Snowflake Secret Engine rotation_period issue #129

@kamalesh0002

Description

I have integrated the Snowflake Secret Engine with HashiCorp Vault using a static role and key pair authentication. Vault is able to rotate the public key and generate the private key without any issues.

However, the issue arises with the rotation_period configuration.

In Snowflake, the master token session is valid for 4 hours. When the rotation_period is set to less than or equal to 4 hours, key rotation works as expected. But when it is set to greater than 4 hours, Vault fails to rotate the key.

This appears to be a limitation from Snowflake, where the master token expires after 4 hours. To perform rotation after the token expires, Vault would need to re-authenticate. However, it currently does not, resulting in failed rotations.

Steps to Reproduce:
Integrate Snowflake with HashiCorp Vault:

  1. Enable the Snowflake secret engine.
  2. Configure connection using key pair authentication.
  3. Create a static role.
  4. Configure Role with Rotation:

Example role configuration:

  vault write snowflake/roles/my-role \
    db_name=my-snowflake-db \
    rotation_statements='ALTER USER "{{name}}" SET RSA_PUBLIC_KEY="{{public_key}}";' \
    rotation_period=5h

Note: Ensure the rotation period is set greater than 4 hours.

Observe Rotation:
Initially the rotation might appear to work (before token expiry).
After 4 hours (token expiry), Vault attempts rotation again but fails silently or with errors (depending on logging level).

Reduce Rotation Period to 3h:
Reconfigure the role with rotation_period=3h.
Observe that the rotation now works consistently, confirming the issue is due to token session timeout.

Expected Behavior:
Vault should be able to re-authenticate before performing rotation after the token expires, or provide an appropriate warning/error indicating the issue.

Actual Behavior:
Rotation silently fails when rotation_period is greater than Snowflake’s 4-hour token expiration limit. Vault does not re-authenticate or retry with a new session.

Environment Details:
Snowflake Secret Engine Version: builtin
Authentication Method: Key Pair Authentication
Role Type: Static
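As an added example that is not part of this issue or of the Vault plugin, here is a defender-side audit a team could run on a schedule against the symptom described above: it parses Vault-style rotation_period values, flags static roles whose period is longer than the 4-hour Snowflake session lifetime, and flags roles whose last recorded rotation is overdue (the "silently fails" case). The role records, field names (name, rotation_period, last_vault_rotation), timestamps and the record shape are constructed assumptions, not real plugin output.

```python
import re
from datetime import datetime, timedelta, timezone

SNOWFLAKE_SESSION_TTL = timedelta(hours=4)  # session lifetime described in the issue

_DUR_RE = re.compile(r"(\d+)([dhms])")


def parse_vault_duration(value):
    """Parse a Vault duration ('5h', '1h30m', '2d', or bare seconds) into a timedelta."""
    if isinstance(value, int):
        return timedelta(seconds=value)
    value = value.strip()
    if value.isdigit():
        return timedelta(seconds=int(value))
    parts = _DUR_RE.findall(value)
    # Reject strings with leftover characters the regex did not consume (e.g. '5x').
    if not parts or "".join(n + u for n, u in parts) != value:
        raise ValueError(f"unrecognised duration: {value!r}")
    mult = {"d": 86400, "h": 3600, "m": 60, "s": 1}
    return timedelta(seconds=sum(int(n) * mult[u] for n, u in parts))


def audit_static_roles(roles, now, session_ttl=SNOWFLAKE_SESSION_TTL, grace=timedelta(minutes=15)):
    """Return {role_name: [findings]} for the constructed role records (assumed field names)."""
    findings = {}
    for role in roles:
        period = parse_vault_duration(role["rotation_period"])
        issues = []
        if period > session_ttl:
            issues.append("rotation_period exceeds session lifetime")
        last = datetime.fromisoformat(role["last_vault_rotation"])
        if now - last > period + grace:
            issues.append("rotation overdue")
        if issues:
            findings[role["name"]] = issues
    return findings


# Constructed sample of what an audit job might collect from `vault read -format=json` (assumed shape).
SAMPLE_NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_ROLES = [
    {"name": "my-role", "rotation_period": "5h", "last_vault_rotation": "2024-06-01T02:00:00+00:00"},
    {"name": "reporting", "rotation_period": 10800, "last_vault_rotation": "2024-06-01T10:30:00+00:00"},
    {"name": "etl", "rotation_period": "1d", "last_vault_rotation": "2024-06-01T00:00:00+00:00"},
]

if __name__ == "__main__":
    for name, issues in audit_static_roles(SAMPLE_ROLES, SAMPLE_NOW).items():
        print(f"{name}: {'; '.join(issues)}")
```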
