Is there any way to use the identity in SageMaker to authenticate to external services like Snowflake?


In my company the users are required to authenticate to Snowflake using MFA, therefore they can't connect to Snowflake using username/password. Usually when they connect with the snowflake-connector-python from their laptops they have to use authenticator="externalbrowser", which opens a browser window where they perform the authentication with Azure AD.

Now when we try to do the same thing in SageMaker it won't work as the snowflake-connector-python does not have a way to open a browser in this case.

I was wondering if there was any way to get a JWT/OAuth access_token with the current role, etc. from SageMaker (in the SageMaker notebook) so that we could use that to authenticate to Snowflake instead.

I mean something like in EKS IRSA where Kubernetes provides the pods with a JWT token generated by EKS itself or like GitLab CI_JOB_JWT_V2.

Is there something similar in SageMaker?

I came up with the following workaround, but it's honestly a lot of work and I would like to avoid it if possible:

  • Set up a secret per user in AWS Secrets Manager; the secret will contain a JWT signed by a private key controlled by me. The JWT is short lived (1 hour).
  • Set up secret rotation to generate a new JWT per user every 45 minutes and update the secret in Secrets Manager.
  • Set up permissions for each secret so each user can only see their own JWT and not the others'.

That way the users will have to fetch the current JWT from AWS Secrets Manager each time, and use that to authenticate to Snowflake (provided that I set up a Snowflake security integration for external OAuth, where I trust that JWT issuer).

Can anyone come up with a simpler setup?

Best regards/Rubén

ecerulm
asked a year ago, 724 views
2 Answers
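The workaround sketched in the question (a short-lived JWT per user, minted under a private key the issuer controls, rotated into AWS Secrets Manager, and consumed from the notebook through a Snowflake external OAuth integration), as an added example that is not code from the question or from any answer. It uses the cryptography package; the issuer URL, audience, secret naming, key id and the boto3 Secrets Manager client are assumptions, and the claim set must be adjusted to whatever the security integration is configured to expect.

```python
import base64
import json
import time

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

ISSUER = "https://jwt-issuer.example.internal"  # hypothetical; the security integration trusts this issuer
AUDIENCE = "snowflake"            # must equal the audience configured on the Snowflake side
LIFETIME = 60 * 60                # 1-hour tokens; the rotation job re-mints every 45 minutes
SECRET_PREFIX = "snowflake/jwt/"  # hypothetical per-user secret name, e.g. snowflake/jwt/ruben

def generate_signing_key():
    """The private key 'controlled by me'; only its public half is registered with Snowflake."""
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def mint_jwt(private_key, user: str, now=None) -> str:
    """Build and RS256-sign the JWT; the rotation job stores the result with put_secret_value."""
    now = int(time.time()) if now is None else now
    header = {"alg": "RS256", "typ": "JWT", "kid": "rotation-key-1"}  # kid is hypothetical
    claims = {"iss": ISSUER, "sub": user, "aud": AUDIENCE, "iat": now, "exp": now + LIFETIME}
    encode = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{encode(header)}.{encode(claims)}"
    signature = private_key.sign(signing_input.encode(), padding.PKCS1v15(), hashes.SHA256())
    return f"{signing_input}.{_b64url(signature)}"

def verify_jwt(public_key, token: str, now=None) -> dict:
    """The checks a relying party applies before trusting the token: signature, iss, aud, exp."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    unb64url = lambda s: base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
    try:
        public_key.verify(unb64url(sig_b64), f"{header_b64}.{claims_b64}".encode(),
                          padding.PKCS1v15(), hashes.SHA256())
    except InvalidSignature as exc:
        raise ValueError("signature does not verify") from exc
    claims = json.loads(unb64url(claims_b64))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE or claims.get("exp", 0) <= now:
        raise ValueError("issuer, audience or expiry check failed")
    return claims

def connect_from_notebook(secrets_client, user: str, account: str):
    """Notebook side: read your own secret (boto3 client) and pass it to the connector as an OAuth token."""
    import snowflake.connector  # only required inside the notebook
    token = secrets_client.get_secret_value(SecretId=SECRET_PREFIX + user)["SecretString"]
    return snowflake.connector.connect(account=account, user=user, authenticator="oauth", token=token)
```

Because a token lives 60 minutes but is replaced every 45, a value read from the secret just before rotation stays usable for the remaining 15 minutes, so the notebook never has to race the rotation job.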

Hi,

Maybe another option for you: use AWS Identity Center (via SageMaker), formerly known as AWS SSO, as identity provider to Snowflake.

Lots of applications are already integrated: https://docs.aws.amazon.com/singlesignon/latest/userguide/saasapps.html

Snowflake itself has an article to describe how to do it: https://community.snowflake.com/s/article/How-To-Configure-AWS-Single-Sign-On-as-an-Identity-provider-for-SSO-with-Snowflake

AWS
EXPERT
answered a year ago
  • But that won't work either, the users need to use snowflake-connector-python on the SageMaker Studio notebook and the notebook will not be able to trigger the SSO with AWS Identity Center either.

    If I execute the following in a SageMaker Studio notebook:

    import snowflake.connector

    # Browser-based SSO flow: the connector tries to open a browser for the IdP login
    conn = snowflake.connector.connect(
        account="xxxxx",
        user="myusername",
        authenticator="externalbrowser",
        database="sandbox",
        schema="xxx",
        warehouse="xxx",
    )

    I will be presented with a prompt saying that snowflake-connector-python couldn't open a browser:

    Initiating login request with your identity provider. A browser window should have opened for you to complete the login. If you can't see it, check existing browser windows, or your OS settings. Press CTRL+C to abort and try again...
    Going to open: https://login.microsoftonline.com/xxxx/saml2?SAMLRequest=xxxx&RelayState=xxx to authenticate...
    We were unable to open a browser window for you, please open the url above manually then paste the URL you are redirected to into the terminal.
    Enter the URL the SSO URL redirected you to: _____
    

    If I actually follow that process of copying (the really long URL) to my browser, the login process will complete on an error page http://localhost:xxxx/?token=xxxx; if I copy that final URL into the "Enter the URL the SSO URL redirected you to ____" prompt, then it will actually work.

    But the whole process is not very user-friendly.

  • Can't you add some code catching this message, parsing the URL and then sending a request to this URL? (It's not ideal, I agree, but it may at least provide a better user experience.)


Currently facing the same issue. Or actually worse, since the "externalbrowser" authenticator does not work in my local browser, as it redirects me to snowflake which is not reachable over public internet in our setup. Didier_Durand's answer would by the way not work, as the cell is in a pending status until the response URL is returned, making it impossible to do custom parsing/handling here.

answered 7 months ago
