Tip: Extensible Authentication
This guide was written for all versions of RED below 10.6. It is still applicable to RED 10.6+, but in RED 10.6 we added Extensible Authentication, which enables scriptable authentication workflows that can be configured in RED Connections and triggered at a configurable expiry interval; please review this section for more details. This feature provides complete control over the authentication process, adds secure storage of additional connection string tokens, and allows for the creation of authentication workflows which are not otherwise handled by RED and/or vendor ODBC drivers directly.

ODBC Key Pair Authentication

Follow Snowflake setup instructions here: Key-pair authentication and key-pair rotation | Snowflake Documentation

...

RED Connection Setup with Snowflake Key Pair

RED 9 and RED 10 using Advanced Connect

  • User: your snowflake user

  • Password: your Private Key Password (for encrypted key files)

  • Connection String: dsn=$DSN$;user=$USER$;priv_key_file_pwd=$PASSWORD$;

The connection property ‘PRIV_KEY_FILE’ will be taken from the DSN. This is why it is a good idea to create a ‘USER’ level DSN, so that each user on the system can have a different private key file (and password).

RED 8 or RED 9 or 10 without Advanced Connect

Without the Advanced Connect feature, added in RED 9.0 and RED 10.2, your only option is to enter all the details into your DSNs, including the user, key file and key file password. In RED, your Snowflake connections would then only populate the User name field, as the rest of the connection attributes will be taken from the DSN.

...

Snowflake MFA authentication is designed for browser-based applications, but it can also be used for other applications such as RED. This method of authentication cannot be used via the Scheduler as it requires user interaction.

Authenticating with MFA requires a second ‘factor’ in the authentication process. For RED applications this second factor should be an ‘Authenticator App’, which will either supply a Time-Based One Time Password (TOTP) or require you to accept a push notification on your mobile device.

If using this form of authentication with RED, it is recommended that the Snowflake Account Level Parameter to allow caching of the MFA token is enabled. This prevents the user having to keep entering a new TOTP each time a connection is made. Without client MFA caching enabled, RED UI connections to Snowflake would be practically unusable due to the frequency of MFA requests.

To allow MFA caching set this account parameter:

...

When connecting to an MFA TOTP enabled Snowflake DSN you need to supply the TOTP concatenated onto the end of the password. This requires an additional connection attribute, 'passcodeInPassword=on', which you cannot enter into the DSN dialog; therefore you cannot create the initial connection to Snowflake using the built-in Snowflake DSN Test function unless you have added this parameter to the registry for the DSN. If using the Duo push MFA method you do not need this attribute.

...

RED Connection Setup with Snowflake MFA

Tip: Extensible Authentication
In RED 10.6 we added Extensible Authentication, which provides an example workflow for Snowflake MFA; please review this section for more details.

RED 9 and RED 10 using Advanced Connect

  • User: your snowflake user

  • TOTP based MFA:

    • Password: your password + your TOTP (MFA code)

    • Connection String: dsn=$DSN$;user=$USER$;pwd=$PASSWORD$;passcodeInPassword=on;

  • Duo Push Notification

    • Password: your password

    • Connection String: dsn=$DSN$;user=$USER$;pwd=$PASSWORD$;

...

For TOTP, the initial authentication process is as follows: when you are ready to browse a Snowflake connection in the RED UI, enter your password with the currently active TOTP from your authenticator app appended to it. Once connected, if ALLOW_CLIENT_MFA_CACHING = TRUE is set on your organization's account, you will not need to provide a new TOTP for a few hours on the same device.

RED 8 or RED 9 or 10 without Advanced Connect

MFA is not really feasible without the Advanced Connect feature since Legacy Connect requires shared credentials in RED, but if you only have a single user working with RED then you can follow this workaround:

...

RED Connection Setup with Snowflake PAT

RED 9 and RED 10 using Advanced Connect

  • User: your snowflake user

  • Password: your PAT

  • Connection String: dsn=$DSN$;user=$USER$;pwd=$PASSWORD$;
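The key pair, MFA and PAT sections above each give a connection string template that differs only in the secret attribute and in passcodeInPassword. The following is an added example, not code from RED or Snowflake: a small Python check that flags a template with a literal secret in place of the $PASSWORD$ token, or with the wrong attributes for the chosen method. The function name check_template and the method labels are assumptions made for this example, and the key pair case assumes an encrypted key file.

```python
# Added example: lint RED connection string templates for Snowflake auth methods.
# check_template() and the method labels are illustrative names, not RED features.

SECRET_KEYS = ("pwd", "priv_key_file_pwd")   # attributes that carry a secret
METHODS = ("keypair", "totp", "duo", "pat")  # labels assumed for this example

def parse(template):
    """Split 'key=value;key=value;' into a dict with lower-cased keys."""
    attrs = {}
    for part in template.split(";"):
        if not part.strip():
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"not a key=value pair: {part!r}")
        attrs[key.strip().lower()] = value.strip()
    return attrs

def check_template(template, method):
    """Return a list of findings; an empty list means the template looks right."""
    if method not in METHODS:
        raise ValueError(f"unknown method: {method}")
    attrs = parse(template)
    findings = []
    # A literal secret in the template is no longer a per-user credential;
    # the templates on this page always pass it through the $PASSWORD$ token.
    for key in SECRET_KEYS:
        if key in attrs and attrs[key] != "$PASSWORD$":
            findings.append(f"{key}: literal value, use $PASSWORD$")
    # Key pair (encrypted key file assumed) uses priv_key_file_pwd; the rest use pwd.
    wanted = "priv_key_file_pwd" if method == "keypair" else "pwd"
    if wanted not in attrs:
        findings.append(f"{wanted}: missing for {method}")
    in_password = attrs.get("passcodeinpassword", "").lower() == "on"
    if method == "totp" and not in_password:
        findings.append("passcodeInPassword=on: required when the TOTP is appended")
    if method != "totp" and in_password:
        findings.append("passcodeInPassword=on: only needed for TOTP")
    return findings

if __name__ == "__main__":
    # Constructed sample: the TOTP template with the attribute left out.
    print(check_template("dsn=$DSN$;user=$USER$;pwd=$PASSWORD$;", "totp"))
```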

RED 8 or RED 9 or 10 without Advanced Connect

...

Without the Advanced Connect feature, added in RED 9.0 and RED 10.2, your only option is to enter the PAT directly into the DSN (or registry), USER DSN preferred. The PAT can’t be entered into the RED UI password field due to the length restrictions of the field when using Legacy Connect.

...