Manage Snowflake on Azure local account passwords with CyberArk CPM rotations

I figured I would write about how to manage Snowflake on Azure account passwords since there currently is no official plugin in the CyberArk Marketplace.

Please try these items in your QA lab (and QA Snowflake Azure account(s)) before deploying to production. I’m not responsible for your own actions, including performing these in your company or your own environment.

Prerequisites —

  • CyberArk Oracle Out of the Box plugin.
    - If you don’t have one listed you can download and import this plugin — https://cyberark-customers.force.com/mplace/s/#a3550000000EiBwAAK-a3950000000jjUWAAY
  • Snowflake Azure ODBC driver (32-bit). https://docs.snowflake.com/en/user-guide/odbc-windows.html
  • RDP access to your CPM server(s)
  • Snowflake Azure company instance DNS name — for example, companyname.snowflakecomputing.com — along with any other connection details your Snowflake support team can provide.
  • Snowflake Azure support team’s admin access to assist with configuring required items.
  • Admin access to your PVWA site
  • CyberArk service account for reconcile account use.
  • Domain service account managed by a Windows domain platform policy for rotations.
  • Target Snowflake local accounts to rotate.
  • CPM server(s) allowed to utilize port 443 to your target Snowflake Azure environment.

Off we go —

  1. Log into your PVWA site as an administrator.
  2. Navigate to your platforms — Admin > Platform Management.
  3. Click on the Out of the box Oracle database platform.
  4. Click duplicate. Name the new platform. Follow your company’s naming scheme, or use something like <Company Name> Azure Snowflake for the platform name.
  5. Click Save & Close.
  6. Click on the Newly created platform name — <Company Name> Azure Snowflake. Click edit.
  7. Under Additional Policy Settings, adjust all of these items. Click Save after completed.
    ChangeCommand — ALTER USER %USER% Set Password='%NEWPASSWORD%'
    ReconcileCommand — ALTER USER %USER% Set Password='%NEWPASSWORD%'
    ConnectionCommand — Provider={SnowflakeDSIIDriver32};uid=%USER%;pwd=%LOGONPASSWORD%;server=%ADDRESS%
    DSN — SnowflakeDSIIDriver32
    ChangePasswordInResetMode — Yes
    CommandForbiddenCharacters — '\/@".'{}() -|*>~!^#
    CommandBlackList — delete, drop, exec, create, rename, truncate, comment, select, insert, update, merge, call, explain, lock, grant, revoke
    MinValidityPeriod — -1
  8. Under Password Complexity, adjust these items as required. Click Save after completed.
    PasswordLength — 25
    PWforbiddenChars — '/\@"'`.(){}-|*^~!#
  9. Adjust any other platform items you require. Click Save after completed.
  10. Now RDP into your assigned CPM server for configuring this plugin’s use.
  11. Copy over the Snowflake in Azure ODBC driver (32-bit or 64-bit, depending on your needs). Install and configure the ODBC driver under System DSN. Follow their documentation here —
    https://docs.snowflake.com/en/user-guide/odbc-windows.html .
    The ODBC DSN name you use must match the DSN value you entered above on the platform, for example SnowflakeDSIIDriver32 for the 32-bit driver. I'll note that only the 32-bit driver worked for me, not the 64-bit one.
  12. Log out of the CPM server.
  13. Work with your Snowflake team to adjust configurations in the Snowflake Azure environment. Ideally QA environment first, then deploy the same configs in Snowflake Prod.
    - Create a role to manage service account password rotations (for example, SERVICE_ACCOUNT_ADMIN).
    - Grant the global CREATE USER privilege to that role.
    - Transfer ownership of all service accounts to the SERVICE_ACCOUNT_ADMIN role.
    - Create a service account (Snowflake AD user — CYBERARK_SERVICE_ACCOUNT) that will be used by CyberArk CPM to authenticate to Snowflake and update passwords on behalf of the service accounts.
    - Assign the SERVICE_ACCOUNT_ADMIN role to the CYBERARK_SERVICE_ACCOUNT user.
    - (Optional) — Assign the SERVICE_ACCOUNT_ADMIN role to any other roles or users that may require the ability to rotate passwords or alter service account users (for example, ACCOUNTADMIN).
    - Review Snowflake documentation around the various items here — https://docs.snowflake.com/en/user-guide/security-access-control.html
  14. Pull your PVWA site back up. Add your Snowflake Azure local accounts. Associate the CYBERARK_SERVICE_ACCOUNT user account (domain svc account) as the Logon and Reconcile account for all of them.
    - Device Type — Database
    - Platform name — <Company Name> Azure Snowflake
    - Safe name — AZURE_SNOWFLAKE
  15. Assuming your domain service account (CYBERARK_SERVICE_ACCOUNT) password is set for use, kick off a password reconciliation for your target Snowflake Azure local accounts.
  16. Done. Victory dance!
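The Snowflake side of step 13, and the ALTER USER statement that the step 7 ChangeCommand/ReconcileCommand turn into, written out as the SQL an administrator would run in the Snowflake worksheet. This is an added example, not part of the original post or anything Snowflake or CyberArk ship: the role and CPM user names follow the post, while the two target service account names and the password literals are constructed placeholders.

```sql
-- Added example (not from the original post): Snowflake-side setup for step 13.
-- Run as ACCOUNTADMIN or another role holding the needed privileges.
-- SVC_APP_ETL and SVC_APP_REPORTING are constructed placeholder service accounts;
-- replace them with your own targets. Password literals are placeholders only.

USE ROLE ACCOUNTADMIN;

-- 1. Role that will own the service accounts and perform the rotations
CREATE ROLE IF NOT EXISTS SERVICE_ACCOUNT_ADMIN
  COMMENT = 'Owns Snowflake local service accounts; used by CyberArk CPM for password rotation';

-- 2. Global privilege the post asks for
GRANT CREATE USER ON ACCOUNT TO ROLE SERVICE_ACCOUNT_ADMIN;

-- 3. Transfer ownership of each service account to the role.
--    ALTER USER ... SET PASSWORD needs OWNERSHIP on the user, so this is what
--    lets the CPM ChangeCommand / ReconcileCommand succeed.
GRANT OWNERSHIP ON USER SVC_APP_ETL       TO ROLE SERVICE_ACCOUNT_ADMIN;
GRANT OWNERSHIP ON USER SVC_APP_REPORTING TO ROLE SERVICE_ACCOUNT_ADMIN;

-- 4. The account CPM logs in with (the platform's Logon / Reconcile account)
CREATE USER IF NOT EXISTS CYBERARK_SERVICE_ACCOUNT
  PASSWORD = 'REPLACE_WITH_INITIAL_PASSWORD'   -- placeholder; CPM rotates it once onboarded
  DEFAULT_ROLE = SERVICE_ACCOUNT_ADMIN
  MUST_CHANGE_PASSWORD = FALSE
  COMMENT = 'Used by CyberArk CPM to rotate service account passwords';

-- 5. Give the CPM user the role
GRANT ROLE SERVICE_ACCOUNT_ADMIN TO USER CYBERARK_SERVICE_ACCOUNT;

-- 6. (Optional, as in the post) let ACCOUNTADMIN use the role as well
GRANT ROLE SERVICE_ACCOUNT_ADMIN TO ROLE ACCOUNTADMIN;

-- Verification before pointing CPM at the account:
SHOW GRANTS TO ROLE SERVICE_ACCOUNT_ADMIN;    -- expect CREATE USER on ACCOUNT and OWNERSHIP on each target user
SHOW GRANTS TO USER CYBERARK_SERVICE_ACCOUNT; -- expect ROLE SERVICE_ACCOUNT_ADMIN

-- Manual dry run of what CPM executes: the platform's ChangeCommand with
-- %USER% and %NEWPASSWORD% substituted. Running it once as the CPM role
-- proves the ownership grants work before the first reconcile is kicked off.
USE ROLE SERVICE_ACCOUNT_ADMIN;
ALTER USER SVC_APP_ETL SET PASSWORD = 'REPLACE_WITH_TEST_PASSWORD';  -- placeholder
```

Two things to keep in mind when using this. The platform's CommandBlackList from step 7 contains create and grant, so the setup statements above must be run by an administrator in Snowflake directly, never pushed through CPM; only the final ALTER USER is what the CPM executes. And the dry-run password, like any password typed into a worksheet, should be treated as burned: let CPM reconcile the account immediately afterwards so the value CPM holds is the only valid one.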

Additional items to think about —

  1. Currently no official Snowflake + CyberArk plugin integrations exist. Reach out to your CyberArk account rep to request that they provide ones that are officially supported.
  2. Snowflake’s UI does not have an official UI configuration to enable AAM (CCP/AIM) API use. Reach out to your Snowflake account rep to request that they provide an ability to officially support integrating with CyberArk without any customization needed by your company.
  3. How often will you have the reconcile domain service account rotate — daily?
  4. For any issues you come across, work with your Snowflake in Azure team to assist with their side of the configurations required.
  5. If you require prod vs non-prod account separation, create two Snowflake safes using your naming scheme.

Looking for a partner in your Privileged Access Management rollout?

Check out my site here — https://www.keyvaultsolutions.com/pages/contact-us
