Implement Key-Pair Authentication for Athena Snowflake Connector (awslabs#2857)

Co-authored-by: Dai Ozaki <[email protected]>
Co-authored-by: chngpe <[email protected]>

Author: 3 people

athena-snowflake/pom.xml

@@ -32,11 +32,20 @@
             <artifactId>snowflake-jdbc</artifactId>
             <version>3.25.1</version>
         </dependency>
-        <!-- https://mvnrepository.com/artifact/org.json/json -->
         <dependency>
-            <groupId>org.json</groupId>
-            <artifactId>json</artifactId>
-            <version>20250517</version>
+            <groupId>org.bouncycastle</groupId>
+            <artifactId>bcprov-jdk18on</artifactId>
+            <version>1.78.1</version>
+        </dependency>
+        <dependency>
+            <groupId>org.bouncycastle</groupId>
+            <artifactId>bcpkix-jdk18on</artifactId>
+            <version>1.78.1</version>
+        </dependency>
+        <dependency>
+            <groupId>org.bouncycastle</groupId>
+            <artifactId>bcutil-jdk18on</artifactId>
+            <version>1.78.1</version>
         </dependency>
         <!-- https://mvnrepository.com/artifact/software.amazon.awssdk/rds -->
         <dependency>

athena-snowflake/src/main/java/com/amazonaws/athena/connectors/snowflake/SnowflakeConstants.java

@@ -35,11 +35,36 @@ public final class SnowflakeConstants
      */
     public static final int SINGLE_SPLIT_LIMIT_COUNT = 10000;
     public static final String SNOWFLAKE_QUOTE_CHARACTER = "\"";
+
+    /** Configuration key for specifying the authentication method */
+    public static final String AUTHENTICATOR = "authenticator";
+
+    /**
+     * OAuth 2.0 Authentication Constants
+     * These constants are used for configuring OAuth-based authentication with Snowflake.
+     */
     public static final String AUTH_CODE = "auth_code";
     public static final String CLIENT_ID = "client_id";
     public static final String TOKEN_URL = "token_url";
     public static final String REDIRECT_URI = "redirect_uri";
     public static final String CLIENT_SECRET = "client_secret";
 
+    /**
+     * Key-Pair Authentication Constants
+     * These constants are used for configuring public/private key pair authentication with Snowflake.
+     */
+    public static final String SF_USER = "sfUser";
+    public static final String PEM_PRIVATE_KEY = "pem_private_key";
+    public static final String PEM_PRIVATE_KEY_PASSPHRASE = "pem_private_key_passphrase";
+    public static final String PRIVATE_KEY = "privateKey";
+    
+    /**
+     * Password Authentication Constants
+     * These constants are used for traditional username/password authentication with Snowflake.
+     */
+    public static final String USERNAME = "username";
+    public static final String PASSWORD = "password";
+    public static final String USER = "user";
+
     private SnowflakeConstants() {}
 }

athena-snowflake/src/main/java/com/amazonaws/athena/connectors/snowflake/SnowflakeCredentialsProvider.java

@@ -22,9 +22,11 @@
 import com.amazonaws.athena.connector.credentials.CredentialsProvider;
 import com.amazonaws.athena.connector.credentials.DefaultCredentials;
 import com.amazonaws.athena.connector.lambda.security.CachableSecretsManager;
+import com.amazonaws.athena.connectors.snowflake.utils.SnowflakeAuthType;
+import com.amazonaws.athena.connectors.snowflake.utils.SnowflakeAuthUtils;
 import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.node.ObjectNode;
 import com.google.common.annotations.VisibleForTesting;
-import org.json.JSONObject;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import software.amazon.awssdk.services.secretsmanager.SecretsManagerClient;
@@ -43,10 +45,14 @@
 import java.util.HashMap;
 import java.util.Map;
 
