CREATE CATALOG INTEGRATION (Apache Iceberg™ REST)¶

Creates a new catalog integration in the account or replaces an existing catalog integration for Apache Iceberg™ tables managed in a remote catalog that complies with the open source Apache Iceberg™ REST OpenAPI specification.

Note

To create an integration for Snowflake Open Catalog, see CREATE CATALOG INTEGRATION (Snowflake Open Catalog) instead.

See also:: ALTER CATALOG INTEGRATION , DROP CATALOG INTEGRATION , SHOW CATALOG INTEGRATIONS, DESCRIBE CATALOG INTEGRATION

Syntax¶

CREATE [ OR REPLACE ] CATALOG INTEGRATION [ IF NOT EXISTS ] <name>
  CATALOG_SOURCE = ICEBERG_REST
  TABLE_FORMAT = ICEBERG
  CATALOG_NAMESPACE = '<namespace>'
  REST_CONFIG = (
    restConfigParams
  )
  REST_AUTHENTICATION = (
    restAuthenticationParams
  )
  ENABLED = { TRUE | FALSE }
  [ REFRESH_INTERVAL_SECONDS = <value> ]
  [ COMMENT = '<string_literal>' ]

Copy

Where:

restConfigParams ::=

  CATALOG_URI = '<rest_api_endpoint_url>'
  PREFIX = '<prefix>'
  WAREHOUSE = '<warehouse_name>'
  CATALOG_API_TYPE = { PUBLIC | AWS_API_GATEWAY | AWS_PRIVATE_API_GATEWAY }

Copy

The restAuthenticationParams are as follows, depending on your authentication method:

OAuth

restAuthenticationParams (for OAuth) ::=

  TYPE = OAUTH
  OAUTH_TOKEN_URI = 'https://<token_server_uri>'
  OAUTH_CLIENT_ID = '<oauth_client_id>'
  OAUTH_CLIENT_SECRET = '<oauth_client_secret>'
  OAUTH_ALLOWED_SCOPES = ('<scope_1>', '<scope_2>')

Copy

Bearer token

restAuthenticationParams (for Bearer token) ::=

  TYPE = BEARER
  BEARER_TOKEN = '<bearer_token>'

Copy

SigV4

restAuthenticationParams (for SigV4) ::=

  TYPE = SIGV4
  SIGV4_IAM_ROLE = '<iam_role_arn>'
  SIGV4_SIGNING_REGION = '<region>'

Copy

Parameters¶

name

String that specifies the identifier (name) for the catalog integration; must be unique in your account.

In addition, the identifier must start with an alphabetic character and cannot contain spaces or special characters unless the entire identifier string is enclosed in double quotes (for example, "My object"). Identifiers enclosed in double quotes are also case-sensitive.

For more information, see Identifier requirements.

CATALOG_SOURCE = ICEBERG_REST

Specifies that the catalog source is a REST catalog that’s compliant with the Apache Iceberg REST specification.

TABLE_FORMAT = ICEBERG

Specifies ICEBERG as the table format supplied by the catalog.

CATALOG_NAMESPACE = 'namespace'

Specifies the namespace in the external catalog. Snowflake uses this namespace for all Iceberg tables that you associated with this catalog integration.

You can override this value by specifying a namespace at the table level when you create a table.

ENABLED = { TRUE | FALSE }

Specifies whether the catalog integration is available to use for Iceberg tables.

TRUE allows users to create new Iceberg tables that reference this integration.

FALSE prevents users from creating new Iceberg tables that reference this integration.

REFRESH_INTERVAL_SECONDS = value

Specifies the number of seconds that Snowflake waits between attempts to poll the external Iceberg catalog for metadata updates for automated refresh.

Values: 30 to 86400, inclusive

Default: 30 seconds

COMMENT = 'string_literal'

String (literal) that specifies a comment for the integration.

Default: No value

REST configuration parameters (restConfigParams)¶

CATALOG_URI = 'rest_api_endpoint_url'

The endpoint URL for your catalog REST API.

PREFIX

Optionally specifies a prefix to append to all API routes.

WAREHOUSE

Optionally specifies the warehouse location or identifier to request from your remote catalog service.

CATALOG_API_TYPE = { PUBLIC | AWS_API_GATEWAY | AWS_PRIVATE_API_GATEWAY }

Specifies the connection type for the catalog API. Required for SigV4 authentication; otherwise, this parameter is optional.

