dbt-snowflake: MFA Token not being cached

Describe the bug

I’m trying to get Snowflake’s DUO-based MFA working when running dbt in a linux container running on my laptop. Technically it works, but it’s not caching the token and I have to repeatedly re-authorize. I have tried:

  • Setting ALLOW_CLIENT_MFA_CACHING to true for the account
  • Setting ALLOW_ID_TOKEN to true for the account
  • Setting authenticator: username_password_mfa in profiles.yml

All that, and yet, every time I run dbt, I get 4 MFA auth requests right away, and then 1 for each model that it runs. Obviously, this is impractical with 10-100’s of models. I’m wondering what else I might be missing, if anything. I swear there used to be a note in Snowflake’s docs that some aspect of this only worked on Mac and Windows environments, but I can’t find that anymore and was hopeful that it had been resolved for linux. Perhaps this is a dbt defect that isn’t sending the right auth method to the python lib?

System information

The output of dbt --version:

root@bbafbba2e1dc:/dbt-runner/dbt# dbt --version
installed version: 0.21.0
   latest version: 0.21.1

Your version of dbt is out of date! You can find instructions for upgrading here:
https://docs.getdbt.com/docs/installation

Plugins:
  - snowflake: 0.21.0

The operating system you’re using: Using a linux container built based on this dockerfile (with some minor modifications)

root@bbafbba2e1dc:/dbt-runner/dbt# cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"


root@bbafbba2e1dc:/dbt-runner/dbt# uname -r
5.10.47-linuxkit

The output of python --version:

root@bbafbba2e1dc:/dbt-runner/dbt# python --version
Python 3.8.12

Version of snowflake connector: snowflake-connector-python[secure-local-storage]==2.5.1

About this issue

  • State: closed
  • Created 3 years ago
  • Reactions: 2
  • Comments: 20 (8 by maintainers)

Most upvoted comments

Doing some repo cleanup and wanted to leave for posterity the note that the following must be done to cache:

  • from a role/user with appropriate permissions, run alter account set allow_client_mfa_caching = true;
  • add to profiles.yml, authenticator: username_password_mfa

Both are needed to end the incessant pinging. Verified on MacOS and Linux. I was able to verify this even applies midrun! As of me writing this message, any user running off main’s sha will have access to this quality of life enhancement, and it will be ported in due course.

I’ll be making sure this is ported to our docs (PR up, merge date unknown at this time)
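
A check for the profiles.yml half of the two steps above, as an added example that is not part of the original thread or of dbt itself: it walks a parsed profiles.yml and reports which Snowflake targets log in with a password but lack authenticator: username_password_mfa. The profile names, target names and status labels are constructed for illustration.

```python
"""Audit dbt profiles for Snowflake targets that will not cache the MFA token."""

MFA_CACHING_AUTHENTICATOR = "username_password_mfa"  # value quoted on this page


def audit_profiles(profiles):
    """Return (profile, target, status) rows; `profiles` is yaml.safe_load(profiles.yml)."""
    findings = []
    for profile_name, profile in profiles.items():
        # Skip a top-level `config:` block and anything else without outputs.
        outputs = profile.get("outputs") if isinstance(profile, dict) else None
        if not isinstance(outputs, dict):
            continue
        for target_name, target in outputs.items():
            if not isinstance(target, dict) or target.get("type") != "snowflake":
                continue
            authenticator = target.get("authenticator")
            if authenticator == MFA_CACHING_AUTHENTICATOR:
                status = "ok"
            elif authenticator is None and "password" in target:
                # Password login without the authenticator: the repeated
                # MFA prompts reported in this issue.
                status = "no-mfa-cache"
            else:
                # Key pair, SSO, OAuth and similar: out of scope for this check.
                status = "not-password-mfa"
            findings.append((profile_name, target_name, status))
    return findings


# Constructed sample shaped like a parsed profiles.yml (all values are made up).
SAMPLE = {
    "config": {"send_anonymous_usage_stats": False},
    "analytics": {
        "target": "dev",
        "outputs": {
            "dev": {"type": "snowflake", "account": "example", "user": "me",
                    "password": "placeholder", "threads": 4},
            "ci": {"type": "snowflake", "account": "example", "user": "me",
                   "password": "placeholder", "authenticator": MFA_CACHING_AUTHENTICATOR},
            "sso": {"type": "snowflake", "account": "example", "user": "me",
                    "authenticator": "externalbrowser"},
        },
    },
}

if __name__ == "__main__":
    for row in audit_profiles(SAMPLE):
        print(*row)
```

The account-side half (allow_client_mfa_caching) lives in Snowflake and is not visible from profiles.yml, so it has to be confirmed separately in the account.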

Update: for some reason, after the update I’ve now tried again by adding the authenticator to profiles.yml and it works