Commit 6f9c22c

SNOW-1902246 Document Workload Identity Federation (#1196)
1 parent 6c72222 commit 6f9c22c

File tree

1 file changed

+45
-3
lines changed

doc/Connecting.md

Lines changed: 45 additions & 3 deletions
@@ -9,8 +9,8 @@ please surround the value with double quotation marks (`""`). For example `passw
99
The following table lists all valid connection properties:
1010
<br />
1111

12-
| Connection Property | Required | Comment |
13-
|--------------------------------|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
12+
| Connection Property | Required | Comment |
13+
|-----------------------------------|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
1414
| ACCOUNT | Yes | Your full account name might include additional segments that identify the region and cloud platform where your account is hosted |
1515
| APPLICATION | No | **_Snowflake partner use only_**: Specifies the name of a partner application to connect through .NET. The name must match the following pattern: ^\[A-Za-z](\[A-Za-z0-9.-]){1,50}$ (one letter followed by 1 to 50 letter, digit, .,- or, \_ characters). |
1616
| DB | No | |
@@ -31,7 +31,7 @@ The following table lists all valid connection properties:
3131
| PRIVATE_KEY_FILE | Depends | The path to the private key file to use for key-pair authentication. Must be used in combination with AUTHENTICATOR=snowflake_jwt |
3232
| PRIVATE_KEY_PWD | No | The passphrase to use for decrypting the private key, if the key is encrypted. |
3333
| PRIVATE_KEY | Depends | The private key to use for key-pair authentication. Must be used in combination with AUTHENTICATOR=snowflake_jwt. <br /> If the private key value includes any equal signs (=), make sure to replace each equal sign with two signs (==) to ensure that the connection string is parsed correctly. |
34-
| TOKEN | Depends | The OAuth token to use for OAuth authentication or Programmatic Access Token authentication. Must be used in combination with AUTHENTICATOR=oauth or AUTHENTICATOR=programmatic_access_token. |
34+
| TOKEN | Depends | The OAuth token to use for OAuth authentication or Programmatic Access Token authentication or Workload Identity Federation for `OIDC`. Must be used in combination with `AUTHENTICATOR=oauth` or `AUTHENTICATOR=programmatic_access_token` or `AUTHENTICATOR=workload_identity`. |
3535
| INSECUREMODE | No | Set to true to disable the certificate revocation list check. Default is false. |
3636
| USEPROXY | No | Set to true if you need to use a proxy server. The default value is false. <br/> <br/> This parameter was introduced in v2.0.4. |
3737
| PROXYHOST | Depends | The hostname of the proxy server. <br/> <br/> If USEPROXY is set to `true`, you must set this parameter. <br/> <br/> This parameter was introduced in v2.0.4. |
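Review bot: the rewritten TOKEN row (diff line 34) keeps "Depends" but no longer says what the dependency is for the new case; from the wording "Workload Identity Federation for `OIDC`" the token is required only when the OIDC provider is used, so spell that out, e.g. "For Workload Identity Federation, required only when `WIFPROVIDER=OIDC`". This row also wraps the authenticator values in backticks while the neighbouring PRIVATE_KEY_FILE and PRIVATE_KEY rows write AUTHENTICATOR=snowflake_jwt unformatted; pick one style for the table.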
@@ -59,6 +59,8 @@ The following table lists all valid connection properties:
5959
| OAUTHAUTHORIZATIONURL | Depends | The url of the authorization endpoint (the one to get authorization code) for OAuth Authorization Code Flow. Required for non-Snowflake Identity Providers. Optional for Snowflake-provided OAuth service. See more: [Snowflake OAuth](https://docs.snowflake.com/en/user-guide/oauth-snowflake-overview) |
6060
| OAUTHTOKENREQUESTURL | Depends | The url of the token endpoint (the one to get access token/refresh token) for OAuth Authorization Code Flow or OAuth Client Credential Flow. Required for OAuth Client Credentials Flow. For OAuth Authorization Code Flow, required in case of non-Snowflake Identity Providers, but optional for Snowflake-provided OAuth service. See more: [Snowflake OAuth](https://docs.snowflake.com/en/user-guide/oauth-snowflake-overview) |
6161
| OAUTHREDIRECTURI | Depends | The url of the local endpoint the driver will listen to in OAuth Authorization Code Flow to get an authorization code from the Identity Provider. Required for non-Snowflake Identity providers. Optional for Snowflake-provided OAuth service. See more: [Snowflake OAuth](https://docs.snowflake.com/en/user-guide/oauth-snowflake-overview) |
62+
| WIFPROVIDER | No | The type of attestation provider for Workload Identity Federation authentication. You can specify one of following values: `OIDC`, `AZURE`, `AWS`, `GCP`. If you don't provide it the provider is going to be auto-detected. It is recommended to specify the value because auto-detection increases latency. |
63+
| WIFENTRARESOURCE | No | The entra resource used for Azure provider in Workload Identity Federation authentication. The default value for it is `api://fd3f753b-eed3-462c-b6a7-a4b5bb650aad`. |
6264
<br />
6365

6466
**Note**: Connections should not be shared across multiple threads.
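Review bot: the WIFENTRARESOURCE row (diff line 63) does not tell the reader what the value is or when to change it from the default; "The entra resource used for Azure provider" should at least capitalise "Entra" and say which situation calls for overriding the default (the table otherwise leaves a reader with an opaque `api://...` value). In the WIFPROVIDER row (diff line 62) the accepted values are listed as `OIDC`, `AZURE`, `AWS`, `GCP`, but the examples added later in this patch pass them lowercase (`wifProvider=aws`); state that the value is case-insensitive or make the two consistent, and "one of following values" should read "one of the following values".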
@@ -316,6 +318,46 @@ Alternatively you can provide `token` property as a secure string of the connect
316318
}
317319
```
318320

321+
- **Workload Identity Federation**
322+
323+
In this type of authentication credentials can be retrieved from a cloud on which your application is running (AWS, Azure, GCP) and then a token generated based on that is used to authenticate in Snowflake.
324+
OIDC provider allows you to provide your own token which will be used to authenticate in Snowflake.
325+
326+
If you don't provide `WIFPROVIDER` property it will be auto-detected. The order in which the driver tries to produce attestation is: OIDC, Azure, AWS, GCP.
327+
If you know on which cloud your application is running it is recommended to provide `WIFPROVIDER` parameter because auto-detection increases latency.
328+
329+
**Note**: Workload Identity Federation authentication currently is an experimental feature.
330+
You need to set environmental variable `SF_ENABLE_EXPERIMENTAL_AUTHENTICATION` to `true` if you want to use this authentication.
331+
332+
Using Workload Identity Federation for AWS cloud:
333+
```csharp
334+
var conn = new SnowflakeDbConnection("authenticator=workload_identity;wifProvider=aws;account=test;");
335+
```
336+
337+
Using Workload Identity Federation for Azure cloud:
338+
```csharp
339+
var conn1 = new SnowflakeDbConnection("authenticator=workload_identity;wifProvider=azure;account=test;"); // with default entra resource
340+
var conn2 = new SnowflakeDbConnection("authenticator=workload_identity;wifProvider=azure;wifEntraResource=api://fd3f753b-eed3-462c-b6a7-a4b5bb650aad;account=test;"); // with provided entra resource
341+
```
342+
343+
Using Workload Identity Federation for GCP cloud:
344+
```csharp
345+
var conn = new SnowflakeDbConnection("authenticator=workload_identity;wifProvider=gcp;account=test;");
346+
```
347+
348+
Using your own token (OIDC) for Workload Identity Federation:
349+
```csharp
350+
var conn1 = new SnowflakeDbConnection("authenticator=workload_identity;wifProvider=oidc;token=yourtoken;account=test;"); // provide token in connection string
351+
352+
var conn2 = new SnowflakeDbConnection("authenticator=workload_identity;wifProvider=oidc;account=test;");
353+
var conn2.Token = ...; // provide token by connection property
354+
```
355+
356+
Using auto-detection:
357+
```csharp
358+
var conn = new SnowflakeDbConnection("authenticator=workload_identity;account=test;");
359+
```
360+
319361
- **Browser-based SSO**
320362

321363
In the connection string, set `AUTHENTICATOR=externalbrowser`.
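Review bot: the OIDC example (diff line 353) is not valid C#: `var conn2.Token = ...;` does not compile, and should be `conn2.Token = "yourtoken";`, assigned before the connection is opened. Since the first OIDC example puts the bearer token directly into the connection string, consider pointing readers to the property (or the secure-string form mentioned in the surrounding text) so the token is not carried in a string that may end up in logs. Minor wording in the same hunk: diff line 323 needs a comma ("In this type of authentication, credentials can be retrieved ..."), diff line 324 should read "The OIDC provider allows you to ...", and "environmental variable" on diff line 330 should be "environment variable".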
