Step 4: Link the API Integration for Azure to the Proxy Service in the Portal
When an external function is called, Snowflake sends an HTTP POST command to the proxy service (i.e. Azure API Management service), which
relays the POST to the remote service (i.e. Azure Functions). A service principal in your Azure AD tenant allows Snowflake to
authenticate with Azure AD when calling the API Management service in your tenant.
This topic provides instructions for creating a service principal to link the API integration you created in the previous step with
your Azure API Management service. The instructions are the same regardless of whether you are using the Azure Portal or an ARM template.
For more information about service principals, see the Microsoft documentation:
Applications and service principals.
Obtain the App Name and Consent URL for the API Integration
Before you create a service principal, you need some information about the API integration:
If you haven’t already, log in to the Snowflake web interface.
Execute the DESCRIBE INTEGRATION command for the API integration you created in the previous step:
describe api integration <integration_name>;
From the DESCRIBE results:
Record the app name (from the AZURE_MULTI_TENANT_APP_NAME column) in the corresponding field in your tracking worksheet.
Record the consent URL (from the AZURE_CONSENT_URL column) in the corresponding field in your tracking worksheet.
The URL looks similar to the following:
Grant Snowflake Access to Your Azure Tenancy
To grant Snowflake access to your Azure tenancy, you need the AZURE_CONSENT_URL that you recorded earlier:
Paste the URL into your browser. When your browser resolves this URL, Azure automatically creates a service principal that represents
Snowflake in the tenant.
Note that you only need to create a service principal for Snowflake once per tenancy. After Snowflake has been granted access, access
does not need to be granted again. In other words, you do not need to grant access again for each new external function you create for
If Snowflake has already been granted access to your Azure tenancy, you should see the Snowflake web site, which should show something
similar to SNOWFLAKE THE CLOUD DATA PLATFORM. You can then skip the remaining tasks and proceed to
Step 5: Create the External Function for Azure in Snowflake.
If Snowflake has not yet been granted access, you should see a Microsoft Permissions requested page, and you should continue
to the next task.
Click the Accept button. This allows the Azure service principal created for your Snowflake account to obtain an access token
on any resource inside your Azure AD tenant.
At this point, you have finished creating a service principal in your tenant to represent Snowflake.
However, to enhance security, you should ensure that only authorized clients can access your Azure Function. Instructions for controlling
access are provided in the final step of the creation process.
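Because clicking Accept lets the Snowflake service principal obtain tokens in your tenant, it is worth checking the recorded AZURE_CONSENT_URL before opening it in a browser. The following is an added example, not code from this page or from Snowflake. It assumes the consent URL points at Microsoft's login host with your tenant ID as the first path segment and the application ID in a client_id query parameter; the page does not show the URL, so treat that shape, the function name and the sample values as assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: consent URLs are served from Microsoft's login host.
EXPECTED_HOST = "login.microsoftonline.com"
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

# Constructed sample values, not real tenant or application IDs.
MY_TENANT = "11111111-2222-3333-4444-555555555555"
SAMPLE_URL = (
    "https://login.microsoftonline.com/" + MY_TENANT + "/oauth2/authorize"
    "?client_id=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee&response_type=code"
)


def check_consent_url(url, expected_tenant_id):
    """Return a list of problems; an empty list means the URL passed."""
    problems = []
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        problems.append("scheme is not https")
    # Compare the whole authority, so userinfo, an explicit port or a
    # look-alike suffix on the host name all fail the check.
    if parts.netloc.lower() != EXPECTED_HOST:
        problems.append("unexpected host: %r" % parts.netloc)
    segments = [s for s in parts.path.split("/") if s]
    tenant = segments[0] if segments else ""
    if not GUID_RE.match(tenant):
        problems.append("first path segment is not a tenant GUID")
    elif tenant.lower() != expected_tenant_id.lower():
        problems.append("tenant ID does not match your tenant")
    client_ids = parse_qs(parts.query).get("client_id", [])
    if len(client_ids) != 1 or not GUID_RE.match(client_ids[0]):
        problems.append("client_id is missing, repeated, or not a GUID")
    return problems


if __name__ == "__main__":
    issues = check_consent_url(SAMPLE_URL, MY_TENANT)
    print("OK to open" if not issues else "Do not open: " + "; ".join(issues))
```

Pass the value you recorded in the tracking worksheet together with your own tenant ID, and open the URL only when the returned list is empty.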