Snow 2176180 workload identity authentication support (#2490)

* SNOW-2176180: POC of snow auth workflow-identity

* SNOW-2176180: auth workflow-identity read command

* SNOW-2176180: rename to workload-identity from workflow-identity

* SNOW-2176180: add logging

* SNOW-2176180: add 'id' as project dependency

* SNOW-2176180: refactor read command to allow usage in automation

* SNOW-2176180: code cleanup

* SNOW-2176180: pre-commit mess cleanup

* SNOW-2176180: code cleanup

* SNOW-2176180: code cleanup

* SNOW-2176180: snapshot updates

* SNOW-2176180: deps cleanup

* SNOW-2176180: deps cleanup

* SNOW-2176180: reset pyproject

* SNOW-2176180: restore pyproject

* SNOW-2176180: pyproject issues

* SNOW-2176180: deps cleanup

* SNOW-2176180: code refactor 1

* SNOW-2176180: code refactor 2

* SNOW-2176180: auto discovery when proper authenticator

* empty commit

* SNOW-2176180: fix tests for running outside github CI

* SNOW-2176180: auth workload-idenity commands refactor 1

* SNOW-2176180: auth workload-idenity commands for managing integrations

* SNOW-2176180: update snapshots for e2e tests

* SNOW-2176180: update snapshots for e2e tests 2

* SNOW-2176180: restore read-token auto discovery

* SNOW-2176180: update snapshots for e2e tests 3

* SNOW-2176180: release notes update for wif

* SNOW-2176180: after rebase fixes

* SNOW-2176180: after rebase fixes

* SNOW-2176180: rename snow auth workload-idenitity to snow auth oidc

* SNOW-2176180: rebase fixes

* SNOW-2176180: refactor fixes

* SNOW-2176180: refactor fixes - p1

* SNOW-2176180: refactor fixes - p2

* SNOW-2176180: after rebase fixes

* SNOW-2176180: after rebase fixes

* SNOW-2176180: after rebase fixes 2

* SNOW-2176180: after cr fixes 2

* SNOW-2176180: after cr fixes missing show_default=False

* SNOW-2176180: after cr fixes missing show_default=False

* SNOW-2176180: passthrough to driver wif for cloud providers

* SNOW-2176180: refactor method names and enum creations

* SNOW-2176180: tests for snow_connector.py

* SNOW-2176180: snapshots update

* SNOW-2176180: separate oidc erros from cli error

* SNOW-2176180: use match instad of nested ifs

* SNOW-2176180: remove old todo

* SNOW-2176180: remove comment

* SNOW-2176180: cleanup manager

* SNOW-2176180: cleanup manager

Author: sfc-gh-mraba

RELEASE-NOTES.md

@@ -21,6 +21,12 @@
 ## New additions
 * Add `snow connection remove` command
 * Added support for `runtime_environment_version` field in notebook entity configuration, allowing specification of runtime environment version for containerized notebooks.
+* Added `snow auth workload-identity` command group for managing workload identity federation authentication:
+  * `snow auth workload-identity setup` - Creates federated users with OIDC authentication configuration
+  * `snow auth workload-identity delete` - Removes existing federated users
+  * `snow auth workload-identity read-token` - Reads and displays OIDC tokens from CI/CD environments
+  * `snow auth workload-identity list` - Lists all users with workload identity federation enabled
+  * Supports GitHub Actions OIDC provider for passwordless authentication in CI/CD pipelines
 
 ## Fixes and improvements
 * Fixed DBT deploy command to properly handle fully qualified names

pylock.toml

@@ -293,6 +293,12 @@ version = "3.1.44"
 sdist = { url = "https://files.pythonhosted.org/packages/c0/89/37df0b71473153574a5cdef8f242de422a0f5d26d7a9e231e6f169b4ad14/gitpython-3.1.44.tar.gz", upload-time = 2025-01-02T07:32:43Z, size = 214196, hashes = { sha256 = "c87e30b26253bf5418b01b0660f818967f3c503193838337fe5e573331249269" } }
 wheels = [{ url = "https://files.pythonhosted.org/packages/1d/9a/4114a9057db2f1462d5c8f8390ab7383925fe1ac012eaa42402ad65c2963/GitPython-3.1.44-py3-none-any.whl", upload-time = 2025-01-02T07:32:40Z, size = 207599, hashes = { sha256 = "9e0e10cda9bed1ee64bc9a6de50e7e38a9c9943241cd7f585f6df3ed28011110" } }]
 
+[[packages]]
+name = "id"
+version = "1.5.0"
+sdist = { url = "https://files.pythonhosted.org/packages/22/11/102da08f88412d875fa2f1a9a469ff7ad4c874b0ca6fed0048fe385bdb3d/id-1.5.0.tar.gz", upload-time = 2024-12-04T19:53:05Z, size = 15237, hashes = { sha256 = "292cb8a49eacbbdbce97244f47a97b4c62540169c976552e497fd57df0734c1d" } }
+wheels = [{ url = "https://files.pythonhosted.org/packages/9f/cb/18326d2d89ad3b0dd143da971e77afd1e6ca6674f1b1c3df4b6bec6279fc/id-1.5.0-py3-none-any.whl", upload-time = 2024-12-04T19:53:03Z, size = 13611, hashes = { sha256 = "f1434e1cef91f2cbb8a4ec64663d5a23b9ed43ef44c4c957d02583d61714c658" } }]
+
 [[packages]]
 name = "idna"
 version = "3.10"

pyproject.toml

@@ -29,6 +29,7 @@ dependencies = [
   "click==8.1.8",
   "GitPython==3.1.44",
   "PyYAML==6.0.2",
+  "id==1.5.0",
   "jinja2==3.1.6",
   "packaging",
   "pip",

snyk/requirements.txt

@@ -15,6 +15,7 @@ cryptography==45.0.5
 filelock==3.18.0
 gitdb==4.0.12
 gitpython==3.1.44
+id==1.5.0
 idna==3.10
 importlib-metadata==8.7.0 ; python_full_version < '3.12'
 jaraco-classes==3.4.0

src/snowflake/cli/_app/auth/__init__.py

@@ -0,0 +1,13 @@
+# Copyright (c) 2024 Snowflake Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.

src/snowflake/cli/_app/auth/errors.py

@@ -0,0 +1,28 @@
+class OidcProviderError(Exception):
+    """Base exception for OIDC provider related errors."""
+
+    ...
+
+
+class OidcProviderNotFoundError(OidcProviderError):
+    """Exception raised when requested OIDC provider is not found or unknown."""
+
+    ...
+
+
+class OidcProviderUnavailableError(OidcProviderError):
+    """Exception raised when OIDC provider is not available in current environment."""
+
+    ...
+
+
+class OidcProviderAutoDetectionError(OidcProviderError):
+    """Exception raised when auto-detection of OIDC provider fails."""
+
+    ...
+
+
+class OidcTokenRetrievalError(OidcProviderError):
+    """Exception raised when OIDC token cannot be retrieved."""
+
+    ...