resource "snowflake_secret_with_client_credentials" "example" {
  provider           = snowflake.accountadmin
  name               = "example"
  database           = "workspace"
  schema             = "example"
  api_authentication = snowflake_api_authentication_integration_with_jwt_bearer.snowflake_connector_for_gard.name
  // oauth_scopes = ["something scope"]
  comment            = "Secret for Snowflake Connector for Google Analytics Raw Data"
}
Category
category:resource
Object type(s)
resource:api_integration
Expected Behavior
According to the Snowflake SQL documentation, the oauth_scopes parameter is optional when creating secrets with client credentials. Therefore, when using the Terraform provider to manage such secrets, specifying oauth_scopes should also be optional. Users should be able to omit oauth_scopes entirely if it’s not needed.
Actual Behavior
In the current Terraform provider implementation for snowflake_secret_with_client_credentials, oauth_scopes is treated as a required parameter. Even if the underlying Snowflake configuration considers it optional, the Terraform provider forces the user to provide a value. As a result, users cannot create a secret resource without explicitly specifying oauth_scopes, which contradicts the optional nature described in the Snowflake SQL reference.
Steps to Reproduce
Create api_authentication_integration and snowflake_secret_with_client_credentials as follows. The problem with oauth_scopes of snowflake_secret_with_client_credentials can be reproduced by setting it to empty.
# client secret is dummy value generated by openssl
# openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 | ruby -e 'puts STDIN.read.lines.reject{|l|l.include?("-----")}.join.gsub("\n","")'
resource "snowflake_api_authentication_integration_with_jwt_bearer" "snowflake_connector_for_gard" {
  provider               = snowflake.accountadmin
  enabled                = true
  name                   = var.security_integration_name
  comment                = "Security integration for Snowflake Connector for Google Analytics Raw Data"
  oauth_client_id        = "dummy"
  oauth_client_secret    = "<dummy key value omitted>"
  oauth_assertion_issuer = "dummy"
  oauth_token_endpoint   = "https://oauth2.googleapis.com/token"
}

resource "snowflake_secret_with_client_credentials" "example" {
  provider           = snowflake.accountadmin
  name               = "example"
  database           = "workspace"
  schema             = "example"
  api_authentication = snowflake_api_authentication_integration_with_jwt_bearer.snowflake_connector_for_gard.name
  // oauth_scopes = ["something scope"]
  comment            = "Secret for Snowflake Connector for Google Analytics Raw Data"
}
How much impact is this issue causing?
Medium
Logs
No response
Additional Information
No response
Would you like to implement a fix?
Yeah, I'll take it 😎
Thanks for raising the issue.
As you have shown interest in providing a fix, please read our contributing guidelines, and in case of any issues (or questions about the implementation), use this thread for communication.
Hey @TrsNium 👋
Snowflake SQL documentation states that the parameter oauth_scopes for secret with client credentials is required. However, you are right about the behavior of the object itself. On Snowsight, it is possible to create the secret with client credentials without specifying the oauth_scopes parameter.
We make the resources according to the documentation, not to the undocumented behavior, and that's why this parameter is marked as required.
Thanks for reporting the issue, it will help us push this issue further internally.
Lost a fair bit of time trying to figure this one out.
I was starting to wonder if this was a secret of type CLOUD_PROVIDER_TOKEN, which is not yet available in Terraform but that I could find in the documentation. Looking forward to hearing what the retained final behavior is, then.
Terraform CLI Version
1.7.0
Terraform Provider Version
0.99.0
Company Name
No response