Troubleshooting

Alation Cloud Service Applies to Alation Cloud Service instances of Alation

Customer Managed Applies to customer-managed instances of Alation

Core Connector Core connectors are included with all Alation platform tiers (subject to each tier’s connector limits) and are fully supported by Alation.

Refer to Troubleshoot OCF Connectors.

Refer to the following scenarios for help in troubleshooting common issues.

Database Access Error for External Tables

Problem

The following error message appears in the metadata extraction log while fetching external tables:

Database <database_name> does not exist or is not authorized.

Cause

Lack of neccessary permission to access information schema for external tables.

Solution

Execute the following command for the Snowflake database to provide access to the information schema for external tables:

GRANT USAGE ON DATABASE <database_name> TO <alation_role>;

GRANT USAGE ON ALL SCHEMAS IN DATABASE <database_name> TO ROLE <alation_role>;

GRANT REFERENCES ON ALL EXTERNAL TABLES in DATABASE <database_name> to ROLE <alation_role>;

MDE Displays the “Failed to parse data location” Warning

Metadata extraction (MDE) on a Snowflake data source shows a warning message about data location parsing.

Problem

During the extraction process, you notice the following warning message: Failed to parse data location: %s. However, it does not prevent metadata extraction from completing successfully. All other table metadata is extracted normally.

The warning appears in the following locations:

• The MDE job run reports on the Metadata Extraction > Job History tab

• The OCF connector logs

Cause

This warning occurs when Snowflake provides a data location URI that doesn’t match the expected format. Data location is optional metadata that specifies where table data is physically stored (such as cloud storage paths). Alation cannot interpret the specific location format returned by Snowflake for certain tables.

This behavior is not due to an error in your configuration; it’s due to variations in how Snowflake formats data location information.

Solution

No action is required from you. This is an informational warning that indicates:

1. Metadata extraction continues successfully for all table properties.

2. Alation cannot process only the optional data location information.

3. All essential metadata (tables, columns, schemas, etc.) is extracted normally.

4. Your data source functionality isn’t affected.

Test Connection Fails with Key Pair Authentication Errors

Test Connection fails when using key pair authentication with a Snowflake data source.

Authentication Setup Issues

You are configuring a Snowflake data source using key pair authentication. When you test the connection from the General Settings tab or attempt to connect to the data source, the connection fails with one of the following errors, preventing you from connecting to the Snowflake database:

• Error using the credentials for key pair authentication

• Error using the private key file

• Error using the credentials for key pair authentication: check the username of the private key

The error appears in the following locations:

• The Connection Test result dialog box

• The OCF connector logs

Cause

These errors occur when there are issues with the key pair authentication configuration. Common causes include:

• Invalid passphrase: The provided passphrase does not match the private key.

• Incorrect key format: The private key file is not in the required PKCS#8 format.

• Username mismatch: The specified username does not correspond to the user account that has the public key assigned in Snowflake.

Solution

Follow these steps to resolve key pair authentication issues:

1. Verify passphrase configuration

   1. Ensure you are providing the correct passphrase for the private key.

   2. If you generated the key without a passphrase, leave the passphrase field empty in Alation.

2. Check private key file format

   1. Verify the private key file is in PKCS#8 format.

   2. If needed, convert your key to PKCS#8 format following Snowflake documentation: Key-pair authentication and key-pair rotation.

3. Validate username and public key association

   1. Verify the username in Alation matches the Snowflake user account that has the public key assigned.

   2. Confirm the public key is properly associated with the user account by running this command in Snowflake:

      DESCRIBE USER <username>;
      

   3. The output should display the RSA_PUBLIC_KEY information for the specified user.

4. Re-test the connection

   Return to the data source General Settings tab and click Test Connection to verify the authentication is now working properly.

Enhanced Security Environment Issues

When you configure a Snowflake data source using key pair authentication, during test connection, the connection fails with one of the following errors:

• org.bouncycastle.crypto.fips.FipsUnapprovedOperationError: password must be at least 112 bits

• salt must be at least 128 bits

• Error using the credentials for key pair authentication

These errors appear in the OCF connector logs and prevent successful authentication to Snowflake.

