snowflake-sdk
Version:
Node.js driver for Snowflake
398 lines (397 loc) • 15.8 kB
TypeScript
import { WorkloadIdentityProviderKey } from '../authentication/auth_workload_identity/types';
import { CRLValidatorConfig } from '../agent/crl_validator';
/**
* Work In Progress typing for ConnectionOptions
*
* TODO:
* - revisit doc of every option
* - if an options works only when another option is set - document it
*/
export interface WIP_ConnectionOptions {
/**
* Your account identifier.
*/
account?: string;
/**
* Specifies a fully-qualified endpoint for connecting to Snowflake.
*/
accessUrl?: string;
/**
* @deprecated
* Append a region or any sub domains before snowflakecomputing.com to the
* end of account parameter after a dot, e.g., account=<account>.<region>.
*/
region?: string;
/**
* The login name for your Snowflake user or your Identity Provider (e.g. your login name for Okta).
*/
username?: string;
/**
* Password for the user.
*/
password?: string;
/**
* Host address to which the driver should connect.
*/
host?: string;
/**
* The default virtual warehouse to use for the session after connecting. Used for performing queries, loading data, etc.
*/
warehouse?: string;
/**
* The default database to use for the session after connecting.
*/
database?: string;
/**
* The default schema to use for the session after connecting.
*/
schema?: string;
/**
* The default security role to use for the session after connecting.
*/
role?: string;
/**
* Specifies the authenticator to use for verifying user login credentials.
*
* Available options:
* * `SNOWFLAKE` - Default authenticator that uses basic username/password authentication
* * `EXTERNALBROWSER` - Browser-based SSO authentication through your identity provider
* * `SNOWFLAKE_JWT` - Key pair authentication using a private key and public key pair
* * `OAUTH` - OAuth authentication using a token obtained from OAuth flow
* * `USERNAME_PASSWORD_MFA` - Username/password with multi-factor authentication
* * `PROGRAMMATIC_ACCESS_TOKEN` - Using a programmatic access token set in ConnectionOptions.token or ConnectionOptions.password
* * `OAUTH_AUTHORIZATION_CODE` - OAuth authorization code flow for web applications
* * `OAUTH_CLIENT_CREDENTIALS` - OAuth client credentials flow for service-to-service auth
* * `WORKLOAD_IDENTITY` - Workload identity authentication
* * `https://<okta_account_name>.okta.com` - Native SSO authentication through Okta
*/
authenticator?: string;
/**
* By default, client connections typically time out approximately 3-4 hours after the most recent query was executed.
*/
clientSessionKeepAlive?: boolean;
/**
* Sets the frequency (interval in seconds) between heartbeat messages.
*/
clientSessionKeepAliveHeartbeatFrequency?: number;
/**
* When true, the session is not destroyed on the server side when the connection
* is closed. This allows async queries to continue running after disconnect.
* Any unfinished queries will continue to live in Snowflake and consume credits
* until they finish.
*
* @default false
*/
serverSessionKeepAlive?: boolean;
/**
* Enable MFA/SSO token caching.
*
* https://docs.snowflake.com/en/developer-guide/node-js/nodejs-driver-authenticate#authentication-token-caching
*
* @default false
*/
clientStoreTemporaryCredential?: boolean;
/**
* When clientStoreTemporaryCredential=true, sets the directory where cached authentication
* tokens are stored.
*
* If not set, the driver resolves the cache directory by checking, in order:
* 1. The `SF_TEMPORARY_CREDENTIAL_CACHE_DIR` environment variable
* 2. Platform-specific defaults:
* - **Windows**: `<home>/AppData/Local/Snowflake/Caches`
* - **Linux**: `$XDG_CACHE_HOME/snowflake`, or `~/.cache/snowflake`
* - **macOS**: `~/Library/Caches/Snowflake`
*/
credentialCacheDir?: string;
/**
* Specifies the token to use for authentication. Set this option if you set the authenticator option to
* * OAUTH
* * PROGRAMMATIC_ACCESS_TOKEN
* * WORKLOAD_IDENTITY
*/
token?: string;
/**
* Specifies the path to a file containing the token for authentication.
*
* This option works similarly to the `token` property, but retrieves the token value by reading the specified file from disk.
*
* If `token` is not provided, the driver will attempt to read the token from this file for suitable token-based authenticators.
*
* If both `token` and `tokenFilePath` are set, `token` takes precedence and this file path will be ignored.
*/
tokenFilePath?: string;
/**
* Enable single use refresh tokens for OAuth
*/
oauthEnableSingleUseRefreshTokens?: boolean;
/**
* Value of `client id` provided by the identity provider for Snowflake integration (Snowflake security integration metadata).
*/
oauthClientId?: string;
/**
* Value of the `client secret` provided by the identity provider for Snowflake integration (Snowflake security integration metadata).
*/
oauthClientSecret?: string;
/**
* Identity provider endpoint supplying the authorization code to the driver.
