kaxil commented on code in PR #68107:
URL: https://github.com/apache/airflow/pull/68107#discussion_r3366017768
##########
providers/snowflake/src/airflow/providers/snowflake/hooks/snowflake.py:
##########
@@ -407,6 +412,13 @@ def _get_static_conn_params(self) -> dict[str, str | None]:
if client_store_temporary_credential:
conn_config["client_store_temporary_credential"] =
client_store_temporary_credential
+ # Workload Identity Federation (keyless auth): when the connection sets
+ # ``authenticator=WORKLOAD_IDENTITY``, the connector also needs to
know which
+ # cloud the workload runs on. One value (AWS, AZURE, GCP or OIDC)
covers all
+ # providers. See
https://docs.snowflake.com/en/user-guide/workload-identity-federation.
+ if workload_identity_provider:
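Review bot: the guard at `if workload_identity_provider:` only tests truthiness, while the comment above it says the value applies when `authenticator=WORKLOAD_IDENTITY` and must be one of AWS, AZURE, GCP or OIDC. Consider checking the value against those four names, and that the authenticator is in fact WORKLOAD_IDENTITY, at this point, so that a typo or a stray extra field fails with an error naming the connection field instead of surfacing later inside the connector.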
Review Comment:
Good catch, I didn't notice this as I tested it with GCP, where the
connector pulls the token from the metadata service. OIDC is the one provider
that needs the caller to supply the token (otherwise the connector raises
`token must be provided if workload_identity_provider=OIDC`).
Pushed `2bd5476` forwarding `token` and `token_file_path` from the
connection extra, with docs and tests for both. `token_file_path` is the nicer
path for rotated tokens (e.g. a projected Kubernetes service-account token).
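An added example, not code from the PR or from the Airflow provider: a pre-flight check for the rule described in the comment above, that OIDC is the one provider needing a caller-supplied token. The helper name `build_wif_params`, the case normalization, the validation policy and the error messages are assumptions; the key names `workload_identity_provider`, `token` and `token_file_path` come from the comment.

```python
import os

# Provider names listed in the hunk's code comment.
ALLOWED_PROVIDERS = {"AWS", "AZURE", "GCP", "OIDC"}


def build_wif_params(extra: dict) -> dict:
    """Hypothetical helper: validate the Workload Identity Federation fields
    of a connection extra and return the parameters to forward."""
    provider = (extra.get("workload_identity_provider") or "").strip().upper()
    if not provider:
        return {}
    if provider not in ALLOWED_PROVIDERS:
        raise ValueError(f"unsupported workload_identity_provider: {provider!r}")

    params = {"workload_identity_provider": provider}
    if provider != "OIDC":
        # Per the comment, on GCP the connector fetches the token itself;
        # this example assumes the same for AWS and AZURE.
        return params

    token_file_path = extra.get("token_file_path")
    token = extra.get("token")
    if token_file_path:
        # Forward the path, not the contents: the secret stays out of the
        # parameter dict and a rotated token is picked up on the next read.
        if not os.path.isfile(token_file_path):
            raise ValueError("token_file_path does not point to a file")
        if os.path.getsize(token_file_path) == 0:
            raise ValueError("token_file_path points to an empty file")
        params["token_file_path"] = token_file_path
    elif token:
        params["token"] = token
    else:
        # Fail before connecting instead of waiting for the connector error.
        raise ValueError("OIDC requires token or token_file_path in the extra")
    return params


if __name__ == "__main__":
    # Constructed sample extras, for illustration only.
    print(build_wif_params({"workload_identity_provider": "gcp"}))
    try:
        build_wif_params({"workload_identity_provider": "OIDC"})
    except ValueError as exc:
        print("rejected:", exc)
```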