Merge pull request #18 from sdf-labs/add_snowflake_key_pair_auth_test

added key pair auth test

.github/workflows/examples.yml

@@ -80,14 +80,14 @@ jobs:
           echo "${{ steps.sdf.outputs.log }}" >>$GITHUB_STEP_SUMMARY
           echo '```' >>$GITHUB_STEP_SUMMARY
 
-  snowflake:
+  snowflake_password:
     container:
       image: ghcr.io/dbt-labs/dbt-snowflake:1.8.latest
       volumes:
         - ${{ github.workspace }}:/repo
 
     runs-on: ubuntu-latest
-    name: Snowflake workspace
+    name: Snowflake workspace with password auth
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -116,3 +116,40 @@ jobs:
           echo '```' >>$GITHUB_STEP_SUMMARY
           echo "${{ steps.sdf.outputs.log }}" >>$GITHUB_STEP_SUMMARY
           echo '```' >>$GITHUB_STEP_SUMMARY
+
+  snowflake_key_pair:
+    container:
+      image: ghcr.io/dbt-labs/dbt-snowflake:1.5.latest
+      volumes:
+        - ${{ github.workspace }}:/repo
+
+    runs-on: ubuntu-latest
+    name: Snowflake workspace with key pair auth
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Run sdf push
+        uses: ./ # Uses an action in the root directory
+        id: sdf
+        with:
+          # TODO: FIX compile failed
+          command: 'sdf push'
+          # relative path to ${{ github.workspace }} which is automatically mounted by GitHub Actions
+          workspace_dir: workspace/snowflake
+          access_key: ${{ secrets.ACCESS_KEY }}
+          secret_key: ${{ secrets.SECRET_KEY }}
+
+          snowflake_account_id: ${{ secrets.SNOWFLAKE_ACCOUNT_ID }}
+          snowflake_username: ${{ secrets.SNOWFLAKE_USERNAME }}
+          snowflake_private_key_pem: ${{ secrets.SNOWFLAKE_PRIVATE_KEY_PEM }}
+          snowflake_role: 'dbt_test_role'
+          snowflake_warehouse: 'dbt_dev_wh'
+
+      # Use the output from the `sdf` step
+      - name: Display the sdf output
+        run: |
+          echo "### SDF Run Logs 🪵" >> $GITHUB_STEP_SUMMARY
+          echo '```' >>$GITHUB_STEP_SUMMARY
+          echo "${{ steps.sdf.outputs.log }}" >>$GITHUB_STEP_SUMMARY
+          echo '```' >>$GITHUB_STEP_SUMMARY

README.md

@@ -63,6 +63,7 @@ Check out this [example workflow](./.github/workflows/examples.yml) to see how t
     snowflake_private_key_path: ${{ secrets.SNOWFLAKE_PRIVATE_KEY_PATH }}  # Path to key file
     # OR
     snowflake_private_key_pem: ${{ secrets.SNOWFLAKE_PRIVATE_KEY_PEM }}    # Direct PEM content
+    #If you use private_key_pem paste the pem directly into github secrets as is with delimeters and new lines preserved.
 
     # Optional for key-pair authentication:
     snowflake_private_key_passphrase: ${{ secrets.SNOWFLAKE_PRIVATE_KEY_PASSPHRASE }}