Cause

The Bouncy Castle enhanced security provider enforces these security requirements:

• Passphrase requirements: The passphrase must exceed 16 characters to meet the minimum 112-bit entropy requirement.

• Key encryption standards: The key encryption scheme must use approved algorithms with proper salt lengths (minimum 128 bits).

• Encryption compatibility: Keys generated with standard methods may use encryption schemes that don’t meet enhanced security compliance standards.

Solution

Generate enhanced security compatible RSA keys using the following procedure:

Important

The following examples use placeholder values that MUST be replaced with your own secure values:

• UseAReallyLongPassphrase - Replace with your own strong passphrase (minimum 17 characters)

• <alation_user> - Replace with your actual Snowflake username

• <your_public_key_content> - Replace with your actual public key content

Never use the example passphrase values in production environments.

1. Generate RSA key pair with strong passphrase:

   1. Create a new RSA key pair using a passphrase longer than 16 characters:

      ssh-keygen -t rsa -b 2048 -m pkcs8 -f rsa_key_new -N "UseAReallyLongPassphrase"
      

   2. Generate the public key in PKCS#8 format:

      ssh-keygen -f rsa_key_new.pub -e -m pkcs8 > rsa_key_new_pkcs8.pub.pem
      

2. Set public key in Snowflake and validate:

   1. Configure the public key on your Snowflake user account:

      ALTER USER <alation_user> SET RSA_PUBLIC_KEY_FP='<your_public_key_content>';
      

   2. Get Snowflake checksum:

      DESC USER <alation_user>;
      SELECT SUBSTR(
        (SELECT "value" FROM $1 WHERE "property" = 'RSA_PUBLIC_KEY_FP'),
        LEN('SHA256:') + 1) AS key;
      

   3. Generate system checksum:

      openssl pkey -pubin -in rsa_key_new_pkcs8.pub.pem -outform DER | openssl dgst -sha256 -binary | openssl base64 -A
      

   4. Verify the checksums match to confirm proper key installation.

3. Re-encrypt private key with enhanced security compatible settings:

   1. Convert the private key to PEM format using the same passphrase:

      ssh-keygen -p -m PEM -f rsa_key_new -P "UseAReallyLongPassphrase" -N "UseAReallyLongPassphrase"
      

   2. Create a PKCS#8 encrypted key with approved encryption (PBES2 + AES-256-CBC):

      openssl pkcs8 -topk8 -inform PEM -in rsa_key_new -out rsa_key_new_fips.p8 -v2 aes-256-cbc -iter 100000
      

   3. When prompted, enter the same long passphrase used during initial key generation.

4. Configure connector with enhanced security compatible key:

   Use the generated rsa_key_new_fips.p8 file when configuring the private key in the Snowflake connector settings. Provide the corresponding long passphrase when configuring the private key.

5. Test the connection:

   Go to the General Setting tab and click Test Connection to verify that the enhanced security compatible authentication is working properly.

Note

The enhanced security compatible key generation process creates keys that meet the strict security requirements of the Bouncy Castle cryptographic provider while maintaining compatibility with Snowflake’s authentication system. Always use the long passphrase and approved encryption settings to avoid cryptographic compliance errors.

New or Updated Objects Not Appearing in Alation

After performing metadata extraction on a Snowflake data source, a newly created or updated database object (such as a table or schema) does not appear in Alation.

Problem

You have created or updated a database object in Snowflake. After running metadata extraction (MDE) on the Snowflake data source, the new or updated object does not appear in Alation.

Cause

You may experience a delay in viewing new or updated metadata (such as tables, views, tags, or policies) in Alation. This is due to inherent latency in the Snowflake ACCOUNT_USAGE views, which Alation uses for metadata extraction.

Solution

Wait for the Snowflake ACCOUNT_USAGE views to refresh. The latency can vary (45 minutes to 3 hours of latency). For details, see Account Usage. After waiting, run metadata extraction again to see the new or updated object in Alation.