Right clicking on the libraries (compare): Using USER: Using AUTHDOMAIN:   ... View more

Here is a step forward to coding the libname for SAS to Snowflake Connector using an RSA key + Passphrase.  Replace USER with AUTHDOMAIN. LIBNAME TEST SNOW SERVER="snowflakecomputing.com" DATABASE='TESTONE' WAREHOUSE='DEMO_ONE' SCHEMA='TITLE' ROLE='USER_ROLE' USER='SASUSER_01' CONOPTS="AUTHENTICATOR=SNOWFLAKE_JWT; PRIV_KEY_FILE=/LOCATION/OF/KEY/rsa_key.p8; PRIV_KEY_FILE_PWD=XXXXXXXXXXX;";   With the above code, there is no filtering on the part of the users that can run the code.  Those with SAS access can run the code and see the tables. What I have tested is to add the AUTHDOMAIN into the code and remove the USER line.  This will do three things: 1.  Filter the right users to have access to the connection.  Only those groups who are given access with the AUTHDOMAIN are able to run the code. 2.  In SAS EG, right clicking to the library use to give full information about the libname.  Now, those details are hidden including the USER ID. 3. USERID is hidden from user.  This is an important component for logging to snowflake. Without a userid, a user cannot no login even with an RSA key and a passphrase. The code that I ran is like the one below.  NO USER line and uses AUTHDOMAIN: LIBNAME TEST SNOW SERVER="snowflakecomputing.com" DATABASE='TESTONE' WAREHOUSE='DEMO_ONE' SCHEMA='TITLE' ROLE='USER_ROLE' AUTHDOMAIN='TEST_RSA_CONNECT' CONOPTS="AUTHENTICATOR=SNOWFLAKE_JWT; PRIV_KEY_FILE=/LOCATION/OF/KEY/rsa_key.p8; PRIV_KEY_FILE_PWD=XXXXXXXXXXX;"; ... View more

Thanks for this @JCabralSAS .  I have gone through the path you outlined and couldn't find a solution that would actually work.  The closest one would be to use the ODBC engine and mask the password and maybe the path to the private key file using some environmental variables.  As you mentioned there are a lot of challenges and there are other options like PAT.  user FreshStarter is also keen to find out what works best for this so I guess there are others out there facing these challenges.   ... View more

@JCabralSAS - For the first two you have suggested, the pwencode will not work because the encoded password is framed inside the conopts command (java based).  Neither will a macro variable when called inside the conopts command.   So: PRIV_KEY_FILE_PWD={SAS002}706634535C9F3B793CCCB39C4F553FA2;  <- will not be read by conopts nor PRIV_KEY_FILE_PWD=&password.;  I tried using ODBC engine and while it works, you need to chmod the permissions for the odbc.ini path for users to read the file which means that they can get to the password using a terminal and running a command such as: cat /etc/odbc.ini  and examine the odbc.ini file where the password is stored.   For the third option you suggested users having their own private key files, this will be difficult to control from a security stand point. Normally,  a username and password (snowflake account) is embedded in an authdomain and we assign AD groups to these authdomains. Similarly, if an RSA key is used, the key will be shared across an AD group else if each user has their own unique private key, these need to be mapped to the snowflake service account thru a jenkins pipeline job.  In the end, this means that one snowflake service account gets mapped to multiple service keys instead of just one. ... View more

@SASKiwi - thank you for your response.  We use authdomain to hide username and password when creating SAS to Snowflake connection but with an RSA key, it won't work because to connect to snowflake using an RSA key uses the conopts command like so:   LIBNAME TEST SNOW SERVER="snowflakecomputing.com" DATABASE='TESTONE' WAREHOUSE='DEMO_ONE' SCHEMA='TITLE' ROLE='USER_ROLE' USER='SASUSER_01' CONOPTS="AUTHENTICATOR=SNOWFLAKE_JWT; PRIV_KEY_FILE=/LOCATION/OF/KEY/rsa_key.p8; PRIV_KEY_FILE_PWD=XXXXXXXXXXX;"; Adding an authdomain to hide the username and priv_key_file like so: LIBNAME TEST SNOW SERVER="snowflakecomputing.com" DATABASE='TESTONE' WAREHOUSE='DEMO_ONE' SCHEMA='TITLE' ROLE='USER_ROLE' CONOPTS="AUTHENTICATOR=SNOWFLAKE_JWT; PRIV_KEY_FILE=/LOCATION/OF/KEY/rsa_key.p8;" AUTHDOMAIN=USER_AUTHDOMAIN; The password inside the AUTHDOMAIN does not get passed to the authenticator (snowflake_jwt).   ... View more

Hi Joe, Thanks for a very thorough set of instructions to set up the snowflake connector using ODBC and also the SNOW engines.  The challenge I am facing now is to try to hide the RSA password from my users (I am a SAS Admin).  If I use the SNOW engine and register the tables, the user can still right-click to the library in SAS Enteprise Guide and look at properties and see the libname statement for that library with the RSA key location and the password if encrypted.  If I use ODBC, the ODBC ini file becomes accessible to the user and will result in the same ending.   Is there a way of hiding the password for the RSA key and for either engines (ODBC and SNOW) to work? Many thanks. ... View more

Thanks for the info.  I got it working.  Totally informative added info for monitoring usage. ... View more

This worked fine.  But when I try to extract the data using esm-maintenance utility, I can't find the csv file 'esm-events-logevents'.  Do I need to configure a file to get this output? Thanks. ... View more

Thanks for your response Simon.  Yes I am referring to the Enviroment Dashboard in SAS Viya 3.5.  The small charts at the bottom (reports) are dependent on various system data tables that are automatically updated and populated and loaded by SAS Viya.  Sometimes, these system tables go missing and when they do, the small charts do not work anymore.  Some tables in system data folder include CAS, CAS_NODE and CAS_SYSTEM and also the AUDIT tables.  Here is the same problem: https://communities.sas.com/t5/SAS-Viya/Can-t-see-CAS-Activity-report-in-SAS-Viya/td-p/538780   Thank you for looking into this.  Might just discover a quick solution rather than having to restart the whole server.  Cheers. ... View more

Hi Simon,  When some system tables go missing for whatever reason (CAS, CAS_NODE, CAS_SYSTEM ) for example and the small charts below the Dashboard do not populate because of the missing tables, is there a manual way (running a code or set of codes) to bring missing system tables in CAS up and running?  The only way right now would be to do a full reboot of the SAS Viya system.  Thanks for any help. ... View more

Has there been no reply to this question?  The sentiment as well as the topic of the different documents in the word cloud would be nice to export for all the documents so you have the original file with the sentiment scores and topics appended to it.  How can we get this?    Cheers. ... View more