azure azure-devops azure-pipelines snowflake-cloud-data-platform azure-keyvault

Azure DevOps Pipeline Error: Password Not an Integer in snowsql Command

I'm encountering an issue with my Azure DevOps pipeline where I'm trying to run a snowsql command with a password retrieved from Azure Key Vault. The pipeline retrieves the secret correctly, but when I use it in the snowsql command, I get an error stating that the password is not an integer.

Here is the relevant part of my pipeline script:

- script: |
    export PATH=$PATH:~/snowflake
    echo "Running Snowflake Initialization Scripts..."
    ~/snowflake/snowsql -a "$SNOWSQL_ACCOUNT" -u "$SNOWSQL_USER" -r "$SNOWSQL_ROLE" -w "$SNOWSQL_WAREHOUSE" -p "$(SnowflakePassword)" -f scripts/1_initialize_db.sql
  displayName: 'Run Snowflake Initialization Scripts'

Error message:

Running Snowflake Initialization Scripts...
<my snowflake secret password> is not a valid integer
Try "snowsql --help" for more information.

##[error]Bash exited with code '2'.

I am seeing the secret value in the error so I am getting it back. Just not sure how to update the script to not capture as an integer.

What I've tried:

Verified secret in Key Vault: the secret is correctly stored in Azure Key Vault.
Checked access policies: the service principal has Get and List permissions for the secret.
Used variable expansion: ensured that the variable is correctly expanded using curly braces.

Observations

When I use curly brackets for variable expansion, the password appears blank in the error message.
When I use the password with round brackets, it shows the actual password but results in the same error.

Additional information:

The password contains special characters.
I have verified the environment variable is set correctly by printing it before running the snowsql command.

Question

How can I correctly pass the password retrieved from Azure Key Vault to the snowsql command in my Azure DevOps pipeline without encountering the "not an integer" error?

Thank you for your help!

Solution

Consider setting environment variables at the task level - it might help to avoid issues such as encoding, special characters, etc.

Instead of specifying the password in the command line:

- script: |
    export PATH=$PATH:~/snowflake
    echo "Running Snowflake Initialization Scripts..."

    ~/snowflake/snowsql ... -p "$(SnowflakePassword)" ...
  displayName: 'Run Snowflake Initialization Scripts'

Try using the SNOWSQL_PWD environment variable, as per Specifying passwords when connecting:

- script: |
    export PATH=$PATH:~/snowflake
    echo "Running Snowflake Initialization Scripts..."

    # snowsql command WITHOUT the -p option
    ~/snowflake/snowsql ...
  displayName: 'Run Snowflake Initialization Scripts'
  env:
    SNOWSQL_PWD: $(SnowflakePassword) # <----------------- set environment variable