CREATE CATALOG INTEGRATION (Apache Iceberg™ REST)

Creates a new catalog integration in the account or replaces an existing catalog integration for Apache Iceberg™ tables managed in a remote catalog that complies with the open source Apache Iceberg™ REST OpenAPI specification.

Note

To create an integration for Snowflake Open Catalog, see CREATE CATALOG INTEGRATION (Snowflake Open Catalog) instead.

See also:

ALTER CATALOG INTEGRATION, DROP CATALOG INTEGRATION, SHOW CATALOG INTEGRATIONS, DESCRIBE CATALOG INTEGRATION

Syntax

CREATE [ OR REPLACE ] CATALOG INTEGRATION [ IF NOT EXISTS ] <name>
  CATALOG_SOURCE = ICEBERG_REST
  TABLE_FORMAT = ICEBERG
  CATALOG_NAMESPACE = '<namespace>'
  REST_CONFIG = (
    restConfigParams
  )
  REST_AUTHENTICATION = (
    restAuthenticationParams
  )
  ENABLED = { TRUE | FALSE }
  [ REFRESH_INTERVAL_SECONDS = <value> ]
  [ COMMENT = '<string_literal>' ]

Where:

restConfigParams ::=

  CATALOG_URI = '<rest_api_endpoint_url>'
  [ PREFIX = '<prefix>' ]
  [ WAREHOUSE = '<warehouse_name>' ]
  [ CATALOG_API_TYPE = { PUBLIC | AWS_API_GATEWAY | AWS_PRIVATE_API_GATEWAY | AWS_GLUE } ]

The restAuthenticationParams are as follows, depending on your authentication method:

OAuth

restAuthenticationParams (for OAuth) ::=

  TYPE = OAUTH
  [ OAUTH_TOKEN_URI = 'https://<token_server_uri>' ]
  OAUTH_CLIENT_ID = '<oauth_client_id>'
  OAUTH_CLIENT_SECRET = '<oauth_client_secret>'
  OAUTH_ALLOWED_SCOPES = ('<scope_1>', '<scope_2>')

Bearer token

restAuthenticationParams (for Bearer token) ::=

  TYPE = BEARER
  BEARER_TOKEN = '<bearer_token>'

SigV4

restAuthenticationParams (for SigV4) ::=

  TYPE = SIGV4
  SIGV4_IAM_ROLE = '<iam_role_arn>'
  [ SIGV4_SIGNING_REGION = '<region>' ]
  [ SIGV4_EXTERNAL_ID = '<external_id>' ]

Parameters

name

String that specifies the identifier (name) for the catalog integration; must be unique in your account.

In addition, the identifier must start with an alphabetic character and cannot contain spaces or special characters unless the entire identifier string is enclosed in double quotes (for example, "My object"). Identifiers enclosed in double quotes are also case-sensitive.

For more information, see Identifier requirements.

CATALOG_SOURCE = ICEBERG_REST

Specifies that the catalog source is a REST catalog that’s compliant with the Apache Iceberg REST specification.

TABLE_FORMAT = ICEBERG

Specifies ICEBERG as the table format supplied by the catalog.

CATALOG_NAMESPACE = 'namespace'

Specifies the namespace in the external catalog. Snowflake uses this namespace for all Iceberg tables that you associate with this catalog integration.

You can override this value by specifying a namespace at the table level using the CATALOG_NAMESPACE parameter for CREATE ICEBERG TABLE (Iceberg REST catalog).

ENABLED = { TRUE | FALSE }

Specifies whether the catalog integration is available to use for Iceberg tables.

  • TRUE allows users to create new Iceberg tables that reference this integration.

  • FALSE prevents users from creating new Iceberg tables that reference this integration.

REFRESH_INTERVAL_SECONDS = value

Specifies the number of seconds that Snowflake waits between attempts to poll the external Iceberg catalog for metadata updates for automated refresh.

Values: 30 to 86400, inclusive

Default: 30 seconds

COMMENT = 'string_literal'

String (literal) that specifies a comment for the integration.

Default: No value

REST configuration parameters (restConfigParams)

CATALOG_URI = 'rest_api_endpoint_url'

The endpoint URL for your catalog REST API. For AWS Glue REST, specify the service endpoint for the AWS Glue Iceberg REST catalog.

PREFIX

Optionally specifies a prefix to append to all API routes.

CATALOG_API_TYPE = { PUBLIC | AWS_API_GATEWAY | AWS_PRIVATE_API_GATEWAY | AWS_GLUE }

Specifies the connection type for the catalog API. Required for SigV4 authentication; otherwise, this parameter is optional.

  • PUBLIC specifies an API that is publicly accessible and isn’t managed using Amazon API Gateway; used for non-SigV4 APIs.

  • AWS_API_GATEWAY specifies a public API managed using Amazon API Gateway.

  • AWS_PRIVATE_API_GATEWAY specifies a private API managed using Amazon API Gateway.

  • AWS_GLUE specifies the AWS Glue REST catalog. With this option, you must also specify a value for WAREHOUSE.

Default: PUBLIC

WAREHOUSE

Specifies the warehouse location (catalog) or identifier to request from your remote catalog service.

When you use CATALOG_API_TYPE = AWS_GLUE, specify the ID of your AWS account for this parameter.

This parameter is required by some third-party catalog services. Check with your catalog provider to determine whether you must specify a warehouse.

REST authentication parameters (restAuthenticationParams)

OAuth

TYPE = OAUTH

Specifies OAuth as the authentication type for Snowflake to use to connect to your Iceberg REST catalog.

OAUTH_TOKEN_URI = token_server_uri

Optional URL for your third-party identity provider. If not specified, Snowflake assumes that the remote catalog provider is the OAuth identity provider.

OAUTH_CLIENT_ID = oauth_client_id

Your OAuth2 client ID.

OAUTH_CLIENT_SECRET = oauth_client_secret

Your OAuth2 client secret.

OAUTH_ALLOWED_SCOPES = ( 'scope_1', 'scope_2' )

The scope of the OAuth token. The Iceberg REST API specification includes only one scope, but catalogs can support more than one scope in their implementation.

Bearer token

TYPE = BEARER

Specifies a bearer token as the authentication type for Snowflake to use to connect to your Iceberg REST catalog.

BEARER_TOKEN = bearer_token

The bearer token for your identity provider. You can alternatively specify a personal access token (PAT).

SigV4

TYPE = SIGV4

Specifies Signature Version 4 as the authentication type for Snowflake to use to connect to your Iceberg REST catalog.

SIGV4_IAM_ROLE = 'iam_role_arn'

Specifies the Amazon Resource Name (ARN) for an IAM role that has permission to access your REST API in API Gateway.

SIGV4_SIGNING_REGION = 'region'

Optionally specifies the AWS Region associated with your API in API Gateway. If you don’t specify this parameter, Snowflake uses the region in which your Snowflake account is deployed.

SIGV4_EXTERNAL_ID = 'external_id'

Optionally specifies an external ID that Snowflake uses to establish a trust relationship with AWS. You must specify the same external ID in the trust policy of the IAM role that you configured for this catalog integration.

If you don’t specify a value for this parameter, Snowflake automatically generates a unique external ID when you create (or replace) a catalog integration.

For more information about external IDs, see How to use an external ID when granting access to your AWS resources to a third party.
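Because an omitted SIGV4_EXTERNAL_ID is regenerated on every create or replace, setting it explicitly keeps the IAM role's trust policy valid across CREATE OR REPLACE. The following is an added example, not part of the original documentation: the external ID value is a constructed placeholder, and the "property" and "property_value" column names in the DESCRIBE output are an assumption.

```sql
-- Added example. The external ID is a constructed placeholder; the role ARN,
-- region and account ID repeat the sample values used elsewhere on this page.
CREATE OR REPLACE CATALOG INTEGRATION glue_rest_catalog_int
  CATALOG_SOURCE = ICEBERG_REST
  TABLE_FORMAT = ICEBERG
  CATALOG_NAMESPACE = 'rest_catalog_integration'
  REST_CONFIG = (
    CATALOG_URI = 'https://glue.us-west-2.amazonaws.com/iceberg'
    CATALOG_API_TYPE = AWS_GLUE          -- required for SigV4
    WAREHOUSE = '123456789012'           -- AWS account ID when using AWS_GLUE
  )
  REST_AUTHENTICATION = (
    TYPE = SIGV4
    SIGV4_IAM_ROLE = 'arn:aws:iam::123456789012:role/my-role'
    SIGV4_SIGNING_REGION = 'us-west-2'
    -- Pinned so that a later CREATE OR REPLACE does not rotate the value
    -- that the IAM trust policy depends on.
    SIGV4_EXTERNAL_ID = 'example_external_id_placeholder'
  )
  ENABLED = TRUE;

-- Read back what Snowflake stored, to compare against the trust policy.
DESCRIBE CATALOG INTEGRATION glue_rest_catalog_int;

-- Assumption: the DESCRIBE output exposes "property" and "property_value" columns.
SELECT "property", "property_value"
  FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
  WHERE "property" ILIKE '%EXTERNAL_ID%'
     OR "property" ILIKE '%IAM_ROLE%';

-- The trust policy of the IAM role must require the same external ID, e.g.:
--   "Condition": { "StringEquals":
--       { "sts:ExternalId": "example_external_id_placeholder" } }
```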

Access control requirements

A role used to execute this SQL command must have the following privileges at a minimum:

| Privilege | Object | Notes |
| --- | --- | --- |
| CREATE INTEGRATION | Account | Only the ACCOUNTADMIN role has this privilege by default. The privilege can be granted to additional roles as needed. |

For instructions on creating a custom role with a specified set of privileges, see Creating custom roles.

For general information about roles and privilege grants for performing SQL actions on securable objects, see Overview of Access Control.
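One way to meet these requirements without routine use of ACCOUNTADMIN, as an added example that is not part of the original documentation: the roles catalog_int_admin and iceberg_table_owner and the user integration_operator are hypothetical names, iceberg_table_owner is assumed to exist already, and glue_rest_catalog_int is the integration from the Examples section.

```sql
-- Added example; role and user names are hypothetical.
USE ROLE ACCOUNTADMIN;

-- Dedicated role for creating integrations. Note that CREATE INTEGRATION
-- is an account-level privilege and is not limited to catalog integrations,
-- so grant this role to as few users as possible.
CREATE ROLE IF NOT EXISTS catalog_int_admin;
GRANT CREATE INTEGRATION ON ACCOUNT TO ROLE catalog_int_admin;
GRANT ROLE catalog_int_admin TO USER integration_operator;

-- Run as the role that owns the integration, after it has been created:
-- roles that create Iceberg tables need only USAGE on the integration.
USE ROLE catalog_int_admin;
GRANT USAGE ON INTEGRATION glue_rest_catalog_int TO ROLE iceberg_table_owner;

-- Periodic review: which roles currently hold CREATE INTEGRATION?
USE ROLE ACCOUNTADMIN;
SHOW GRANTS ON ACCOUNT;

SELECT "grantee_name", "granted_by", "created_on"
  FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
  WHERE "privilege" = 'CREATE INTEGRATION';
```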

Usage notes

  • Catalog integrations provide read-only access to external Iceberg catalogs.

  • You can’t modify an existing catalog integration; use a CREATE OR REPLACE CATALOG INTEGRATION statement instead.

  • You can’t drop or replace a catalog integration if one or more Apache Iceberg™ tables are associated with the catalog integration.

    To view the tables that depend on a catalog integration, you can use the SHOW ICEBERG TABLES command and a query using RESULT_SCAN that filters on the catalog_name column.

    Note

    The column identifier (catalog_name) is case-sensitive. Specify the column identifier exactly as it appears in the SHOW ICEBERG TABLES output.

    For example:

    SHOW ICEBERG TABLES;
    
    SELECT * FROM TABLE(
      RESULT_SCAN(
          LAST_QUERY_ID()
        )
      )
      WHERE "catalog_name" = 'my_catalog_integration_1';
    
  • Regarding metadata:

    Attention

    Customers should ensure that no personal data (other than for a User object), sensitive data, export-controlled data, or other regulated data is entered as metadata when using the Snowflake service. For more information, see Metadata fields in Snowflake.

  • CREATE OR REPLACE <object> statements are atomic. That is, when an object is replaced, the old object is deleted and the new object is created in a single transaction.

Examples

The following example creates a REST catalog integration that uses OAuth to connect to Tabular. It sets a default namespace using the CATALOG_NAMESPACE parameter.

To override the default namespace at the table level, use the CATALOG_NAMESPACE parameter for CREATE ICEBERG TABLE.

CREATE OR REPLACE CATALOG INTEGRATION tabular_catalog_int
  CATALOG_SOURCE = ICEBERG_REST
  TABLE_FORMAT = ICEBERG
  CATALOG_NAMESPACE = 'default'
  REST_CONFIG = (
    CATALOG_URI = 'https://api.tabular.io/ws'
    WAREHOUSE = '<tabular_warehouse_name>'
  )
  REST_AUTHENTICATION = (
    TYPE = OAUTH
    OAUTH_TOKEN_URI = 'https://api.tabular.io/ws/v1/oauth/tokens'
    OAUTH_CLIENT_ID = '<oauth_client_id>'
    OAUTH_CLIENT_SECRET = '<oauth_client_secret>'
    OAUTH_ALLOWED_SCOPES = ('catalog')
  )
  ENABLED = TRUE;

Create a catalog integration for AWS Glue REST with SigV4 authentication:

CREATE CATALOG INTEGRATION glue_rest_catalog_int
  CATALOG_SOURCE = ICEBERG_REST
  TABLE_FORMAT = ICEBERG
  CATALOG_NAMESPACE = 'rest_catalog_integration'
  REST_CONFIG = (
    CATALOG_URI = 'https://glue.us-west-2.amazonaws.com/iceberg'
    CATALOG_API_TYPE = AWS_GLUE
    WAREHOUSE = '123456789012'
  )
  REST_AUTHENTICATION = (
    TYPE = SIGV4
    SIGV4_IAM_ROLE = 'arn:aws:iam::123456789012:role/my-role'
    SIGV4_SIGNING_REGION = 'us-west-2'
  )
  ENABLED = TRUE;

For examples that cover the other authentication options, see Configure a catalog integration for Apache Iceberg™ REST catalogs.