kaxil opened a new pull request, #68107: URL: https://github.com/apache/airflow/pull/68107
`SnowflakeHook` already forwards `authenticator` from the connection extra, so a connection can set `authenticator=WORKLOAD_IDENTITY`. But `_get_static_conn_params()` dropped the companion `workload_identity_provider` param, so the connector failed at connect time:

```
251017: workload_identity_provider must be set to one of AWS,AZURE,GCP,OIDC when authenticator is WORKLOAD_IDENTITY.
```

This forwards `workload_identity_provider` from the connection extra into the connector call so keyless [Workload Identity Federation](https://docs.snowflake.com/en/user-guide/workload-identity-federation) works. With WIF no long-lived secret (password, key-pair or PAT) is stored anywhere; the workload's cloud identity is the credential.

Fixes #54983.

## What changed

- Forward `workload_identity_provider` in `SnowflakeHook._get_static_conn_params()` when it is set in the connection extra, so it reaches `snowflake.connector.connect()`.
- Expose it as a connection-form widget so it is settable from the UI.
- Document the `WORKLOAD_IDENTITY` authenticator and the new extra, with a JSON connection example.
- Bump `snowflake-connector-python` to `>=3.17.0`, the first release that supports WIF.

## Design notes

- **One param covers all clouds.** The connector takes a single `workload_identity_provider` value (`AWS`, `AZURE`, `GCP` or `OIDC`), so the field is not split per cloud. GCP needs no issuer.
- **Pure passthrough, no hook-side allowlist.** The hook forwards the value as-is rather than validating it against a hard-coded list. The connector already validates and raises a clear error, and a local allowlist would drift as Snowflake adds providers.
- **Version floor.** WIF landed in `snowflake-connector-python` 3.17.0 (the `WORKLOAD_IDENTITY` authenticator plus the `workload_identity_provider`/`workload_identity_entra_resource` params). The provider previously floored at 3.16.0, so the floor is raised to keep the documented feature working on every supported version.
## Usage

```bash
export AIRFLOW_CONN_SNOWFLAKE_DEFAULT='{
  "conn_type": "snowflake",
  "login": "service-user",
  "extra": {
    "account": "account",
    "database": "database",
    "warehouse": "warehouse",
    "role": "role",
    "authenticator": "WORKLOAD_IDENTITY",
    "workload_identity_provider": "GCP"
  }
}'
```

The Snowflake side needs a `TYPE = SERVICE` user that trusts the workload's cloud identity and is granted a role with access to the target objects. Authorization (the role grant) is independent of authentication.

## Gotchas

WIF is keyless only when the task runs on the named cloud: the connector attests against that cloud's metadata/identity endpoint. Run a WIF connection off-cloud and the connector fails at attestation (`251018`), not at the missing-param gate.
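An added example, not Airflow's code and not part of this PR, that shows the hook-side passthrough the PR describes together with the connector-side gate it feeds. `load_conn`, `static_conn_params`, `simulated_connect` and `try_connect` are hypothetical stand-ins (the real hook method and `snowflake.connector.connect()` are not called); the 251017 check mirrors the error message quoted above, the 251018 branch is a simulation of the off-cloud attestation failure from the Gotchas section, and the sample connection JSON is constructed from the usage section with the provider removed and then added back:

```python
"""Added example: Snowflake WIF param passthrough plus a simulated connector gate.
Not Airflow's code; function names are hypothetical stand-ins."""
import json
from typing import Any, Optional

WIF_AUTHENTICATOR = "WORKLOAD_IDENTITY"
# Provider values the real connector accepts, as listed in its 251017 error message.
CONNECTOR_PROVIDERS = ("AWS", "AZURE", "GCP", "OIDC")
# Extra keys the hook forwards untouched; the connector, not the hook, validates them.
PASSTHROUGH_EXTRAS = ("authenticator", "workload_identity_provider")


class ConnectorError(Exception):
    """Stand-in for the connector's error; `code` mimics Snowflake's numeric codes."""

    def __init__(self, code: int, msg: str) -> None:
        super().__init__(f"{code}: {msg}")
        self.code = code


def load_conn(json_value: str) -> dict[str, Any]:
    """Parse an AIRFLOW_CONN_* JSON value into a connection dict with an extra dict."""
    conn = json.loads(json_value)
    conn.setdefault("extra", {})
    return conn


def with_provider(json_value: str, provider: str) -> str:
    """Return the same connection JSON with workload_identity_provider set in extra."""
    conn = load_conn(json_value)
    conn["extra"] = {**conn["extra"], "workload_identity_provider": provider}
    return json.dumps(conn)


def static_conn_params(conn: dict[str, Any]) -> dict[str, Any]:
    """Hypothetical stand-in for the hook's _get_static_conn_params():
    build the kwargs that would be handed to snowflake.connector.connect()."""
    extra = conn["extra"]
    params = {
        "user": conn.get("login"),
        "account": extra.get("account"),
        "database": extra.get("database"),
        "warehouse": extra.get("warehouse"),
        "role": extra.get("role"),
    }
    # Pure passthrough: forward each extra when present, no hook-side allowlist.
    for key in PASSTHROUGH_EXTRAS:
        if extra.get(key):
            params[key] = extra[key]
    return params


def simulated_connect(params: dict[str, Any], attested_provider: Optional[str]) -> dict[str, Any]:
    """Simulation (not the real connector) of the two WIF gates described in the PR.
    `attested_provider` stands for the cloud whose identity endpoint the workload can
    actually attest against; None models a task running off-cloud."""
    if params.get("authenticator") != WIF_AUTHENTICATOR:
        return params  # non-WIF authenticators are out of scope for this example
    provider = params.get("workload_identity_provider")
    if provider not in CONNECTOR_PROVIDERS:
        # Missing-param gate: the error the PR fixes (provider never forwarded).
        raise ConnectorError(
            251017,
            "workload_identity_provider must be set to one of "
            f"{','.join(CONNECTOR_PROVIDERS)} when authenticator is {WIF_AUTHENTICATOR}.",
        )
    if attested_provider != provider:
        # Attestation gate: provider is valid but this workload cannot attest to it.
        raise ConnectorError(251018, f"attestation against {provider} failed")
    return params


def try_connect(json_value: str, attested_provider: Optional[str]) -> int:
    """Return 0 on a successful simulated connect, otherwise the connector error code."""
    try:
        simulated_connect(static_conn_params(load_conn(json_value)), attested_provider)
    except ConnectorError as err:
        return err.code
    return 0


# Constructed sample: the PR's usage-section connection without the provider extra.
BROKEN_CONN = json.dumps({
    "conn_type": "snowflake",
    "login": "service-user",
    "extra": {"account": "account", "database": "database", "warehouse": "warehouse",
              "role": "role", "authenticator": WIF_AUTHENTICATOR},
})
# The same connection once workload_identity_provider is set, as in the PR.
FIXED_CONN = with_provider(BROKEN_CONN, "GCP")

if __name__ == "__main__":
    print(try_connect(BROKEN_CONN, "GCP"))  # 251017: provider never reached the connector
    print(try_connect(FIXED_CONN, "GCP"))   # 0: keyless connect on the named cloud
    print(try_connect(FIXED_CONN, None))    # 251018: off-cloud, attestation fails
```

The passthrough loop is the whole of the hook-side change: an unknown provider such as `FOO` is forwarded unchanged and rejected by the connector gate with the same 251017 message, which is the behaviour the "no hook-side allowlist" design note relies on.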
