RPC for Snowflake in Secret Server

RPC for Snowflake in Secret Server applies to Snowflake SQL database user accounts, including both admin and non-admin user accounts.

Prerequisites

Make sure you have:

  • Two active Snowflake accounts. One of these accounts must be a privileged admin account, which is used to change passwords.

  • A Secret Server user who can create two Snowflake secrets.

    • Optionally, admin credentials for Secret Server (the Limited_User_Admin role) must be assigned to the admin account.

  • The RPC feature enabled in Secret Server.

  • Permission to create and configure secrets.

  • Heartbeat monitoring and remote password-changing features enabled in Secret Server.

  • A site with a distributed engine that has access to the internet.

The creation of custom roles and the setup of user-role relationships are not part of the password changer implementation itself. These steps are a prerequisite that you must perform in order to use the password changer securely and correctly.

Role Usage Scenarios

  • The user can define a custom role for managing multiple users and their passwords. Essentially, this role would function like a group while still being a role.

    Example: A user can create a user-defined role named Custom_Role. User1, User2, User3, User4, and User5 are users owned by Custom_Role. User1 has been assigned to Custom_Role, allowing this user to manage the passwords of the other users who also belong to Custom_Role.

  • Two roles can be created, each managing their own set of users.

    Example: Two roles are created, AccountAdmin and Limited_User_Admin, each with multiple separate user accounts assigned to it. One of these accounts is AccountUser1, which has both roles assigned to it. This allows AccountUser1 to rotate the passwords of users belonging to both roles.

    AccountUser1 needs to use the following commands:

    • USE ROLE AccountAdmin before doing password rotation for any of the users assigned to that role.

    • USE ROLE Limited_User_Admin before doing password rotation for any of the users assigned to this second role.
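The two-role setup described above can be prepared in Snowflake as follows. This is an added example, not part of the original page or the password changer itself; SvcUserA, SvcUserB, SvcUserC and the password value are placeholders, and Custom_Role stands in for the first of the two roles.

```sql
-- Added example. Assumption: the users below already exist in Snowflake.
-- SvcUserA/B/C and '<new-password>' are placeholders.

-- One-time setup, run by an administrator.
-- SECURITYADMIN is the built-in role that can create roles and transfer ownership.
USE ROLE SECURITYADMIN;

CREATE ROLE IF NOT EXISTS Custom_Role;
CREATE ROLE IF NOT EXISTS Limited_User_Admin;

-- Each role owns only the users whose passwords it is allowed to rotate.
-- Ownership of a user is what permits ALTER USER ... SET PASSWORD.
GRANT OWNERSHIP ON USER SvcUserA TO ROLE Custom_Role COPY CURRENT GRANTS;
GRANT OWNERSHIP ON USER SvcUserB TO ROLE Custom_Role COPY CURRENT GRANTS;
GRANT OWNERSHIP ON USER SvcUserC TO ROLE Limited_User_Admin COPY CURRENT GRANTS;

-- The privileged account used for password changing holds both roles.
GRANT ROLE Custom_Role        TO USER AccountUser1;
GRANT ROLE Limited_User_Admin TO USER AccountUser1;

-- Verify before wiring the account into a secret:
SHOW USERS LIKE 'SvcUser%';        -- the "owner" column should show the intended role
SHOW GRANTS TO USER AccountUser1;  -- should list both roles and nothing broader

-- Manual equivalent of a rotation, run as AccountUser1.
-- The active role must be the one that owns the target user.
USE ROLE Custom_Role;
ALTER USER SvcUserA SET PASSWORD = '<new-password>';

USE ROLE Limited_User_Admin;
ALTER USER SvcUserC SET PASSWORD = '<new-password>';

-- With Custom_Role active, altering SvcUserC is rejected, because that role
-- does not own the user. This is the boundary the role split provides.
```

Keeping user ownership in narrowly scoped roles means the privileged secret stored in Secret Server never needs SECURITYADMIN or a broader built-in role to rotate passwords.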

Configuration

  1. Log into Secret Server.

  2. Navigate to All Secrets and click the Create secret button. The Create new secret popup appears.

  3. Search for the Snowflake account template and select it. The popup refreshes automatically to reflect the fields you must fill in.

  4. Complete the following fields:

    1. Secret name: give the secret an appropriate name.

    2. AccountId: you will find this as a part of your Snowflake URL (starts with lsb followed by several numbers).

    3. Username: the username used to sign into the Snowflake account.

    4. Password: the password used to sign into the Snowflake account.

    5. Site: set a site with a distributed engine that can access Snowflake services.

    6. Leave Auto Change Enabled unchecked and click Create secret. The newly created secret loads automatically for viewing.

  5. The Heartbeat operation runs automatically to check if the entered credentials are valid. If the credentials are valid, the status will change from Pending to Success.

    If the credentials are not valid, the status will change from Pending to Failed.

    The distributed engine checks for RPC every 300 seconds. If the heartbeat state remains in Pending for longer than 300 seconds, confirm that the site has an operational distributed engine by accessing Settings > Sites and engines.

    To verify the status of the heartbeat processes, navigate to Settings > Heartbeat Log.

  6. Navigate to the Remote password changing tab and select Edit for the RPC/Autochange section.

  7. For Change password using, select the Privileged account credentials option.

    1. If you chose the option above, the Change password using option appears, and you must select a secret by clicking on the No secret selected link.

    2. A popup will appear where you can search for the secret you want to associate.

    3. Select a Snowflake user with the Limited_User_Admin role used to process the password change.

    4. Click Save.

  8. (Optional) Access the Change password now option button from the top right corner if you want to change the secret password. Alternatively, it can be found under the Options dropdown list: