Add support for workload identity federation #2203
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
All contributors have signed the CLA ✍️ ✅ |
sfc-gh-pmansour
requested review from
sfc-gh-dbasavin,
sfc-gh-eworoshow and
sfc-gh-jkasten
Contributor
Author
|
I have read the CLA Document and I hereby sign the CLA |
sfc-gh-pmansour
force-pushed
the
pmansour/SNOW-1927956-wif
branch
from
ed1542e to
d927243
Compare
sfc-gh-pmansour
added
NO-CHANGELOG-UPDATES
sfc-gh-pmansour
commented
Mar 12, 2025
sfc-gh-pmansour
commented
Mar 14, 2025
Contributor
Author
sfc-gh-pmansour
left a comment
sfc-gh-pmansour
left a comment
There was a problem hiding this comment.
Posting on behalf of Maxim
sfc-gh-mmishchenko
approved these changes
Mar 14, 2025
sfc-gh-pmansour
force-pushed
the
pmansour/SNOW-1927956-wif
branch
from
d3d2124 to
70f399c
Compare
…d fixtures, add support for Azure Functions MDS
sfc-gh-pmansour
force-pushed
the
pmansour/SNOW-1927956-wif
branch
from
c2912f8 to
b6bc1ee
Compare
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Please answer these questions before submitting your pull requests. Thanks!
What GitHub issue is this PR addressing? Make sure that there is an accompanying issue to your PR.
Fixes SNOW-1967309: SNOW-1927956: Add support for workload identity federation #2202
Fill out the following pre-review checklist:
Please describe how your code solves the related issue.
Adds a new authentication plugin called
AuthByWorkloadIdentity, and plumbs it through the connection creation. This relies on a few parameters:authenticator: This is an existing parameter, but now has a new supported valueWORKLOAD_IDENTITY.workload_identity_provider: A new optional parameter that can describe how to load the workload identity credential. Can be AWS, AZURE, GCP, OIDC or None. If this is set to None, it will attempt to auto-discover a credential based on the environment.workload_identity_entra_resource: A new optional parameter, to be used when targeting a custom Azure Entra ID application as the resource, for example in a sovereign cloud.There is a broad suite of tests for all the new functionality, including a set of new fixtures that fake the behavior of the major CSP metadata services.
Usage examples:
These changes cannot be used yet as the backend support is not ready. They're gated by a new environment variable
SF_ENABLE_EXPERIMENTAL_AUTHENTICATIONwhich must be set.Also note that the default Entra ID application resource is not ready yet, so I used a placeholder value that's guaranteed to fail in reality. This will be updated in a follow-up PR once that application is ready.