+import static com.amazonaws.athena.connectors.snowflake.utils.SnowflakeAuthType.OAUTH;
+import static com.amazonaws.athena.connectors.snowflake.utils.SnowflakeAuthUtils.getUsername;
+import static com.amazonaws.athena.connectors.snowflake.utils.SnowflakeAuthUtils.validateCredentials;
+
 /**
- * Snowflake OAuth credentials provider that manages OAuth token lifecycle.
- * This provider handles token refresh, expiration, and provides credential properties
- * for Snowflake OAuth connections.
+ * Snowflake credentials provider that manages multiple authentication methods.
+ * This provider handles OAuth token lifecycle, key-pair authentication, and password authentication.
+ * Authentication method is automatically determined based on the secret contents.
  */
 public class SnowflakeCredentialsProvider implements CredentialsProvider
 {
@@ -56,10 +62,6 @@ public class SnowflakeCredentialsProvider implements CredentialsProvider
     public static final String FETCHED_AT = "fetched_at";
     public static final String REFRESH_TOKEN = "refresh_token";
     public static final String EXPIRES_IN = "expires_in";
-    public static final String USERNAME = "username";
-    public static final String PASSWORD = "password";
-    public static final String USER = "user";
-
     private final String oauthSecretName;
     private final CachableSecretsManager secretsManager;
     private final ObjectMapper objectMapper;
@@ -82,8 +84,8 @@ public DefaultCredentials getCredential()
     {
         Map<String, String> credentialMap = getCredentialMap();
         return new DefaultCredentials(
-            credentialMap.get(USER),
-            credentialMap.get(PASSWORD)
+            credentialMap.get(SnowflakeConstants.USER),
+            credentialMap.get(SnowflakeConstants.PASSWORD)
         );
     }
 
@@ -92,32 +94,71 @@ public Map<String, String> getCredentialMap()
     {
         try {
             String secretString = secretsManager.getSecret(oauthSecretName);
-            Map<String, String> oauthConfig = objectMapper.readValue(secretString, Map.class);
+            Map<String, String> secretMap = objectMapper.readValue(secretString, Map.class);
 
-            if (oauthConfig.containsKey(SnowflakeConstants.AUTH_CODE) && !oauthConfig.get(SnowflakeConstants.AUTH_CODE).isEmpty()) {
-                // OAuth flow
-                String accessToken = fetchAccessTokenFromSecret(oauthConfig);
-                
-                Map<String, String> credentialMap = new HashMap<>();
-                credentialMap.put(USER, oauthConfig.get(USERNAME));
-                credentialMap.put(PASSWORD, accessToken);
-                credentialMap.put("authenticator", "oauth");
-                
-                return credentialMap;
-            }
-            else {
-                // Fallback to standard credentials
-                return Map.of(
-                        USER, oauthConfig.get(USERNAME),
-                        PASSWORD, oauthConfig.get(PASSWORD)
-                );
+            // Determine authentication type based on secret contents
+            SnowflakeAuthType authType = SnowflakeAuthUtils.determineAuthType(secretMap);
+            // Validate credentials once after determining auth type
+            validateCredentials(secretMap, authType);
+            switch (authType) {
+                case SNOWFLAKE_JWT:
+                    // Key-pair authentication
+                    return handleKeyPairAuthentication(secretMap);
+                case OAUTH:
+                    // OAuth flow
+                    return handleOAuthAuthentication(secretMap);
+                case SNOWFLAKE:
+                default:
+                    // Password authentication (backward compatible)
+                    return handlePasswordAuthentication(secretMap);
             }
         }
         catch (Exception ex) {
             throw new RuntimeException("Error retrieving Snowflake credentials: " + ex.getMessage(), ex);
         }
     }
 
