I've installed the Snowsql CLI tool (v1.2.16) and tried connecting to Snowflake using a command similar to `snowsql -a <account details> -user datamonk3y@domain.com --authenticator externalbrowser`.

For myself, and a few other colleagues, a pop up window appears which will allow us to authenticate. Unfortunately this isn't the case for some of my other colleagues...

I've not found anything obvious, but the authentication browser window simply isn't popping up for some users (Around half of us), therefore the connection is aborting after time out.

We're all using AWS WorkSpaces with the same version of Windows, same version of Chrome and the same version of Snowsql. There's nothing I can see in the Chrome settings that could be causing this. I'm also able to change the default browser to Firefox and I still authenticate fine.

Logging into the UI works for everyone too...

The logs don't really give much away; the failed attempts get a `Failed to check OCSP response cache file` message, but I think this is because the authentication isn't initiated with the server. When I check my local machine (`C:/Users/<datamonk3y>/AppData/Local/Snowflake/Caches/`) I see an `ocsp_response_cache.json` file, but this isn't there for my colleagues who aren't able to log in.

As @SrinathMenon has mentioned in the comments below, adding `-o insecure_mode=True` to the login command will bypass this issue, but does anyone have any thoughts as to what could be causing this?

Thanks

datamonk3y
  • You can try setting Chrome as the default browser. Details: https://support.google.com/chrome/answer/95417?hl=en-GB&co=GENIE.Platform%3DDesktop – FKayani Jul 28 '21 at 12:41
  • Thanks @FKayani, we all have Chrome set as default as far as I know, personally I'm able to swap between the browsers I've got installed and the authentication popup still appears fine – datamonk3y Jul 28 '21 at 14:52
  • Sounds similar to the issue mentioned here : https://stackoverflow.com/questions/68021805/why-isnt-snowsql-opening-an-external-browser – Srinath Menon Jul 29 '21 at 01:17
  • Do your colleagues have a proxy set on their environment? – Sergiu Jul 29 '21 at 12:50
  • @SrinathMenon yes you're right, it's similar, though it relates to Linux. I actually commented on that a month or so ago but still haven't managed to resolve it – datamonk3y Aug 02 '21 at 09:46
  • @Sergiu I believe the proxies are currently turned off, but thanks for the suggestion – datamonk3y Aug 02 '21 at 10:01
  • @datamonk3y: Can you try turning off OCSP: `snowsql -a ACCOUNT -u USER -o insecure_mode=True` – Srinath Menon Aug 03 '21 at 03:34
  • @SrinathMenon, this has worked! Thanks very much! Have you any thoughts as to why this is needed for some of us? We're using AD authentication, and I’ve been unable to find the `ocsp_response_cache.json` file for the users who were unable to log in (I found it in `C:/Users/datamonk3y/AppData/Local/Snowflake/Caches/`) – datamonk3y Aug 03 '21 at 09:30

2 Answers

Try turning off OCSP:

```
snowsql -a ACCOUNT -u USER -o insecure_mode=True
```

The only root cause I can see for this issue is that the request is not able to reach the OCSP URL and is failing. Adding the debug flag in snowsql would give more details / information. Use this to collect the debug logs:

```
snowsql -a <account details> -u datamonk3y@domain.com --authenticator externalbrowser -o log_level=debug -o log_file=<path>
```

Srinath Menon

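A small diagnostic for the cause suggested in the answer above (the OCSP URL not being reachable), written as an added example that is not part of the original answer or of Snowflake's tooling. It checks the cache directory named in the question, any proxy variables, and TCP reachability of an OCSP host; the host `ocsp.snowflakecomputing.com` on port 80 and all function names are assumptions of this example.

```python
import os
import socket
import tempfile
from pathlib import Path

# Assumption: host and port of the OCSP cache server; confirm the endpoints
# your own account uses before relying on this value.
OCSP_HOST, OCSP_PORT = "ocsp.snowflakecomputing.com", 80
CACHE_FILE = "ocsp_response_cache.json"


def default_cache_dir(env=os.environ):
    """Cache directory as reported in the question (Windows layout)."""
    return Path(env.get("LOCALAPPDATA", "")) / "Snowflake" / "Caches"


def check_cache(cache_dir):
    """Report whether the cache directory exists, is writable, and holds the file."""
    cache_dir = Path(cache_dir)
    result = {"dir_exists": cache_dir.is_dir(), "writable": False,
              "cache_file": (cache_dir / CACHE_FILE).is_file()}
    if result["dir_exists"]:
        try:  # a real write attempt is more reliable than os.access on Windows
            with tempfile.NamedTemporaryFile(dir=cache_dir):
                result["writable"] = True
        except OSError:
            pass
    return result


def proxy_settings(env=os.environ):
    """Proxy variables that could reroute or block the plain-HTTP OCSP request."""
    names = ("HTTP_PROXY", "HTTPS_PROXY", "NO_PROXY")
    return {k: v for k, v in env.items() if k.upper() in names and v}


def can_connect(host, port, timeout=5.0):
    """True if a direct TCP connection succeeds (proxy-only networks fail this)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    print("cache:", check_cache(default_cache_dir()))
    print("proxy:", proxy_settings() or "none set")
    print("ocsp reachable:", can_connect(OCSP_HOST, OCSP_PORT))
```

Comparing the three results between a workspace that logs in and one that does not narrows the cause without leaving `insecure_mode=True`, which turns off the OCSP check, in the login command.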

In my case, what worked was including the region in account name. So instead of `-a abc1234`, you would do something like `-a abc1234.us-east-1`.

https://docs.snowflake.com/en/user-guide/admin-account-identifier.html#format-2-legacy-account-locator-in-a-region explains this a little, but basically you use the first part of the web console URL, e.g. https://abc1234.us-east-1.snowflakecomputing.com/ (this only works with the classic console).

Dommondke