Summary
This article covers what to check when a Vault database secrets engine connection to Snowflake over AWS PrivateLink fails with connection errors at configuration time.
Troubleshooting Steps
- First, confirm private connectivity as described in the Snowflake documentation:
- Connecting with a URL covers how to connect to Snowflake accounts, including the account identifier format used in the connection URL.
- AWS PrivateLink & Snowflake covers how to configure AWS PrivateLink from a VPC to a Snowflake account (the VPC endpoint, Snowflake's authorization of it, and the private DNS records for the PrivateLink hostname).
- If PrivateLink is not set up correctly, or the Vault node cannot reach the PrivateLink endpoint, configuring the database connection in Vault fails as in the following example (the connection_url uses Vault's `{{username}}` and `{{password}}` templating, and the account identifier takes the form `<account_locator>.<region>.privatelink`):

```shell
vault write database/config/my-snowflake-database \
    plugin_name=snowflake-database-plugin \
    allowed_roles="my-role" \
    connection_url="{{username}}:{{password}}@yza13843.us-east-1.privatelink/CIARA_DEMO" \
    username="cclements" \
    password=""
Error writing data to database/config/my-snowflake-database: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/database/config/my-snowflake-database
Code: 400. Errors:

error creating database object: unable to parse connection url
```

The Vault server log at TRACE level shows the plugin's initialize step failing the same way:

```
2021-10-01T20:35:44.574-0400 [TRACE] secrets.database.database_9993568f.snowflake-database-plugin: initialize: transport=builtin status=finished verify=true err="unable to parse connection url" took=47.74069414s
```

The error above was caused by an incorrect PrivateLink configuration that prevented the Vault node from communicating with the Snowflake account. Two details in the log line are worth noting: `verify=true` means Vault opened a connection to verify the configuration at write time, so a reachability problem surfaces on the `vault write` itself, and `took=47.74069414s` is consistent with a connection attempt that timed out rather than a URL that the parser rejected immediately.
- Test connectivity from the Vault node itself, not from a workstation: resolve the PrivateLink hostname and attempt a TCP connection to port 443 while capturing with tcpdump, so you can see whether packets are sent to the VPC endpoint's private address and whether anything comes back. The hostname should look like `dbinstanceid.region.privatelink.snowflakecomputing.com` and must resolve to private IP addresses of the VPC endpoint (Snowflake's PrivateLink setup requires CNAME records for this name pointing at the endpoint's DNS name); a public address or no answer means the DNS part of the setup is missing on the network the Vault node uses.
- SnowCD, the Snowflake Connectivity Diagnostic Tool built by Snowflake, can be run from the Vault node to diagnose and troubleshoot the network path to the account.
- Finally, check whether a proxy sits between the Vault node and Snowflake. The Snowflake Go driver used by the plugin honours the standard HTTPS_PROXY, HTTP_PROXY and NO_PROXY environment variables, so add the PrivateLink hostname (or the `.privatelink.snowflakecomputing.com` suffix) to NO_PROXY in the environment of the Vault process, for example in its systemd unit, rather than in the Vault HCL configuration. A typical symptom is a PrivateLink hostname served only by internal DNS (resolvable only inside the VPC or over a VPN): the proxy cannot resolve it, while the Vault node can once the proxy is bypassed for that name.