Introduction
This article addresses authentication token expiration errors when using the Vault Snowflake Database Secrets Engine with key pair authentication.
Problem
Users receive an Error 500 from Vault when attempting to create Snowflake credentials using configured roles. The underlying error from Snowflake is:
390114: Authentication token has expired. The user must authenticate again.
Prerequisites
- HashiCorp Vault with the Snowflake Database Secrets Engine configured
- Snowflake key pair authentication enabled
- snowflake-database-plugin in use
Cause
The JWT token used for Snowflake key pair authentication has a maximum lifetime of one hour. The error occurs when:
- Vault generates a JWT token using the configured private key
- Vault authenticates with Snowflake and establishes a connection
- After approximately one hour, the JWT token expires
- Vault attempts to reuse the expired token for a new database operation
- Snowflake rejects the request with error 390114
- Vault surfaces this as an Error 500 to the requesting application
This is a Snowflake authentication limitation, not a Vault internal error. Vault passes through Snowflake's error response when the JWT token expires.
Solution
Configure connection pooling parameters to ensure connections are recycled before the JWT token expires:
vault write db_snowflake/config/snowflake \
plugin_name=snowflake-database-plugin \
allowed_roles="<your_roles>" \
connection_url="<your_snowflake_url>" \
username="<your_vault_user>" \
private_key=@vault_user.pem \
max_open_connections=20 \
max_connection_lifetime=3600s \
max_idle_connections=0

| Parameter | Value | Purpose |
|---|---|---|
| max_open_connections | 20 | Maintains a pool of available connections |
| max_connection_lifetime | 3600s | Forces connection refresh before JWT expiration |
| max_idle_connections | 0 | Prevents stale idle connections from accumulating |
Outcome
After applying the configuration, Vault should automatically recycle database connections before the JWT token expires, eliminating the need for manual intervention or secrets engine reconfiguration.
To verify the fix is working, monitor for the 390114 error over a period exceeding one hour of operation. If errors persist, consider reducing max_connection_lifetime to a value below 3600s (e.g., 3000s) to provide additional buffer before token expiration.
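The following shell helper is an added example, not part of the original article or of Vault itself. It converts the duration syntax Vault accepts for max_connection_lifetime (bare seconds or a single-unit value such as 3600s, 50m or 1h) into seconds and checks it against Snowflake's one-hour JWT lifetime, optionally with the extra buffer the Outcome section suggests, before the vault write is issued. The mount path db_snowflake, the vault_user.pem file and the buffer size are assumptions taken from or added to the article.

```shell
#!/bin/sh
# Added example (not from the original article): validate max_connection_lifetime
# against Snowflake's one-hour key pair JWT lifetime before applying the config.

JWT_MAX_SECONDS=3600   # JWT lifetime for Snowflake key pair authentication

# to_seconds DURATION -> prints whole seconds; fails on anything it cannot parse.
# Accepts bare seconds or a single unit suffix (s, m, h), e.g. 3600, 3600s, 50m, 1h.
to_seconds() {
  n=${1%[hms]}                       # strip one trailing unit letter, if present
  case "$n" in
    ''|*[!0-9]*) echo "unparseable duration: $1" >&2; return 1 ;;
  esac
  case "$1" in
    *h) echo $(( n * 3600 )) ;;
    *m) echo $(( n * 60 )) ;;
    *)  echo "$n" ;;                 # bare seconds or trailing "s"
  esac
}

# check_connection_lifetime DURATION [BUFFER_SECONDS]
# Exit 0 when DURATION <= JWT lifetime minus BUFFER (default 0), else exit 1.
check_connection_lifetime() {
  secs=$(to_seconds "$1") || return 1
  buffer=${2:-0}
  limit=$(( JWT_MAX_SECONDS - buffer ))
  if [ "$secs" -gt "$limit" ]; then
    echo "max_connection_lifetime=$1 (${secs}s) exceeds ${limit}s; connections may outlive the JWT (error 390114)" >&2
    return 1
  fi
  echo "max_connection_lifetime=$1 (${secs}s) is within the ${limit}s budget"
}

# configure_snowflake DURATION [BUFFER_SECONDS]: apply the article's config only
# if the lifetime passes the check (assumes the db_snowflake mount and vault_user.pem).
configure_snowflake() {
  check_connection_lifetime "$1" "${2:-0}" || return 1
  vault write db_snowflake/config/snowflake \
    plugin_name=snowflake-database-plugin \
    allowed_roles="<your_roles>" \
    connection_url="<your_snowflake_url>" \
    username="<your_vault_user>" \
    private_key=@vault_user.pem \
    max_open_connections=20 \
    max_connection_lifetime="$1" \
    max_idle_connections=0
}

# Demonstration: the article's fallback value with a ten-minute buffer passes.
check_connection_lifetime 3000s 600
```

Run `configure_snowflake 3000s 600` against a live Vault to apply the checked value; a value of 3600s passes with no buffer but is rejected once any buffer is requested.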