CREATE CATALOG INTEGRATION (Iceberg REST)¶

Creates a new catalog integration in the account or replaces an existing catalog integration for Iceberg tables managed in a remote catalog that complies with the open source Apache Iceberg REST OpenAPI specification.

Note

To create an integration for Polaris Catalog, see CREATE CATALOG INTEGRATION (Polaris Catalog) instead.

See also:

DROP CATALOG INTEGRATION , SHOW CATALOG INTEGRATIONS, DESCRIBE CATALOG INTEGRATION

Syntax¶

CREATE [ OR REPLACE ] CATALOG INTEGRATION [ IF NOT EXISTS ] <name>
  CATALOG_SOURCE = ICEBERG_REST
  TABLE_FORMAT = ICEBERG
  CATALOG_NAMESPACE = '<namespace>'
  REST_CONFIG = (
    restConfigParams
  )
  REST_AUTHENTICATION = (
    restAuthenticationParams
  )
  ENABLED = { TRUE | FALSE }
  [ COMMENT = '<string_literal>' ]
Copy

Where:

restConfigParams ::=

  CATALOG_URI = '<rest_api_endpoint_url>'
  REST_PREFIX = '<prefix>'
  WAREHOUSE = '<warehouse_name>'
  CATALOG_API_TYPE = { PUBLIC | AWS_API_GATEWAY | AWS_PRIVATE_API_GATEWAY }
Copy

The restAuthenticationParams are as follows, depending on your authentication method:

OAuth

restAuthenticationParams (for OAuth) ::=

  TYPE = OAUTH
  OAUTH_TOKEN_URI = 'https://<token_server_uri>'
  OAUTH_CLIENT_ID = '<oauth_client_id>'
  OAUTH_CLIENT_SECRET = '<oauth_client_secret>'
  OAUTH_ALLOWED_SCOPES = ('<scope_1>', '<scope_2>')
Copy

Bearer token

restAuthenticationParams (for Bearer token) ::=

  TYPE = BEARER
  BEARER_TOKEN = '<bearer_token>'
Copy

SigV4

restAuthenticationParams (for SigV4) ::=

  TYPE = SIGV4
  SIGV4_IAM_ROLE = '<iam_role_arn>'
  SIGV4_SIGNING_REGION = '<region>'
Copy

Parameters¶

name

String that specifies the identifier (name) for the catalog integration; must be unique in your account.

In addition, the identifier must start with an alphabetic character and cannot contain spaces or special characters unless the entire identifier string is enclosed in double quotes (for example, "My object"). Identifiers enclosed in double quotes are also case-sensitive.

For more information, see Identifier requirements.

CATALOG_SOURCE = ICEBERG_REST

Specifies that the catalog source is a REST catalog that’s compliant with the Apache Iceberg REST specification.

TABLE_FORMAT = ICEBERG

Specifies ICEBERG as the table format supplied by the catalog.

CATALOG_NAMESPACE = 'namespace'

Specifies the namespace in the external catalog. Snowflake uses this namespace for all Iceberg tables that you associated with this catalog integration.

You can override this value by specifying a namespace at the table level when you create a table.

ENABLED = { TRUE | FALSE }

Specifies whether the catalog integration is available to use for Iceberg tables.

  • TRUE allows users to create new Iceberg tables that reference this integration.

  • FALSE prevents users from creating new Iceberg tables that reference this integration.

COMMENT = 'string_literal'

String (literal) that specifies a comment for the integration.

Default: No value

REST configuration parameters (restConfigParams)¶

CATALOG_URI = 'rest_api_endpoint_url'

The endpoint URL for your catalog REST API.

REST_PREFIX

Optionally specifies a prefix to append to all API routes.

WAREHOUSE

Optionally specifies the warehouse location or identifier to request from your remote catalog service.

CATALOG_API_TYPE = { PUBLIC | AWS_API_GATEWAY | AWS_PRIVATE_API_GATEWAY }

Optionally specifies the connection type for the catalog API.

Default: PUBLIC

REST authentication parameters (restAuthenticationParams)¶

OAuth¶

TYPE = OAUTH

Specifies OAuth as the authentication type for Snowflake to use to connect to your Iceberg REST catalog.

