support jwt in aws wif #2766

Open

sfc-gh-yuzzhang wants to merge 10 commits into main from yuzzhang-aws-wif-driver

Conversation

sfc-gh-yuzzhang commented Feb 16, 2026

Please answer these questions before submitting your pull requests. Thanks!

  1. What GitHub issue is this PR addressing? Make sure that there is an accompanying issue to your PR.

JIRA: SNOW-2919437

Test Coverage

Unit Tests

test/unit/test_auth_workload_identity.py - covers the driver-side logic

E2E Tests

test/wif/test_wif.py::test_should_authenticate_using_aws_outbound_token - covers full authentication flow on AWS

Test Scenarios (Gherkin)

Feature: AWS WIF outbound token authentication

Scenario: SNOWFLAKE_ENABLE_AWS_WIF_OUTBOUND_TOKEN=true → use JWT token format
Given SNOWFLAKE_ENABLE_AWS_WIF_OUTBOUND_TOKEN is set to "true"
When the connector creates an AWS attestation
Then GetWebIdentityToken is called and a JWT token is returned

Scenario: SNOWFLAKE_ENABLE_AWS_WIF_OUTBOUND_TOKEN=false → use old presigned URL format
Given SNOWFLAKE_ENABLE_AWS_WIF_OUTBOUND_TOKEN is set to "false"
When the connector creates an AWS attestation
Then a presigned GetCallerIdentity request is used as the token

Scenario: SNOWFLAKE_ENABLE_AWS_WIF_OUTBOUND_TOKEN not set → use old presigned URL format
Given SNOWFLAKE_ENABLE_AWS_WIF_OUTBOUND_TOKEN is not set
When the connector creates an AWS attestation
Then a presigned GetCallerIdentity request is used as the token

Scenario: End-to-end authentication with outbound JWT token on AWS
Given SNOWFLAKE_ENABLE_AWS_WIF_OUTBOUND_TOKEN is set to "true"
And the application is running on AWS with an IAM role attached
When the connector connects with authenticator=WORKLOAD_IDENTITY and provider=AWS
Then the connection succeeds and CURRENT_USER() returns the expected user

VM test results:

Without issuer (v2 hint) and param enabled in driver -> get error
without_issuer_param_enable_error

Without issuer (v2 hint) and param disabled in driver -> works well (current behaviour)
without_issuer_param_disable_success

With issuer (v3 hint) and param disabled in driver -> works well (backward compatibility)
with_issuer_param_disable_success

With issuer (v3 hint) and param enabled in driver -> success!
with_issuer_param_enable_success

Security Review (in progress)

https://developer-portal.m1.us-west-2.aws.app.snowflake.com/reviews/security/52fdaf58-2adc-41e2-8732-421a18204033

  1. Fill out the following pre-review checklist:

    • I am adding a new automated test(s) to verify correctness of my new code
    • I am adding new logging messages
    • I am adding a new telemetry message
    • I am modifying authorization mechanisms
    • I am adding new credentials
    • I am modifying OCSP code
    • I am adding a new dependency
  2. Please describe how your code solves the related issue.
    Implements JWT token validation for AWS Outbound Identity Federation.
    Previously, AWS WIF used pre-signed STS requests that GS forwarded to AWS for validation. This PR migrates to AWS's GetWebIdentityToken API, which returns a standard JWT token.

  3. (Optional) PR for stored-proc connector:

Will update DESCRIPTION.md after getting the expected release date.
Did not change the async path, because it is currently frozen: https://snowflakecomputing.atlassian.net/browse/SNOW-2905263
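The gate the Gherkin scenarios above describe (JWT from GetWebIdentityToken when SNOWFLAKE_ENABLE_AWS_WIF_OUTBOUND_TOKEN is "true", presigned GetCallerIdentity request otherwise), as an added example that is not code from the connector or from this PR. The names create_aws_attestation, inspect_jwt and FakeAwsClient are this example's own, the STS client is a stand-in that records which path was taken, and the JWT and presigned-request contents are constructed test values, not real AWS output. The example also adds a structural pre-flight check on the JWT (three segments, alg not "none", iss/sub present, not expired) that the page does not describe; it is an assumption about what a driver would reasonably do before sending the token.

```python
"""Constructed example: env-var gate between the two AWS attestation formats.

Not the connector's own code. create_aws_attestation, inspect_jwt and
FakeAwsClient are names assumed for this example; the JWT and the presigned
request below are constructed test values, not real AWS output.
"""
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass

ENV_FLAG = "SNOWFLAKE_ENABLE_AWS_WIF_OUTBOUND_TOKEN"


def outbound_token_enabled(env):
    # Only the literal "true" enables the JWT path; "false", unset or anything
    # else keeps the presigned-request behaviour. Case-folding is an assumption.
    return env.get(ENV_FLAG, "").strip().lower() == "true"


def _b64url_decode(segment):
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_jwt(token, now=None):
    """Structural checks before the token is sent as an attestation.

    The signature is NOT verified here; the Snowflake side validates the
    token. This only rejects tokens that could never be accepted: malformed,
    unsigned (alg=none), missing iss/sub, or already expired.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    if str(header.get("alg", "none")).lower() == "none":
        raise ValueError("unsigned JWT (alg=none) is never acceptable")
    if not claims.get("iss") or not claims.get("sub"):
        raise ValueError("JWT must carry iss and sub")
    exp = claims.get("exp")
    now = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("JWT missing exp or already expired")
    return header, claims


@dataclass
class Attestation:
    provider: str
    credential: str    # the JWT itself, or the JSON-encoded presigned request
    token_format: str  # "jwt" or "presigned_request"


class FakeAwsClient:
    """Stand-in for the STS calls; records which path was taken."""

    def __init__(self, jwt):
        self.jwt = jwt
        self.web_identity_calls = 0
        self.presign_calls = 0

    def get_web_identity_token(self):
        self.web_identity_calls += 1
        return self.jwt

    def presign_get_caller_identity(self):
        self.presign_calls += 1
        # Constructed shape carrying the three fields the server-side error in
        # the thread names ("url", "method", "headers"); not a real signed URL.
        return {
            "url": "https://sts.us-west-2.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15",
            "method": "POST",
            "headers": {"Host": "sts.us-west-2.amazonaws.com"},
        }


def create_aws_attestation(client, env, now=None):
    """Pick the token format from the env var, then build the attestation."""
    if outbound_token_enabled(env):
        token = client.get_web_identity_token()
        inspect_jwt(token, now)
        return Attestation("AWS", token, "jwt")
    request = client.presign_get_caller_identity()
    return Attestation("AWS", json.dumps(request, sort_keys=True), "presigned_request")


def make_constructed_jwt(claims, key=b"constructed-test-key"):
    """HS256-signed token for local tests only; it does not model AWS's signing."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    signing_input = enc({"alg": "HS256", "typ": "JWT"}) + "." + enc(claims)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + base64.urlsafe_b64encode(sig).rstrip(b"=").decode()


SAMPLE_CLAIMS = {  # constructed values, not a real STS token
    "iss": "https://sts.example.invalid",
    "sub": "arn:aws:sts::123456789012:assumed-role/example-role/session",
    "aud": "snowflakecomputing.com",
    "exp": 2_000_000_000,
}

if __name__ == "__main__":
    client = FakeAwsClient(make_constructed_jwt(SAMPLE_CLAIMS))
    for value in ("true", "false", None):
        env = {} if value is None else {ENV_FLAG: value}
        att = create_aws_attestation(client, env, now=1_700_000_000)
        print(f"{ENV_FLAG}={value!r}: {att.token_format}")
```

Running the module walks the three scenarios from the description in order: "true" takes the JWT path, "false" and unset both fall back to the presigned request, and the client's counters show that GetWebIdentityToken is called only in the first case. The pre-flight check fails closed, so an expired or unsigned token is rejected locally instead of producing a less specific error from the server.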

github-actions bot commented Feb 16, 2026

All contributors have signed the CLA ✍️ ✅
Posted by the CLA Assistant Lite bot.

sfc-gh-yuzzhang (Author):

I have read the CLA Document and I hereby sign the CLA

@sfc-gh-yuzzhang sfc-gh-yuzzhang added NO-CHANGELOG-UPDATES This pull request does not need to update CHANGELOG.md and removed NO-CHANGELOG-UPDATES This pull request does not need to update CHANGELOG.md labels Feb 18, 2026
@sfc-gh-yuzzhang sfc-gh-yuzzhang marked this pull request as ready for review February 18, 2026 22:35
@sfc-gh-yuzzhang sfc-gh-yuzzhang requested a review from a team as a code owner February 18, 2026 22:35
sfc-gh-pmansour (Contributor) left a comment

Thanks!

Have you had a chance to test this e2e yet, eg. on an AWS VM?

sfc-gh-yuzzhang (Author) commented Feb 19, 2026

Thanks!

Have you had a chance to test this e2e yet, eg. on an AWS VM?

Thanks! I've already tested on a VM, but because the GS side hasn't been merged yet, I got the error from GS: snowflake.connector.errors.DatabaseError: 250001 (08001): Failed to connect to DB: wif_tests.qa6.us-west-2.aws.snowflakecomputing.com:443. The AWS STS request was improperly encoded or was missing a required field ("url", "method", "headers").
I'll test again after the GS side is set up, and will only merge after confirming everything works.

sfc-gh-xizhao (Contributor) left a comment

LGTM, thanks!

sfc-gh-turbaszek (Contributor):

please add appropriate change log entry to DESCRIPTION.md

sfc-gh-yuzzhang force-pushed the yuzzhang-aws-wif-driver branch from 5b2a016 to 6645b36 on March 26, 2026 21:21
sfc-gh-yuzzhang (Author):

please add appropriate change log entry to DESCRIPTION.md

Thanks, updated

Review comment on these lines of the unit test:

assert fake_aws_environment.assume_role_call_count == 2


@pytest.mark.parametrize(

sfc-gh-rsavenok (Contributor) commented Mar 26, 2026

We also need to have e2e test in test/wif/test_wif.py (ask llm to explain how that e2e test is executed)

sfc-gh-yuzzhang (Author):

Thanks for comments! I have 2 questions to get the e2e test working:

  1. The e2e test requires updating the WORKLOAD_IDENTITY configuration on TEST_WIF_E2E_AWS in sfctest0. May I know whom I should reach out to for that?
  2. The GS-side changes are merged but not yet rolled out to prod. Does the CI run against a prod or non-prod environment? And would the e2e test need to wait for the full GS rollout?

Thanks!

sfc-gh-yuzzhang (Author):

It seems TEST_WIF_E2E_AWS is a test user used in our team; cc @sfc-gh-xizhao if you have any idea, thanks!

Contributor:

Are the changes available on preprod? We could write a test there first and later switch to sfctest0

Ping @sfc-gh-akolodziejczyk on Slack to get access to the accounts we use for wif e2e tests.

e2e tests are super important, as when we worked on WIF in other drivers based on Python implementation, we had some drivers not connecting because of wrong implementation

sfc-gh-yuzzhang (Author) commented Mar 27, 2026

Thanks for the suggestion. The e2e test test_should_authenticate_using_aws_outbound_token is added in test/wif/test_wif.py.

I've also manually validated the full flow on qa6 using the current branch (AWS VM) across all 4 scenarios; details are in the Description section.
The CI test is currently failing because the GS param hasn't rolled out to prod yet, and TEST_WIF_E2E_AWS in sfctest0 needs some configuration after the GS rollout. I'll reach out to get the test account set up. The CI test will pass once GS is fully rolled out to prod and the account is configured.
