Snowflake connection error: JWT token is invalid

gribboa · October 5, 2021, 3:59pm

Hi all,

Trying to setup a connection to Snowflake. The account is setup using key pair authentication, and I am trying to pass the private key file name and password in the "Additional JDBC connection string options" section as per https://docs.snowflake.com/en/user-guide/jdbc-configure.html#private-key-file-name-and-password-in-connection-string.

However I am getting the below error from Metabase:

2021-10-05 16:52:20,241 ERROR driver.util :: Database connection error
net.snowflake.client.jdbc.SnowflakeSQLException: JWT token is invalid.

The key pair authentication does work via both SnowSQL & a JDBC connection outside of Metabase.

Any thoughts appreciated!

jeff_evans · October 5, 2021, 8:15pm

What version of Metabase, and what deployment are you using? If jar file, then what JDK version? Also, please include the full connection string you have specified in Metabase, and also the equivalent from your standalone JDBC application (with sensitive info redacted).

gribboa · October 5, 2021, 8:43pm

Diagnostic info below which should answer some of your points:

{
  "browser-info": {
    "language": "en-GB",
    "platform": "Win32",
    "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Edg/94.0.992.31",
    "vendor": "Google Inc."
  },
  "system-info": {
    "file.encoding": "UTF-8",
    "java.runtime.name": "OpenJDK Runtime Environment",
    "java.runtime.version": "1.8.0_232-8u232-b09-0ubuntu1~16.04.1-b09",
    "java.vendor": "Private Build",
    "java.vendor.url": "http://java.oracle.com/",
    "java.version": "1.8.0_232",
    "java.vm.name": "OpenJDK 64-Bit Server VM",
    "java.vm.version": "25.232-b09",
    "os.name": "Linux",
    "os.version": "4.15.0-54-generic",
    "user.language": "en",
    "user.timezone": "Europe/London"
  },
  "metabase-info": {
    "databases": [
      "h2"
    ],
    "hosting-env": "unknown",
    "application-database": "h2",
    "application-database-details": {
      "database": {
        "name": "H2",
        "version": "1.4.197 (2018-03-18)"
      },
      "jdbc-driver": {
        "name": "H2 JDBC Driver",
        "version": "1.4.197 (2018-03-18)"
      }
    },
    "run-mode": "prod",
    "version": {
      "tag": "v0.40.5",
      "date": "2021-09-21",
      "branch": "release-x.40.x",
      "hash": "042a36e"
    },
    "settings": {
      "report-timezone": null
    }
  }
}

What's the best way to show you the string from Metabase? Ultimately it's just filling out the required fields in metabase (including password, which I know is not needed with key auth - could this be causing an issue?), plus this bit in the "Additional JDBC connection string options":

&useProxy=true&proxyHost=MY_PROXY_IP&proxyPort=443&private_key_file=PATH_TO_PRIVATE_KEY.p8&private_key_file_pwd=PRIVATE_KEY_PWD

I'm certain it results in the same as the standalone JDBC, which looks like this:

"jdbc:snowflake://account.region.snowflakecomputing.com/?db=MY_DATABASE&schema=MY_SCHEMA&warehouse=MY_WAREHOUSE&role=MY_ROLE&useProxy=true&proxyHost=MY_PROXY_IP&proxyPort=443&private_key_file=PATH_TO_PRIVATE_KEY.p8&private_key_file_pwd=PRIVATE_KEY_PWD"

gribboa · October 10, 2021, 8:47pm

Bump

flamber · October 11, 2021, 9:01am

@gribboa Try upgrading to latest Java 11: https://www.metabase.com/docs/latest/operations-guide/java-versions.html

I'm not sure if it would help, or if it requires Metabase to support a key-based authentication (something similar to what is possible with MongoDB, by exposing the full connection string).