* When Snowflake is used as an identity provider, this value is derived from the `server` or `account` parameters.
*/
oauthAuthorizationUrl?: string;
/**
* Identity Provider endpoint supplying the access tokens to the driver.
* When using Snowflake as an Identity Provider, this value is derived from the `server` or `account` parameters.
*/
oauthTokenRequestUrl?: string;
/**
* Scope requested in the Identity Provider authorization request.
* By default, it is derived from the role.
* When multiple scopes are required, the value should be a space-separated list of multiple scopes.
*/
oauthScope?: string;
/**
* When authenticator=OAUTH_AUTHORIZATION_CODE, customize the URI for authorization code redirection.
*
* @default "http://127.0.0.1:{randomAvailablePort}"
*/
oauthRedirectUri?: string;
/**
* @deprecated
* FOR TESTING ONLY. Allows to use insecure http requests.
*/
oauthHttpAllowed?: boolean;
/**
* When authenticator=OAUTH_AUTHORIZATION_CODE, customize the code challenge method
*/
oauthChallengeMethod?: string;
/**
* The option to enable the MFA token.
* @default false
*/
clientRequestMFAToken?: boolean;
/**
* The option to skip the SAML URL check in the Okta authentication
*
* @default false
*/
disableSamlURLCheck?: boolean;
/**
* When authenticator=SNOWFLAKE_JWT, specifies the private key (in PEM format).
*
* If the key is encrypted, use {@link privateKeyPass} to provide the passphrase.
*/
privateKey?: string;
/**
* When authenticator=SNOWFLAKE_JWT, specifies the local path to the private key file (in PEM
* format).
*
* If the key is encrypted, use {@link privateKeyPass} to provide the passphrase.
*/
privateKeyPath?: string;
/**
* When authenticator=SNOWFLAKE_JWT, specifies the passcode to decrypt the encrypted private key
* passed in {@link privateKey} or {@link privateKeyPath}.
*/
privateKeyPass?: string;
/**
* Specifies the timeout, in milliseconds, for browser activities related to MFA/SSO authentication.
*
* @default 120000 (milliseconds)
*/
browserActionTimeout?: number;
/**
* When authenticator=EXTERNALBROWSER, customize the port of
* the local server that receives the authentication callback.
*
* The server always redirects to `http://localhost:${browserRedirectPort}`.
*
* For OAUTH_AUTHORIZATION_CODE, use {@link oauthRedirectUri}
* instead, which supports customizing both host and port.
*
* @default 0 (random available port)
*/
browserRedirectPort?: number;
/**
* Lets you customize the web page a user sees in their browser after they
* finish signing in, instead of the default confirmation message. Use it to
* show your own branding, wording, or a "you can close this tab" page.
*
* Supported when authenticator is set to:
* * EXTERNALBROWSER
* * OAUTH_AUTHORIZATION_CODE
*
* Return the full HTML page to display. On success, `error` is `null`.
* If sign-in failed, `error` contains the message from your identity provider
* (already HTML-escaped, so it is safe to embed directly).
*
* @example
* browserResponseRenderer: ({ error }) => {
* const message = error
* ? `<h1>Login failed</h1><p>${error}</p>`
* : '<h1>All set! You can close this tab.</h1>';
* return `<html><body>${message}</body></html>`;
* }
*/
browserResponseRenderer?: (result: {
error: string | null;
}) => string;
/**
* Specifies a custom callback for opening the browser window during authentication.
* Supported when the authenticator is set to:
* * EXTERNALBROWSER
* * OAUTH_AUTHORIZATION_CODE
*
* By default, the npm `open` package is used.
*/
openExternalBrowserCallback?: (url: string) => void;
/**
* When authenticator=WORKLOAD_IDENTITY, specifies the identity provider. Available options:
* * AWS - Uses `@aws-sdk` to find credentials. Supports two attestation methods:
* * `GetCallerIdentity` (default) - encodes a SigV4-signed `GetCallerIdentity` request as the token
* * `GetWebIdentityToken` - obtains a signed JWT token, enabled via {@link workloadIdentityAwsUseOutboundToken}
* * AZURE - Uses `@azure/identity` to find credentials and get JWT token
* * GCP - Uses `google-auth-library` to find credentials and get JWT token
* * OIDC - Reads JWT token from `ConnectionOptions.token`
*/
workloadIdentityProvider?: WorkloadIdentityProviderKey;
/**
* When authenticator=WORKLOAD_IDENTITY, specifies a chain of service accounts for transitive impersonation.
* Each element represents a service account to impersonate in sequence, allowing workloads to authenticate
* as a different identity than their default attached service account.
*
* Supported for AWS and GCP.