entrypoint.sh

@@ -114,18 +114,18 @@ if [ -n "${SNOWFLAKE_ACCOUNT_ID}" ]; then
   if [ -n "${SNOWFLAKE_PASSWORD}" ]; then
     # Password-based authentication
     auth_command+=" --password \"${SNOWFLAKE_PASSWORD}\""
-  elif [ -n "${SNOWFLAKE_PRIVATE_KEY_PATH}" ] || [ -n "${SNOWFLAKE_PRIVATE_KEY}" ]; then
+  elif [ -n "${SNOWFLAKE_PRIVATE_KEY_PATH}" ] || [ -n "${SNOWFLAKE_PRIVATE_KEY_PEM}" ]; then
     # Key-based authentication
     if [ -n "${SNOWFLAKE_PRIVATE_KEY_PATH}" ]; then
       auth_command+=" --private-key-path \"${SNOWFLAKE_PRIVATE_KEY_PATH}\""
     else
-      auth_command+=" --private-key \"${SNOWFLAKE_PRIVATE_KEY}\""
+      SNOWFLAKE_PRIVATE_KEY_FILE=$(mktemp)
+      chmod 600 "$SNOWFLAKE_PRIVATE_KEY_FILE"
+      echo "$SNOWFLAKE_PRIVATE_KEY_PEM" > "$SNOWFLAKE_PRIVATE_KEY_FILE"
+      auth_command+=" --private-key-path \"${SNOWFLAKE_PRIVATE_KEY_FILE}\""
     fi
-
     # Add passphrase if provided
-    if [ -n "${SNOWFLAKE_PRIVATE_KEY_PASSPHRASE}" ]; then
-      auth_command+=" --private-key-passphrase \"${SNOWFLAKE_PRIVATE_KEY_PASSPHRASE}\""
-    fi
+    auth_command+=" --private-key-passphrase \"${SNOWFLAKE_PRIVATE_KEY_PASSPHRASE}\""
   else
     echo "Error: No authentication method provided for Snowflake. Please provide either password, private key path, or private key content."
     exit 1
@@ -135,7 +135,7 @@ if [ -n "${SNOWFLAKE_ACCOUNT_ID}" ]; then
   [ -n "${SNOWFLAKE_ROLE}" ] && auth_command+=" --role \"${SNOWFLAKE_ROLE}\""
   [ -n "${SNOWFLAKE_WAREHOUSE}" ] && auth_command+=" --warehouse \"${SNOWFLAKE_WAREHOUSE}\""
 
-  eval $auth_command
+  eval "$auth_command"
   check_exit_status $? ""
 fi
 
@@ -162,14 +162,24 @@ if [ -n "${BIGQUERY_PROJECT_ID}" ] || [ -n "${BIGQUERY_CREDENTIALS_JSON_PATH}" ]
       echo "Error: For BigQuery individual credentials authentication, all of these are required: project_id, client_email, and private_key"
       exit 1
     fi
-    auth_command+=" --project-id \"${BIGQUERY_PROJECT_ID}\" --client-email \"${BIGQUERY_CLIENT_EMAIL}\" --private-key \"${BIGQUERY_PRIVATE_KEY}\""
+    # Create a temporary JSON file with credentials
+    BIGQUERY_CREDENTIALS_JSON_FILE=$(mktemp)
+    chmod 600 "$BIGQUERY_CREDENTIALS_JSON_FILE"
+    cat <<EOF > "$BIGQUERY_CREDENTIALS_JSON_FILE"
+{
+  "project_id": "${BIGQUERY_PROJECT_ID}",
+  "client_email": "${BIGQUERY_CLIENT_EMAIL}",
+  "private_key": "${BIGQUERY_PRIVATE_KEY}"
+}
+EOF
+    auth_command+=" --json-path \"${BIGQUERY_CREDENTIALS_JSON_FILE}\""
   fi
 
   eval $auth_command
   check_exit_status $? ""
 fi
 
-# run and save outputs
+# Run and save outputs
 echo "running command: $input_command"
 log=$($input_command 2>&1)
 exit_status=$?
@@ -180,5 +190,18 @@ check_exit_status $exit_status "$log"
   echo 'log<<EOF'
   echo "$log"
   echo EOF
-} >>$GITHUB_OUTPUT
-echo "result=passed" >>$GITHUB_OUTPUT
+} >> $GITHUB_OUTPUT
+echo "result=passed" >> $GITHUB_OUTPUT
+
+# Define cleanup function
+cleanup() {
+  if [ -n "$SNOWFLAKE_PRIVATE_KEY_FILE" ]; then
+    rm -f "$SNOWFLAKE_PRIVATE_KEY_FILE"
+  fi
+  if [ -n "$BIGQUERY_CREDENTIALS_JSON_FILE" ]; then
+    rm -f "$BIGQUERY_CREDENTIALS_JSON_FILE"
+  fi
+}
+
+# Set trap to call cleanup on script exit
+trap cleanup EXIT