PUBLIC specifies an API that is publicly accessible and isn’t managed using AWS API Gateway; used for non-SigV4 APIs.
AWS_API_GATEWAY specifies a public API managed using AWS API Gateway.
AWS_PRIVATE_API_GATEWAY specifies a private API managed using AWS API Gateway.

Default: PUBLIC

REST authentication parameters (restAuthenticationParams)¶

OAuth¶

TYPE = OAUTH: Specifies OAuth as the authentication type for Snowflake to use to connect to your Iceberg REST catalog.
OAUTH_TOKEN_URI = token_server_uri: Optional URL for your third-party identity provider. If not specified, Snowflake assumes that the remote catalog provider is the OAuth identity provider.
OAUTH_CLIENT_ID = oauth_client_id: Your OAuth2 client ID.
OAUTH_CLIENT_SECRET = oauth_client_secret: Your OAuth2 client secret.
OAUTH_ALLOWED_SCOPES = ( 'scope_1', 'scope_2' ): The scope of the OAuth token. The Iceberg REST API specification includes only one scope, but catalogs can support more than one scope in their implementation.

Bearer token¶

TYPE = BEARER: Specifies a bearer token as the authentication type for Snowflake to use to connect to your Iceberg REST catalog.
BEARER_TOKEN = bearer_token: The bearer token for your identity provider. You can alternatively specify a personal access token (PAT).

SigV4¶

TYPE = SIGV4: Specifies Signature Version 4 as the authentication type for Snowflake to use to connect to your Iceberg REST catalog.
SIGV4_IAM_ROLE = 'iam_role_arn': Specifies the Amazon Resource Name (ARN) for an IAM role that has permission to access your REST API in API Gateway.
SIGV4_SIGNING_REGION = 'region': Optionally specifies the AWS Region associated with your API in API Gateway. If you don’t specify this parameter, Snowflake uses the region in which your Snowflake account is deployed.

Access control requirements¶

A role used to execute this SQL command must have the following privileges at a minimum:

Privilege	Object	Notes
CREATE INTEGRATION	Account	Only the ACCOUNTADMIN role has this privilege by default. The privilege can be granted to additional roles as needed.

For instructions on creating a custom role with a specified set of privileges, see Creating custom roles.

For general information about roles and privilege grants for performing SQL actions on securable objects, see Overview of Access Control.

Usage notes¶

Catalog integrations provide read-only access to external Iceberg catalogs.
You can’t modify an existing catalog integration; use a CREATE OR REPLACE CATALOG INTEGRATION statement instead.
You can’t drop or replace a catalog integration if one or more Apache Iceberg™ tables are associated with the catalog integration.

To view the tables that depend on a catalog integration, you can use the SHOW ICEBERG TABLES command and a query using RESULT_SCAN that filters on the catalog_name column.

Note

The column identifier (catalog_name) is case-sensitive. Specify the column identifier exactly as it appears in the SHOW ICEBERG TABLES output.

For example:
```
SHOW ICEBERG TABLES;

SELECT * FROM TABLE(
  RESULT_SCAN(
      LAST_QUERY_ID()
    )
  )
  WHERE "catalog_name" = 'my_catalog_integration_1';
```
Copy
Regarding metadata:

Attention

Customers should ensure that no personal data (other than for a User object), sensitive data, export-controlled data, or other regulated data is entered as metadata when using the Snowflake service. For more information, see Metadata fields in Snowflake.
CREATE OR REPLACE <object> statements are atomic. That is, when an object is replaced, the old object is deleted and the new object is created in a single transaction.

Examples¶

The following example creates a REST catalog integration that uses OAuth to connect to Tabular.

CREATE OR REPLACE CATALOG INTEGRATION tabular_catalog_int
  CATALOG_SOURCE = ICEBERG_REST
  TABLE_FORMAT = ICEBERG
  CATALOG_NAMESPACE = 'default'
  REST_CONFIG = (
    CATALOG_URI = 'https://api.tabular.io/ws'
    WAREHOUSE = '<tabular_warehouse_name>'
  )
  REST_AUTHENTICATION = (
    TYPE = OAUTH
    OAUTH_TOKEN_URI = 'https://api.tabular.io/ws/v1/oauth/tokens'
    OAUTH_CLIENT_ID = '<oauth_client_id>'
    OAUTH_CLIENT_SECRET = '<oauth_client_secret>'
    OAUTH_ALLOWED_SCOPES = ('catalog')
  )
  ENABLED = TRUE;

Copy