+  * `snow auth oidc read-token` - Reads and displays OIDC tokens from CI/CD environments
   * Supports GitHub Actions OIDC provider for passwordless authentication in CI/CD pipelines
 
 ## Fixes and improvements
+
+
+# v3.10.1
+
+## Deprecations
+
+## New additions
+
+## Fixes and improvements
 * Fixed DBT deploy command to properly handle fully qualified names
 * Fixed DBT deploy command to properly handle local directories with dots in names
 

pylock.toml

@@ -40,7 +40,7 @@ dependencies = [
   "requirements-parser==0.13.0",
   "rich==14.0.0",
   "setuptools==80.8.0",
-  "snowflake-connector-python[secure-local-storage]==3.16.0",
+  "snowflake-connector-python[secure-local-storage]==3.17.1",
   'snowflake-snowpark-python==1.33.0;python_version < "3.12"',
   "snowflake.core==1.6.0",
   "tomlkit==0.13.3",

pyproject.toml

@@ -54,7 +54,7 @@ setuptools==80.8.0
 shellingham==1.5.4
 six==1.17.0
 smmap==5.0.2
-snowflake-connector-python==3.16.0
+snowflake-connector-python==3.17.1
 snowflake-core==1.6.0
 snowflake-snowpark-python==1.33.0 ; python_full_version < '3.12'
 sortedcontainers==2.4.0

snyk/requirements.txt

@@ -16,7 +16,7 @@
 
 from enum import Enum, unique
 
-VERSION = "3.11.0rc0"
+VERSION = "3.11.0rc1"
 
 
 @unique

src/snowflake/cli/__about__.py

@@ -364,30 +364,28 @@ def auto_detect_oidc_provider() -> OidcTokenProvider:
             return available[0]
         case (0, providers) if providers:
             # No providers available but some are registered
-            logger.warning("No OIDC provider detected in current environment")
             providers_list = ", ".join(providers)
-            error_msg = (
+            msg = (
                 "No OIDC provider detected in current environment. "
                 "Available providers: %s. "
                 "Use --type <provider> to specify a provider explicitly."
             ) % providers_list
-            logger.error(error_msg)
-            raise OidcProviderAutoDetectionError(error_msg)
+            logger.info(msg)
+            raise OidcProviderAutoDetectionError(msg)
         case (0, _):
             # No providers available and none are registered
-            logger.warning("No OIDC provider detected in current environment")
-            error_msg = "No OIDC providers are registered."
-            logger.error(error_msg)
-            raise OidcProviderAutoDetectionError(error_msg)
+            msg = "No OIDC providers are registered."
+            logger.info(msg)
+            raise OidcProviderAutoDetectionError(msg)
         case _:
             # Multiple providers available - raise error
             providers_list = ", ".join(available_names)
-            error_msg = (
+            msg = (
                 "Multiple OIDC providers detected: %s. "
                 "Please specify which provider to use with --type <provider>."
             ) % providers_list
-            logger.error(error_msg)
-            raise OidcProviderAutoDetectionError(error_msg)
+            logger.info(msg)
+            raise OidcProviderAutoDetectionError(msg)
 
     # This line should never be reached, but helps mypy understand all paths are covered
     raise OidcProviderAutoDetectionError(

src/snowflake/cli/_app/auth/oidc_providers.py

@@ -45,6 +45,7 @@
 from snowflake.cli.api.secret import SecretType
 from snowflake.cli.api.secure_path import SecurePath
 from snowflake.connector import SnowflakeConnection
+from snowflake.connector.auth.workload_identity import ApiFederatedAuthenticationType
 from snowflake.connector.errors import DatabaseError, ForbiddenError
 
 log = logging.getLogger(__name__)
@@ -59,6 +60,7 @@
     "user",
     "password",
     "authenticator",
+    "workload_identity_provider",
     "private_key_file",
     "private_key_path",
     "private_key_raw",
@@ -158,8 +160,12 @@ def connect_to_snowflake(
     if connection_parameters.get("authenticator") == "username_password_mfa":
         connection_parameters["client_request_mfa_token"] = True
 
