2

We are using a Snowflake database and we have created multi-tenant tables. We have created a user-name and password for each tenant. These user-names and passwords are used in applications that use AWS QuickSight and the Microsoft Power BI tool. These user-names and passwords are NOT directly accessible by the tenant; instead, only our own application teams have access to them. We can't use key pair authentication as QuickSight does not support it yet.

Question: Looking for a pattern on how to rotate these passwords without downtime. We want to rotate these passwords on a fixed schedule, like every 6 months.

Felipe Hoffa
user3822232

2 Answers

1

We decided to go with a 2-user strategy and alternate between the 2. We manage these users ourselves.

user3822232
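The two-user alternation from the answer above, written out as an added example (not code from the answer's author). The `_SVC_A`/`_SVC_B` user naming and the `run_sql`, `check_login` and `publish` callbacks are assumptions of this sketch; `ALTER USER ... SET PASSWORD` is the Snowflake statement that resets a password.

```python
import re
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # no quote characters, safe in a SQL literal
TENANT_RE = re.compile(r"[A-Z][A-Z0-9_]{0,40}")

def new_password(length=32):
    """CSPRNG password; retried until it has a digit, an upper- and a lower-case letter."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if any(c.isdigit() for c in pw) and any(c.islower() for c in pw) \
                and any(c.isupper() for c in pw):
            return pw

def pair(tenant):
    """Two service users per tenant (assumed naming). Rejects names unsafe to put in SQL."""
    if not TENANT_RE.fullmatch(tenant):
        raise ValueError(f"unsafe tenant identifier: {tenant!r}")
    return f"{tenant}_SVC_A", f"{tenant}_SVC_B"

def rotate(tenant, active, run_sql, check_login, publish):
    """Move `tenant` to its standby user and return that user's name.

    Hypothetical callbacks: run_sql(stmt) executes on an admin Snowflake session,
    check_login(user, pw) -> bool opens a test connection, and
    publish(tenant, user, pw) updates the QuickSight / Power BI data source.
    """
    a, b = pair(tenant)
    if active not in (a, b):
        raise ValueError(f"{active!r} is not a service user of {tenant}")
    standby = b if active == a else a
    password = new_password()
    # 1. Reset only the standby user; the active login is untouched, so dashboards keep working.
    run_sql(f"ALTER USER {standby} SET PASSWORD = '{password}'")
    # 2. Prove the new credential works before anything depends on it.
    if not check_login(standby, password):
        raise RuntimeError(f"{standby} cannot log in; {active} stays active")
    # 3. Cut over. The old user stays valid as a rollback path until the next rotation resets it.
    publish(tenant, standby, password)
    return standby
```

With a 6-month schedule, each password remains valid for up to 12 months, because the previous user is only reset at the following rotation.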
0

Consider the "Snowflake Database Secrets Engine" by HashiCorp Vault:

"This plugin generates database credentials dynamically based on configured roles for Snowflake-hosted databases and supports Static Roles"

For example, you can configure it to rotate passwords every 24 hours, and it gives you an endpoint to retrieve the latest password.

Felipe Hoffa