+    /**
+     * Handles key-pair authentication.
+     */
+    private Map<String, String> handleKeyPairAuthentication(Map<String, String> oauthConfig)
+    {
+        Map<String, String> credentialMap = new HashMap<>();
+        String username = getUsername(oauthConfig);
+        credentialMap.put(USER, username);
+        credentialMap.put(SnowflakeConstants.PEM_PRIVATE_KEY, oauthConfig.get(SnowflakeConstants.PEM_PRIVATE_KEY));
+        credentialMap.put(SnowflakeConstants.PEM_PRIVATE_KEY_PASSPHRASE, oauthConfig.get(SnowflakeConstants.PEM_PRIVATE_KEY_PASSPHRASE));
+        LOGGER.debug("Using key-pair authentication for user: {}", username);
+        return credentialMap;
+    }
+
+    /**
+     * Handles OAuth authentication.
+     */
+    private Map<String, String> handleOAuthAuthentication(Map<String, String> oauthConfig) throws Exception
+    {
+        String accessToken = fetchAccessTokenFromSecret(oauthConfig);
+        Map<String, String> credentialMap = new HashMap<>();
+        String username = getUsername(oauthConfig);
+        credentialMap.put(SnowflakeConstants.USER, username);
+        credentialMap.put(SnowflakeConstants.PASSWORD, accessToken);
+        credentialMap.put(SnowflakeConstants.AUTHENTICATOR, OAUTH.getValue());
+        LOGGER.debug("Using OAuth authentication for user: {}", username);
+        return credentialMap;
+    }
+
+    /**
+     * Handles password authentication (backward compatible).
+     */
+    private Map<String, String> handlePasswordAuthentication(Map<String, String> oauthConfig)
+    {
+        Map<String, String> credentialMap = new HashMap<>();
+        credentialMap.put(SnowflakeConstants.USER, getUsername(oauthConfig));
+        credentialMap.put(SnowflakeConstants.PASSWORD, oauthConfig.get(SnowflakeConstants.PASSWORD));
+        LOGGER.debug("Using password authentication for user: {}", getUsername(oauthConfig));
+        return credentialMap;
+    }
+
     private String loadTokenFromSecretsManager(Map<String, String> oauthConfig)
     {
         if (oauthConfig.containsKey(ACCESS_TOKEN)) {
@@ -126,20 +167,27 @@ private String loadTokenFromSecretsManager(Map<String, String> oauthConfig)
         return null;
     }
 
-    private void saveTokenToSecretsManager(JSONObject tokenJson, Map<String, String> oauthConfig)
+    private void saveTokenToSecretsManager(ObjectNode tokenJson, Map<String, String> oauthConfig)
     {
         // Update token related fields
         tokenJson.put(FETCHED_AT, System.currentTimeMillis() / 1000);
-        oauthConfig.put(ACCESS_TOKEN, tokenJson.getString(ACCESS_TOKEN));
-        oauthConfig.put(REFRESH_TOKEN, tokenJson.getString(REFRESH_TOKEN));
-        oauthConfig.put(EXPIRES_IN, String.valueOf(tokenJson.getInt(EXPIRES_IN)));
-        oauthConfig.put(FETCHED_AT, String.valueOf(tokenJson.getLong(FETCHED_AT)));
+        oauthConfig.put(ACCESS_TOKEN, tokenJson.get(ACCESS_TOKEN).asText());
+        oauthConfig.put(REFRESH_TOKEN, tokenJson.get(REFRESH_TOKEN).asText());
+        oauthConfig.put(EXPIRES_IN, String.valueOf(tokenJson.get(EXPIRES_IN).asInt()));
+        oauthConfig.put(FETCHED_AT, String.valueOf(tokenJson.get(FETCHED_AT).asLong()));
 
         // Save updated secret
-        secretsManager.getSecretsManager().putSecretValue(builder -> builder
-                .secretId(this.oauthSecretName)
-                .secretString(String.valueOf(new JSONObject(oauthConfig)))
-                .build());
+        try {
+            String updatedSecretString = objectMapper.writeValueAsString(oauthConfig);
+            secretsManager.getSecretsManager().putSecretValue(builder -> builder
+                    .secretId(this.oauthSecretName)
+                    .secretString(updatedSecretString)
+                    .build());
+        }
+        catch (Exception e) {
+            LOGGER.error("Failed to save updated secret: ", e);
+            throw new RuntimeException("Failed to save updated secret: ", e);
+        }
     }
 
     private String fetchAccessTokenFromSecret(Map<String, String> oauthConfig) throws Exception
@@ -155,9 +203,9 @@ private String fetchAccessTokenFromSecret(Map<String, String> oauthConfig) throw
 