OAUTH_TOKEN_URI = token_server_uri

Optional URL for your third-party identity provider. If not specified, Snowflake assumes that the remote catalog provider is the OAuth identity provider.

OAUTH_CLIENT_ID = oauth_client_id

Your OAuth2 client ID.

OAUTH_CLIENT_SECRET = oauth_client_secret

Your OAuth2 client secret.

OAUTH_ALLOWED_SCOPES = ( 'scope_1', 'scope_2' )

The scope of the OAuth token. The Iceberg REST API specification includes only one scope, but catalogs can support more than one scope in their implementation.

Bearer token¶

TYPE = BEARER

Specifies a bearer token as the authentication type for Snowflake to use to connect to your Iceberg REST catalog.

BEARER_TOKEN = bearer_token

The bearer token for your identity provider. You can alternatively specify a personal access token (PAT).

SigV4¶

TYPE = SIGV4

Specifies Signature Version 4 as the authentication type for Snowflake to use to connect to your Iceberg REST catalog.

SIGV4_IAM_ROLE = 'iam_role_arn'

Specifies the Amazon Resource Name (ARN) for an IAM role that has permission to access your REST API in API Gateway.

SIGV4_SIGNING_REGION = 'region'

Optionally specifies the AWS Region associated with your API in API Gateway. If you don’t specify this parameter, Snowflake uses the region in which your Snowflake account is deployed.

Access control requirements¶

A role used to execute this SQL command must have the following privileges at a minimum:

Privilege

Object

Notes

CREATE INTEGRATION

Account

Only the ACCOUNTADMIN role has this privilege by default. The privilege can be granted to additional roles as needed.

For instructions on creating a custom role with a specified set of privileges, see Creating custom roles.

For general information about roles and privilege grants for performing SQL actions on securable objects, see Overview of Access Control.

Usage notes¶

  • Catalog integrations provide read-only access to external Iceberg catalogs.

  • You can’t modify an existing catalog integration; use a CREATE OR REPLACE CATALOG INTEGRATION statement instead.

  • You can’t drop or replace a catalog integration if one or more Iceberg tables are associated with the catalog integration.

    To view the tables that depend on a catalog integration, you can use the SHOW ICEBERG TABLES command and a query using RESULT_SCAN that filters on the catalog_name column.

    Note

    The column identifier (catalog_name) is case-sensitive. Specify the column identifier exactly as it appears in the SHOW ICEBERG TABLES output.

    For example:

    SHOW ICEBERG TABLES;

SELECT * FROM TABLE(
  RESULT_SCAN(
      LAST_QUERY_ID()
    )
  )
  WHERE "catalog_name" = 'my_catalog_integration_1';
    Copy

  • Regarding metadata:

    Attention

    Customers should ensure that no personal data (other than for a User object), sensitive data, export-controlled data, or other regulated data is entered as metadata when using the Snowflake service. For more information, see Metadata fields in Snowflake.

  • CREATE OR REPLACE <object> statements are atomic. That is, when an object is replaced, the old object is deleted and the new object is created in a single transaction.

Examples¶

The following example creates a REST catalog integration that uses OAuth to connect to Tabular.

CREATE OR REPLACE CATALOG INTEGRATION tabular_catalog_int
  CATALOG_SOURCE = ICEBERG_REST
  TABLE_FORMAT = ICEBERG
  CATALOG_NAMESPACE = 'default'
  REST_CONFIG = (
    CATALOG_URI = 'https://api.tabular.io/ws'
    WAREHOUSE = '<tabular_warehouse_name>'
  )
  REST_AUTHENTICATION = (
    TYPE = OAUTH
    OAUTH_TOKEN_URI = 'https://api.tabular.io/ws/v1/oauth/tokens'
    OAUTH_CLIENT_ID = '<oauth_client_id>'
    OAUTH_CLIENT_SECRET = '<oauth_client_secret>'
    OAUTH_ALLOWED_SCOPES = ('catalog')
  )
  ENABLED = TRUE;
Copy
Language: English