Use catalog-vended credentials for Apache Iceberg™ tables

Vended credential support for Iceberg tables lets you give Snowflake access to your table data and metadata in cloud storage without using an external volume.

Instead, you configure and delegate access control with your third-party Iceberg REST catalog (such as Snowflake Open Catalog), then create a catalog integration in Snowflake configured for vended credentials. For any Iceberg table associated with the catalog integration, Snowflake uses credentials vended by your catalog provider to securely connect to your external cloud storage.

Note

Using catalog-vended credentials is supported for externally managed Iceberg tables that use a REST catalog integration and store their files in Amazon S3. To use this feature, your external catalog must also support credential vending.

Considerations

Consider the following when you use catalog-vended credentials for Iceberg tables:

  • This feature is supported only for tables that store their data and metadata in Amazon S3.

  • Table files must be stored in a single bucket; they can’t be spread across multiple buckets.

  • The service principal configured with your REST catalog must have permission to read from all of the locations that contain your table files in your bucket.

  • Snowflake expects your catalog to provide an expiration time for vended credentials, and looks for a key-value pair where the key is expiration-time, and the value is a timestamp that specifies the expiration time in milliseconds (for example, 1730234407000).

    If your catalog doesn’t provide an expiration time, Snowflake assumes that the credentials expire 60 minutes after receipt.

  • Table creation fails if your catalog provides invalid credentials.
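The rules in the list above (the expiration-time key in epoch milliseconds, the 60-minute fallback when it is absent, the single-bucket requirement, and rejection of unusable credentials) can be checked against a catalog's response before any credential is trusted. The following Python is an added example written for this page, not Snowflake's implementation. It assumes the catalog returns a LoadTable-style JSON document whose config map carries the vended credentials under the Iceberg REST keys s3.access-key-id, s3.secret-access-key and s3.session-token (key names assumed), and the sample response and file paths are constructed.

```python
"""Added example (not Snowflake's code): validate a credential-vending
response the way the considerations above describe.

Assumptions: the catalog returns a LoadTable-style JSON document whose
``config`` map carries the vended S3 credentials under the Iceberg REST
keys ``s3.access-key-id``, ``s3.secret-access-key`` and
``s3.session-token`` (key names assumed), plus the ``expiration-time``
key described on this page (epoch milliseconds). Data file locations
are supplied by the caller.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Lifetime assumed when the catalog sends no expiration-time (60 minutes).
DEFAULT_TTL = timedelta(minutes=60)


@dataclass(frozen=True)
class VendedCredentials:
    access_key_id: str
    secret_access_key: str
    session_token: str
    expires_at: datetime
    bucket: str


def credential_expiry(config: dict, received_at: datetime) -> datetime:
    """Use expiration-time (ms since epoch) if present, else received_at + 60 min."""
    raw = config.get("expiration-time")
    if raw is None:
        return received_at + DEFAULT_TTL
    return datetime.fromtimestamp(int(raw) / 1000, tz=timezone.utc)


def single_bucket(locations) -> str:
    """All table files must live in one S3 bucket; raise otherwise."""
    buckets = set()
    for loc in locations:
        parsed = urlparse(loc)
        if parsed.scheme not in ("s3", "s3a"):
            raise ValueError(f"unsupported storage location: {loc}")
        buckets.add(parsed.netloc)
    if len(buckets) != 1:
        raise ValueError(f"table files span multiple buckets: {sorted(buckets)}")
    return buckets.pop()


def parse_vended_response(body: str, data_files, received_at: datetime) -> VendedCredentials:
    """Extract and validate vended credentials; raise ValueError if unusable."""
    doc = json.loads(body)
    config = doc.get("config", {})
    try:
        creds = VendedCredentials(
            access_key_id=config["s3.access-key-id"],
            secret_access_key=config["s3.secret-access-key"],
            session_token=config["s3.session-token"],
            expires_at=credential_expiry(config, received_at),
            bucket=single_bucket([doc["metadata-location"], *data_files]),
        )
    except KeyError as missing:
        raise ValueError(f"catalog response lacks {missing}") from None
    if creds.expires_at <= received_at:
        raise ValueError("catalog vended already-expired credentials")
    return creds


# Constructed sample, not a real catalog reply. The expiration-time value
# is the one quoted on this page (1730234407000 = 2024-10-29T20:40:07Z).
SAMPLE_RESPONSE = json.dumps({
    "metadata-location": "s3://my-table-bucket/warehouse/my_table/metadata/v3.metadata.json",
    "config": {
        "s3.access-key-id": "ASIAEXAMPLE",
        "s3.secret-access-key": "example-secret",
        "s3.session-token": "example-session-token",
        "expiration-time": 1730234407000,
    },
})
SAMPLE_DATA_FILES = [
    "s3://my-table-bucket/warehouse/my_table/data/part-0.parquet",
    "s3://my-table-bucket/warehouse/my_table/data/part-1.parquet",
]
RECEIVED_AT = datetime(2024, 10, 29, 20, 0, tzinfo=timezone.utc)


if __name__ == "__main__":
    creds = parse_vended_response(SAMPLE_RESPONSE, SAMPLE_DATA_FILES, RECEIVED_AT)
    print(f"bucket={creds.bucket} expires_at={creds.expires_at.isoformat()}")
```

A missing expiration-time does not fail the parse; it silently yields a 60-minute lifetime, which is the behavior the page attributes to Snowflake, so a catalog that intends a shorter lifetime must send the key explicitly. Files in a second bucket and credentials that are already expired are rejected outright.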

Create a catalog integration for vended credentials

To create a catalog integration for vended credentials, use the CREATE CATALOG INTEGRATION (Apache Iceberg™ REST) command with the ACCESS_DELEGATION_MODE parameter set to VENDED_CREDENTIALS.

Where:

ACCESS_DELEGATION_MODE = {VENDED_CREDENTIALS | EXTERNAL_VOLUME_CREDENTIALS}

Specifies the access delegation mode to use for accessing Iceberg table files in your external cloud storage.

  • VENDED_CREDENTIALS specifies that Snowflake should use vended credentials.

  • EXTERNAL_VOLUME_CREDENTIALS specifies that Snowflake should use an external volume.

Default: EXTERNAL_VOLUME_CREDENTIALS

For more information about creating a REST catalog integration, see Configure a catalog integration for Apache Iceberg™ REST catalogs or Configure a catalog integration for Snowflake Open Catalog.

Example: Snowflake Open Catalog

The following example creates a catalog integration for Snowflake Open Catalog using vended credentials:

CREATE OR REPLACE CATALOG INTEGRATION open_catalog_int_vended_credentials
  CATALOG_SOURCE = POLARIS
  TABLE_FORMAT = ICEBERG
  CATALOG_NAMESPACE = 'my-namespace'
  REST_CONFIG = (
    CATALOG_URI = 'https://myrestapi.com/polaris/api/catalog'
    CATALOG_NAME = 'my_catalog_name'
    ACCESS_DELEGATION_MODE = VENDED_CREDENTIALS
  )
  REST_AUTHENTICATION = (
    TYPE = OAUTH
    OAUTH_CLIENT_ID = 'my_client_id'
    OAUTH_CLIENT_SECRET = 'my_client_secret'
    OAUTH_ALLOWED_SCOPES = ('PRINCIPAL_ROLE:ALL')
  )
  ENABLED = TRUE;

Example: SigV4 and Amazon API Gateway

This example creates a catalog integration that uses SigV4 authentication with vended credentials:

CREATE OR REPLACE CATALOG INTEGRATION my_rest_catalog_integration
  CATALOG_SOURCE = ICEBERG_REST
  TABLE_FORMAT = ICEBERG
  CATALOG_NAMESPACE = 'my_namespace'
  REST_CONFIG = (
    CATALOG_URI = 'https://asdlkfjwoalk-execute-api.us-west-2-amazonaws.com/MyApiStage'
    ACCESS_DELEGATION_MODE = VENDED_CREDENTIALS
  )
  REST_AUTHENTICATION = (
    TYPE = SIGV4
    SIGV4_IAM_ROLE = 'arn:aws:iam::123456789012:role/my_api_permissions_role'
  )
  ENABLED = TRUE;

Example: Amazon S3 Tables

This example creates a catalog integration for Amazon S3 Tables, using SigV4 authentication with credential vending enabled through AWS Lake Formation:

CREATE OR REPLACE CATALOG INTEGRATION my_s3_tables_catalog_integration
  CATALOG_SOURCE = ICEBERG_REST
  TABLE_FORMAT = ICEBERG
  CATALOG_NAMESPACE = 'my_namespace'
  REST_CONFIG = (
    CATALOG_URI = 'https://glue.us-west-2.amazonaws.com/iceberg'
    CATALOG_API_TYPE = AWS_GLUE
    CATALOG_NAME = '123456789012:S3tablescatalog/my_table_bucket'
    ACCESS_DELEGATION_MODE = VENDED_CREDENTIALS
  )
  REST_AUTHENTICATION = (
    TYPE = SIGV4
    SIGV4_IAM_ROLE = 'arn:aws:iam::123456789012:role/my_api_permissions_role'
  )
  ENABLED = TRUE;

Where:

CATALOG_URI = 'https://glue.us-west-2.amazonaws.com/iceberg'

Specifies the AWS Glue Iceberg REST endpoint.

CATALOG_NAME = 'aws_account_id:s3tablescatalog/s3_table_bucket'

Specifies an S3 table bucket in your AWS account.

Create an Iceberg table that uses vended credentials

After you set up access control with your third-party Iceberg REST catalog and create a catalog integration for vended credentials, you can create an Iceberg table.

When you create an Iceberg table that uses vended credentials, you must specify a catalog integration configured with ACCESS_DELEGATION_MODE = VENDED_CREDENTIALS and omit the EXTERNAL_VOLUME parameter from the CREATE ICEBERG TABLE (Iceberg REST catalog) statement.

For example:

CREATE ICEBERG TABLE my_iceberg_table
  CATALOG = open_catalog_int_vended_credentials
  CATALOG_TABLE_NAME = 'my_table';

Note

If you’ve set a default external volume at the account, database, or schema level, Snowflake ignores the default external volume during table creation as long as you specify a catalog integration configured to use vended credentials.