         if (accessToken == null) {
             LOGGER.debug("First time auth. Using authorization_code...");
-            JSONObject tokenJson = getTokenFromAuthCode(authCode, redirectUri, tokenEndpoint, clientId, clientSecret);
+            ObjectNode tokenJson = getTokenFromAuthCode(authCode, redirectUri, tokenEndpoint, clientId, clientSecret);
             saveTokenToSecretsManager(tokenJson, oauthConfig);
-            accessToken = tokenJson.getString(ACCESS_TOKEN);
+            accessToken = tokenJson.get(ACCESS_TOKEN).asText();
         }
         else {
             long expiresIn = Long.parseLong(oauthConfig.get(EXPIRES_IN));
@@ -169,16 +217,16 @@ private String fetchAccessTokenFromSecret(Map<String, String> oauthConfig) throw
             }
             else {
                 LOGGER.debug("Access token expired. Using refresh_token...");
-                JSONObject refreshed = refreshAccessToken(oauthConfig.get(REFRESH_TOKEN), tokenEndpoint, clientId, clientSecret);
+                ObjectNode refreshed = refreshAccessToken(oauthConfig.get(REFRESH_TOKEN), tokenEndpoint, clientId, clientSecret);
                 refreshed.put(REFRESH_TOKEN, oauthConfig.get(REFRESH_TOKEN));
                 saveTokenToSecretsManager(refreshed, oauthConfig);
-                accessToken = refreshed.getString(ACCESS_TOKEN);
+                accessToken = refreshed.get(ACCESS_TOKEN).asText();
             }
         }
         return accessToken;
     }
 
-    private JSONObject getTokenFromAuthCode(String authCode, String redirectUri, String tokenEndpoint, String clientId, String clientSecret) throws Exception
+    private ObjectNode getTokenFromAuthCode(String authCode, String redirectUri, String tokenEndpoint, String clientId, String clientSecret) throws Exception
     {
         String body = "grant_type=authorization_code"
                 + "&code=" + authCode
@@ -187,15 +235,15 @@ private JSONObject getTokenFromAuthCode(String authCode, String redirectUri, Str
         return requestToken(body, tokenEndpoint, clientId, clientSecret);
     }
 
-    private JSONObject refreshAccessToken(String refreshToken, String tokenEndpoint, String clientId, String clientSecret) throws Exception
+    private ObjectNode refreshAccessToken(String refreshToken, String tokenEndpoint, String clientId, String clientSecret) throws Exception
     {
         String body = "grant_type=refresh_token"
                 + "&refresh_token=" + URLEncoder.encode(refreshToken, StandardCharsets.UTF_8);
 
         return requestToken(body, tokenEndpoint, clientId, clientSecret);
     }
 
-    private JSONObject requestToken(String requestBody, String tokenEndpoint, String clientId, String clientSecret) throws Exception
+    private ObjectNode requestToken(String requestBody, String tokenEndpoint, String clientId, String clientSecret) throws Exception
     {
         HttpURLConnection conn = getHttpURLConnection(tokenEndpoint, clientId, clientSecret);
 
@@ -215,7 +263,7 @@ private JSONObject requestToken(String requestBody, String tokenEndpoint, String
             throw new RuntimeException("Failed: " + responseCode + " - " + response);
         }
 
-        JSONObject tokenJson = new JSONObject(response);
+        ObjectNode tokenJson = objectMapper.readValue(response, ObjectNode.class);
         tokenJson.put(FETCHED_AT, System.currentTimeMillis() / 1000);
         return tokenJson;
     }

athena-snowflake/src/main/java/com/amazonaws/athena/connectors/snowflake/SnowflakeMetadataHandler.java

