Suraj-kumar00 commented on issue #62037:
URL: https://github.com/apache/airflow/issues/62037#issuecomment-3922237129

   Hey @Poornima030596  👋, I've done some investigation and here's what I found:
   
   After analyzing the codebase and the [Snowflake PAT 
docs](https://docs.snowflake.com/en/user-guide/programmatic-access-tokens), 
PATs can be used in **two ways:**
   
   * **As a password** passed directly to 
`snowflake.connector.connect(password=<PAT>)`
   * **As a bearer token for REST/SQL APIs** — via `Authorization: Bearer 
<PAT>` with header `X-Snowflake-Authorization-Token-Type: 
PROGRAMMATIC_ACCESS_TOKEN`
   
   ### Current state of the Airflow Snowflake provider:
   
   **`SnowflakeHook` (Python connector path):**
   PATs already work here the password is passed straight through to the 
connector. Only a docs update is needed to mention PAT as a supported auth 
method in the *Password* field.
   
   **`SnowflakeSqlApiHook` (SQL API path):**
   This is where the actual gap exists.
   `get_headers()` currently supports only OAuth and JWT key-pair auth. There's 
no code path to send a PAT as a bearer token with the required 
`X-Snowflake-Authorization-Token-Type: PROGRAMMATIC_ACCESS_TOKEN` header.
   
   > Note: The SnowflakeSqlApiOperator docstring currently says "This Operator 
currently uses key pair authentication" this is already stale since OAuth 
support was added later. This will also be updated as part of the PR.
   
   
   
   ### Proposed approach:
   
   * **Docs-only for `SnowflakeHook`** document that PATs can be used in the 
*Password* field
   * **Code + Docs for `SnowflakeSqlApiHook`** add a new auth path in 
`get_headers()` triggered by `authenticator: programmatic_access_token` in 
connection extras, which sends the PAT as a bearer token with the correct header
   * **Fix stale docstring** in SnowflakeSqlApiOperator
   
   Would appreciate feedback on this approach before I submit the PR.
   
   cc @eladkal @jroachgolf84 @potiuk


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to