*/
workloadIdentityImpersonationPath?: string[];
/**
* When workloadIdentityProvider=AZURE, customize Azure Entra Id Resource
*/
workloadIdentityAzureEntraIdResource?: string;
/**
* When workloadIdentityProvider=AZURE, customize Azure Managed Identity Client Id
*/
workloadIdentityAzureClientId?: string;
/**
* When workloadIdentityProvider=AWS, selects the AWS attestation method.
*
* AWS WIF supports two methods:
* * `GetCallerIdentity` (default, `false`) - the connector encodes a SigV4-signed
* `GetCallerIdentity` request as the attestation token.
* * `GetWebIdentityToken` (`true`) - the connector calls STS `GetWebIdentityToken` and
* forwards a standards-based JWT instead. This provides stateless token verification and
* compatibility with AWS outbound identity federation. It requires the AWS IAM role to have
* `sts:GetWebIdentityToken` permission and the Snowflake service user to be configured with an
* `ISSUER`.
*
* The `GetWebIdentityToken` method is recommended and may become the default in a future release.
*
* See {@link https://docs.snowflake.com/en/user-guide/workload-identity-federation#label-wif-aws-upgrade-jwt}
* for setup instructions, including the Node.js connector configuration.
*
* @default false
*/
workloadIdentityAwsUseOutboundToken?: boolean;
/**
* Enables Certificate Revocation List (CRL) validation.
*
* When `ENABLED` is set, it fails if the certificate is revoked or if any error occurs (network, parsing, etc.).
* When `ADVISORY` is set, it fails only if the certificate is revoked.
*
* @default "DISABLED"
*/
certRevocationCheckMode?: CRLValidatorConfig['checkMode'];
/**
* Allows to connect when certificate doesn't have CRL URLs (cRLDistributionPoints)
*
* This option applies only when certRevocationCheckMode is `ADVISORY` or `ENABLED`
*
* @default false
*/
crlAllowCertificatesWithoutCrlURL?: CRLValidatorConfig['allowCertificatesWithoutCrlURL'];
/**
* Enable CRL caching in memory.
*
* This option applies only when certRevocationCheckMode is `ADVISORY` or `ENABLED`
*
* @default true
*/
crlInMemoryCache?: CRLValidatorConfig['inMemoryCache'];
/**
* Enable CRL caching on disk. Disk read/write failures are ignored.
*
* This option applies only when certRevocationCheckMode is `ADVISORY` or `ENABLED`
*
* @default true
*/
crlOnDiskCache?: CRLValidatorConfig['onDiskCache'];
/**
* Controls how many rows are buffered by the stream returned from
* `statement.streamRows()`. Passed as the `highWaterMark` to the
* underlying Node.js Readable class.
*
* @default 10
*/
rowStreamHighWaterMark?: number;
/**
* Specifies the name of the client application connecting to Snowflake.
*/
application?: string;
/**
* Turn on the validation function which checks whether all the connection configuration from users are valid or not.
*
* @default false
*/
validateDefaultParameters?: boolean;
/**
* Specifies a list of hosts that the driver should connect to directly, bypassing the proxy server.
*
* - Use a pipe symbol (`|`) to separate multiple hosts.
* - Use `*` as a wildcard (e.g., `*sub.amazonaws.com`).
* - A leading dot (e.g., `.amazonaws.com`) matches any subdomain.
*
* @example
* noProxy: ".amazonaws.com|*sub.my_company.com"
*/
noProxy?: string;
/**
* Specifies the hostname of an authenticated proxy server.
*/
proxyHost?: string;
/**
* Specifies the username used to connect to an authenticated proxy server.
*/
proxyUser?: string;
/**
* Specifies the password for the user specified by proxyUser.
*/
proxyPassword?: string;
/**
* Specifies the port of an authenticated proxy server.
*/
proxyPort?: number;
/**
* Specifies the protocol (`http` or `https`) used to connect to the proxy server.
*/
proxyProtocol?: string;
/**
* Optional string that can be used to tag queries and other SQL statements executed within a connection.
* The tags are displayed in the output of the QUERY_HISTORY , QUERY_HISTORY_BY_* functions.
*/
queryTag?: string;
}
/**
* Work In Progress typing for ConnectionConfig instance
*/
export type WIP_ConnectionConfig = Pick<WIP_ConnectionOptions, 'token' | 'workloadIdentityProvider' | 'workloadIdentityImpersonationPath' | 'workloadIdentityAzureEntraIdResource' | 'workloadIdentityAzureClientId' | 'workloadIdentityAwsUseOutboundToken' | 'oauthEnableSingleUseRefreshTokens' | 'rowStreamHighWaterMark'> & {
browserRedirectPort: number;
crlValidatorConfig: CRLValidatorConfig;
getClientType(): string;
getClientVersion(): string;
getClientApplication(): string;
getOauthHttpAllowed(): boolean;
getOauthClientId(): string;
getOauthClientSecret(): string;
getProxy(): {
[key: string]: any;
};
agentCache: Map<string, any>;
destroyAgentCache(): void;
};