Integration

API

  • allows access to an HTTPS proxy service and stores details such as the provider (e.g. AWS), an identifier and the access control (IAM role)
  • two types: cloud provider API and git_https_api

EXTERNAL ACCESS

  • allows access to an external network

NOTIFICATION

  • types:
    1. Queues: AWS SNS, GCP pubsub (both inbound/outbound), Azure event grid (both inbound/outbound)
    2. Email
    3. Webhook
  • push (type=queue): Snowpipe error notifications
  • automated (type=queue direction=outbound): Snowpipe data loads, directory table / external table metadata refreshes
    • Note: GCP and Azure only; Snowflake on AWS uses SQS
  • email: always uses AWS SES
    • emails can only be sent to Snowflake users with a verified email address
    • sending can be restricted to specific addresses with allowed_recipients, and/or default_recipients can be specified
    • used by the system$send_email stored procedure to send emails
  • webhook

sending notifications

  • the stored procedure system$send_snowflake_notification can send a message through a notification integration to email, a webhook or queues
  • the message is specified as {"<content_type>": "<message_contents>"}
    • content-type can be text/plain, text/html or application/json
  • the integration is specified as {"<integration>": {<options>}}
    • e.g. { "my_email_int": { "subject": "Different subject", "toAddress": ["person_a@example.com"] } }
  • for webhook notification

SECURITY

  1. TYPE=API_AUTHENTICATION
  2. TYPE=EXTERNAL_OAUTH
  3. TYPE=OAUTH (Snowflake OAuth): for partner applications (TABLEAU_DESKTOP, TABLEAU_SERVER or LOOKER) or custom applications
  4. TYPE=SAML2: specify the URLs as follows
    • SAML2_SNOWFLAKE_ISSUER_URL (https://<org>-<acct>.snowflakecomputing.com)
    • SAML2_SNOWFLAKE_ACS_URL (https://<org>-<acct>.privatelink.snowflakecomputing.com/fed/login)
  5. TYPE=SCIM
    • Supports SCIM_CLIENT = OKTA, AZURE OR CUSTOM
    • Can use NETWORK_POLICY

STORAGE

  • Snowflake creates a single IAM user that is referenced by all storage integrations
  • one storage integration can support multiple external stages, as long as their locations fall within storage_allowed_locations

CATALOG

Create Integration (AWS)

  1. Create a policy that grants the following permissions
    • notification: sns:Publish on the SNS topic ARN
    • storage: s3:GetBucketLocation and s3:ListBucket on the buckets, s3:GetObject and s3:GetObjectVersion on the objects; s3:PutObject and s3:DeleteObject for writes to S3
    • glue catalog: glue:GetTable and glue:GetTables permissions, with a Resource list covering the table, catalog and database patterns
  2. Create an AWS role (trusted entity: another AWS account, require an external ID), attaching the policy created above
  3. Create the integration
    • notification integration with direction = outbound, the SNS topic ARN and the IAM role ARN
    • storage integration using the IAM role ARN
  4. Run DESCRIBE INTEGRATION and note down {STORAGE/SF/GLUE}_AWS_IAM_USER_ARN and {STORAGE/SF/GLUE}_AWS_EXTERNAL_ID
  5. Edit the IAM role and modify its trust relationship to grant sts:AssumeRole to that IAM user, with a Condition that checks sts:ExternalId
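The trust relationship from step 5 is what stops any other Snowflake tenant (or anyone who learns the role ARN) from assuming the role, so it is worth building and checking it programmatically. The example below is added here and is not from Snowflake or AWS documentation; the IAM user ARN and external ID are constructed placeholders standing in for the values returned by DESCRIBE INTEGRATION in step 4.

```python
import json

# Constructed placeholders for the DESCRIBE INTEGRATION output from step 4
SF_IAM_USER_ARN = "arn:aws:iam::123456789012:user/example-snowflake-user"  # placeholder
SF_EXTERNAL_ID = "EXAMPLEACCOUNT_SFCRole=0_PLACEHOLDER"                    # placeholder


def build_trust_policy(iam_user_arn: str, external_id: str) -> dict:
    """Trust relationship for the role from step 2: only the Snowflake IAM user
    may call sts:AssumeRole, and only when it presents the expected external ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": iam_user_arn},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def audit_trust_policy(policy: dict, expected_external_id: str) -> list:
    """Return one finding per Allow statement that grants sts:AssumeRole without
    the sts:ExternalId condition, or to a wildcard principal."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "sts:AssumeRole" not in actions and "sts:*" not in actions:
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append(f"statement {i}: wildcard principal may assume the role")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:ExternalId") != expected_external_id:
            findings.append(f"statement {i}: missing or wrong sts:ExternalId condition")
    return findings


if __name__ == "__main__":
    policy = build_trust_policy(SF_IAM_USER_ARN, SF_EXTERNAL_ID)
    print(json.dumps(policy, indent=2))          # paste into the role's trust relationship
    print(audit_trust_policy(policy, SF_EXTERNAL_ID))  # [] when the policy is correct
```

Running the audit over the trust policy exported from an existing role (aws iam get-role) catches the common drift where the external ID condition was dropped during a later edit.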