-    # Handle WORKLOAD_IDENTITY authenticator (OIDC federated authentication)
-    if connection_parameters.get("authenticator") == AUTHENTICATOR_WORKLOAD_IDENTITY:
+    # Handle WORKLOAD_IDENTITY authenticator (OIDC authentication)
+    if (
+        connection_parameters.get("authenticator") == AUTHENTICATOR_WORKLOAD_IDENTITY
+        and connection_parameters.get("workload_identity_provider")
+        == ApiFederatedAuthenticationType.OIDC.value
+    ):
         _maybe_update_oidc_token(connection_parameters)
 
     if enable_diag:

src/snowflake/cli/_app/snow_connector.py

@@ -14,57 +14,18 @@
 
 import typer
 from snowflake.cli._app.auth.oidc_providers import (
-    OidcProviderType,
     OidcProviderTypeWithAuto,
 )
 from snowflake.cli._plugins.auth.oidc.manager import OidcManager
 from snowflake.cli.api.commands.snow_typer import SnowTyperFactory
-from snowflake.cli.api.output.types import MessageResult, QueryResult
+from snowflake.cli.api.output.types import MessageResult
 
 app = SnowTyperFactory(
     name="oidc",
-    help="Manages OIDC federated authentication.",
+    help="Manages OIDC authentication.",
 )
 
 
-FederatedUserOption = typer.Option(
-    ...,
-    "--federated-user",
-    show_default=False,
-    help="Name for the federated user to create",
-    prompt="Enter federated user name",
-)
-
-FederatedUserArgument = typer.Argument(
-    ...,
-    help="Name for the federated user to drop",
-    show_default=False,
-)
-
-SubjectOption = typer.Option(
-    ...,
-    "--subject",
-    show_default=False,
-    help="OIDC subject string",
-    prompt="Enter OIDC subject string",
-)
-
-DefaultRoleOption = typer.Option(
-    ...,
-    "--default-role",
-    show_default=False,
-    help="Default role to assign to the federated user",
-    prompt="Enter default role",
-)
-
-ProviderTypeOption = typer.Option(
-    ...,
-    "--type",
-    help=f"Type of OIDC provider to use",
-    prompt="Enter OIDC provider type",
-    show_default=False,
-)
-
 AutoProviderTypeOption = typer.Option(
     OidcProviderTypeWithAuto.AUTO.value,
     "--type",
@@ -73,39 +34,6 @@
 )
 
 
-@app.command("setup", requires_connection=True)
-def setup(
-    _type: OidcProviderType = ProviderTypeOption,
-    federated_user: str = FederatedUserOption,
-    subject: str = SubjectOption,
-    default_role: str = DefaultRoleOption,
-    **options,
-):
-    """
-    Sets up OIDC federated authentication.
-    Creates a federated user with the specified configuration.
-    """
-    result = OidcManager().setup(
-        user=federated_user,
-        subject=subject,
-        default_role=default_role,
-        provider_type=_type,
-    )
-    return MessageResult(result)
-
-
-@app.command("delete", requires_connection=True)
-def delete(
-    federated_user=FederatedUserArgument,
-    **options,
-):
-    """
-    Deletes a federated user.
-    """
-    result = OidcManager().delete(user=federated_user)
-    return MessageResult(result)
-
-
 @app.command("read-token", requires_connection=False)
 def read_token(
     _type: OidcProviderTypeWithAuto = AutoProviderTypeOption,
@@ -117,14 +45,3 @@ def read_token(
     """
     result = OidcManager().read_token(provider_type=_type)
     return MessageResult(result)
-
-
-@app.command("list", requires_connection=True)
-def list_users(
-    **options,
-):
-    """
-    Lists users with OIDC federated authentication enabled.
-    """
-    result = OidcManager().get_users_list()
-    return QueryResult(result)