@@ -49,13 +49,13 @@
 import com.amazonaws.athena.connector.util.PaginationHelper;
 import com.amazonaws.athena.connectors.jdbc.connection.DatabaseConnectionConfig;
 import com.amazonaws.athena.connectors.jdbc.connection.DatabaseConnectionInfo;
-import com.amazonaws.athena.connectors.jdbc.connection.GenericJdbcConnectionFactory;
 import com.amazonaws.athena.connectors.jdbc.connection.JdbcConnectionFactory;
 import com.amazonaws.athena.connectors.jdbc.manager.JDBCUtil;
 import com.amazonaws.athena.connectors.jdbc.manager.JdbcArrowTypeConverter;
 import com.amazonaws.athena.connectors.jdbc.manager.JdbcMetadataHandler;
 import com.amazonaws.athena.connectors.jdbc.manager.PreparedStatementBuilder;
 import com.amazonaws.athena.connectors.jdbc.resolver.JDBCCaseResolver;
+import com.amazonaws.athena.connectors.snowflake.connection.SnowflakeConnectionFactory;
 import com.amazonaws.athena.connectors.snowflake.resolver.SnowflakeJDBCCaseResolver;
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Strings;
@@ -154,7 +154,7 @@ public SnowflakeMetadataHandler(java.util.Map<String, String> configOptions)
     public SnowflakeMetadataHandler(DatabaseConnectionConfig databaseConnectionConfig, java.util.Map<String, String> configOptions)
     {
         this(databaseConnectionConfig,
-                new GenericJdbcConnectionFactory(databaseConnectionConfig, SnowflakeEnvironmentProperties.getSnowFlakeParameter(JDBC_PROPERTIES, configOptions),
+                new SnowflakeConnectionFactory(databaseConnectionConfig, SnowflakeEnvironmentProperties.getSnowFlakeParameter(JDBC_PROPERTIES, configOptions),
                 new DatabaseConnectionInfo(SnowflakeConstants.SNOWFLAKE_DRIVER_CLASS, SnowflakeConstants.SNOWFLAKE_DEFAULT_PORT)),
                 configOptions);
     }

athena-snowflake/src/main/java/com/amazonaws/athena/connectors/snowflake/SnowflakeRecordHandler.java

@@ -26,11 +26,11 @@
 import com.amazonaws.athena.connector.lambda.exceptions.AthenaConnectorException;
 import com.amazonaws.athena.connectors.jdbc.connection.DatabaseConnectionConfig;
 import com.amazonaws.athena.connectors.jdbc.connection.DatabaseConnectionInfo;
-import com.amazonaws.athena.connectors.jdbc.connection.GenericJdbcConnectionFactory;
 import com.amazonaws.athena.connectors.jdbc.connection.JdbcConnectionFactory;
 import com.amazonaws.athena.connectors.jdbc.manager.JDBCUtil;
 import com.amazonaws.athena.connectors.jdbc.manager.JdbcRecordHandler;
 import com.amazonaws.athena.connectors.jdbc.manager.JdbcSplitQueryBuilder;
+import com.amazonaws.athena.connectors.snowflake.connection.SnowflakeConnectionFactory;
 import com.google.common.annotations.VisibleForTesting;
 import org.apache.arrow.vector.types.pojo.Schema;
 import org.apache.commons.lang3.StringUtils;
@@ -63,10 +63,10 @@ public SnowflakeRecordHandler(java.util.Map<String, String> configOptions)
     }
     public SnowflakeRecordHandler(DatabaseConnectionConfig databaseConnectionConfig, java.util.Map<String, String> configOptions)
     {
-        this(databaseConnectionConfig, new GenericJdbcConnectionFactory(databaseConnectionConfig, SnowflakeEnvironmentProperties.getSnowFlakeParameter(JDBC_PROPERTIES, configOptions),
+        this(databaseConnectionConfig, new SnowflakeConnectionFactory(databaseConnectionConfig, SnowflakeEnvironmentProperties.getSnowFlakeParameter(JDBC_PROPERTIES, configOptions),
                 new DatabaseConnectionInfo(SnowflakeConstants.SNOWFLAKE_DRIVER_CLASS, SnowflakeConstants.SNOWFLAKE_DEFAULT_PORT)), configOptions);
     }
-    public SnowflakeRecordHandler(DatabaseConnectionConfig databaseConnectionConfig, GenericJdbcConnectionFactory jdbcConnectionFactory, java.util.Map<String, String> configOptions)
+    public SnowflakeRecordHandler(DatabaseConnectionConfig databaseConnectionConfig, SnowflakeConnectionFactory jdbcConnectionFactory, java.util.Map<String, String> configOptions)
     {
         this(databaseConnectionConfig, S3Client.create(), SecretsManagerClient.create(), AthenaClient.create(),
                 jdbcConnectionFactory, new SnowflakeQueryStringBuilder(SNOWFLAKE_QUOTE_CHARACTER, new SnowflakeFederationExpressionParser(SNOWFLAKE_QUOTE_CHARACTER)), configOptions);