CREATE API INTEGRATION

Creates a new API integration object in the account, or replaces an existing API integration.

An API integration object stores information about an HTTPS proxy service, including information about:

  • The cloud platform provider (e.g. Amazon AWS).

  • The type of proxy service (in case the cloud platform provider offers more than one type of proxy service).

  • The identifier and access credentials for a cloud platform role that has sufficient privileges to use the proxy service. For example, on AWS, the role’s ARN (Amazon resource name) serves as the identifier and access credentials.

    When this cloud user is granted appropriate privileges, Snowflake can use this user to access resources on the proxy service (an instance of the cloud platform’s native HTTPS proxy service, for example, an instance of an Amazon AWS API Gateway).

  • An API integration object also specifies allowed (and optionally blocked) endpoints and resources on those proxy services.

See also:

ALTER API INTEGRATION, DROP INTEGRATION, SHOW INTEGRATIONS, External Functions, CREATE EXTERNAL FUNCTION

Syntax

The syntax is different for each cloud platform.

For Amazon AWS API Gateway

CREATE [ OR REPLACE ] API INTEGRATION [ IF NOT EXISTS ] <integration_name>
    API_PROVIDER = <provider_info>
    API_AWS_ROLE_ARN = '<iam_role>'
    ENABLED = { TRUE | FALSE }
    API_ALLOWED_PREFIXES = ('<...>')
    [ API_BLOCKED_PREFIXES = ('<...>') ]
    [ COMMENT = '<string_literal>' ]
    ;

Required Parameters

For Amazon AWS API Gateway

integration_name

Specifies the name of the API integration. This name follows the rules for Object Identifiers. The name should be unique among API integrations in the current schema.

provider_info

Specifies the HTTPS proxy service type. Valid values are:

  • aws_api_gateway: for Amazon AWS API Gateway.

iam_role

For Amazon AWS, this is the ARN (Amazon resource name) of a cloud platform role.

ENABLED = { TRUE | FALSE }

Specifies whether this API integration is enabled or disabled. If the API integration is disabled, any external function that relies on it will not work.

The value is case-insensitive.

The default is TRUE.

API_ALLOWED_PREFIXES = (...)

Explicitly limits external functions that use the integration to reference one or more HTTPS proxy service endpoints (e.g. Amazon AWS API Gateway) and resources within those proxies. Supports a comma-separated list of URLs, which are treated as prefixes (for details, see below).

Each URL in API_ALLOWED_PREFIXES = (...) is treated as a prefix. For example, if you specify:

https://xyz.amazonaws.com/production/

that means all resources under

https://xyz.amazonaws.com/production/

are allowed. For example the following is allowed:

https://xyz.amazonaws.com/production/ml1

To maximize security, you should restrict allowed locations as narrowly as practical.

Optional Parameters

API_BLOCKED_PREFIXES = (...)

Lists the endpoints and resources in the HTTPS proxy service that are not allowed to be called from Snowflake.

The possible values for locations follow the same rules as for API_ALLOWED_PREFIXES above.

API_BLOCKED_PREFIXES takes precedence over API_ALLOWED_PREFIXES. If a prefix matches both, then it is blocked. In other words, Snowflake allows all values that match API_ALLOWED_PREFIXES except values that also match API_BLOCKED_PREFIXES.

If a value is outside API_ALLOWED_PREFIXES, you do not need to explicitly block it.
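An added example (not Snowflake's code) that applies the prefix semantics described above to candidate external-function URLs: each entry is a plain string prefix, a URL must match some API_ALLOWED_PREFIXES entry, and a match on API_BLOCKED_PREFIXES wins. The gateway hostname, stage names, function names and the assumption that matching is plain string comparison are constructed for illustration; any normalization Snowflake performs internally is not modelled.

```python
# Added example (not Snowflake's code): evaluates a candidate external-function
# URL against API_ALLOWED_PREFIXES / API_BLOCKED_PREFIXES using the semantics
# this page describes: each entry is a string prefix, and a blocked match wins.
# Plain string-prefix matching is an assumption; Snowflake's internal
# normalization (if any) is not modelled here.

def is_url_permitted(url, allowed_prefixes, blocked_prefixes=()):
    """True only if url starts with an allowed prefix and with no blocked prefix."""
    if not any(url.startswith(p) for p in allowed_prefixes):
        return False  # outside the allow-list: nothing needs to be blocked
    return not any(url.startswith(p) for p in blocked_prefixes)

def audit_external_functions(functions, allowed_prefixes, blocked_prefixes=()):
    """Return the (sorted) names of functions whose URL the integration would not permit."""
    return sorted(name for name, url in functions.items()
                  if not is_url_permitted(url, allowed_prefixes, blocked_prefixes))

def loose_prefixes(prefixes):
    """Flag prefixes without a trailing '/': under plain prefix matching they also
    cover sibling paths that merely share leading characters
    ('.../production' matches '.../production_old/...')."""
    return [p for p in prefixes if not p.endswith("/")]

# Constructed sample values (hypothetical gateway hostname, stages and functions).
ALLOWED = ("https://xyz.execute-api.us-west-2.amazonaws.com/production/",)
BLOCKED = ("https://xyz.execute-api.us-west-2.amazonaws.com/production/admin/",)
FUNCTIONS = {
    "local_echo":   "https://xyz.execute-api.us-west-2.amazonaws.com/production/remote_echo",
    "reset_models": "https://xyz.execute-api.us-west-2.amazonaws.com/production/admin/reset",
    "staging_echo": "https://xyz.execute-api.us-west-2.amazonaws.com/staging/remote_echo",
    "plain_http":   "http://xyz.execute-api.us-west-2.amazonaws.com/production/remote_echo",
}

if __name__ == "__main__":
    print("not permitted:", audit_external_functions(FUNCTIONS, ALLOWED, BLOCKED))
    print("loose prefixes:", loose_prefixes(
        ("https://xyz.execute-api.us-west-2.amazonaws.com/production",)))
```

Running the audit before issuing CREATE EXTERNAL FUNCTION statements shows which URLs a given allow/block configuration would reject, and loose_prefixes highlights allow-list entries worth tightening with a trailing slash.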

COMMENT = '<string_literal>'

A description of the external function.

Usage Notes

  • Only Snowflake users who have the ACCOUNTADMIN role or who have a role with the global CREATE INTEGRATION privilege can execute CREATE API INTEGRATION.

  • Only Snowflake roles with OWNERSHIP or USAGE privileges on the API integration can use the API integration directly, for example by creating an external function that specifies that API integration.

  • An API integration object is tied to a specific cloud platform account and role within that account, but not to a specific HTTPS proxy URL. You can create more than one instance of an HTTPS proxy service in a cloud provider account, and you can use the same API integration to authenticate to multiple proxy services in that account.

  • Your Snowflake account can have multiple API integration objects, for example, for different cloud platform accounts.

  • Multiple external functions can use the same API integration object, and thus the same HTTPS proxy service.

  • On AWS, external functions require regional endpoints. For details, see Amazon AWS API Gateway.

Examples

This example shows creation of an API integration and use of that API integration in a subsequent CREATE EXTERNAL FUNCTION statement:

create or replace api integration demonstration_external_api_integration_01
    api_provider=aws_api_gateway
    api_aws_role_arn='arn:aws:iam::123456789012:role/my_cloud_account_role'
    api_allowed_prefixes=('https://xyz.execute-api.us-west-2.amazonaws.com/production')
    enabled=true;

create or replace external function local_echo(string_col VARCHAR)
    returns variant
    api_integration = demonstration_external_api_integration_01
    as 'https://xyz.execute-api.us-west-2.amazonaws.com/production/remote_echo';