Configure an external volume for Azure

This topic covers how to grant Snowflake restricted access to your own Microsoft Azure container using an external volume. Snowflake supports the following Azure cloud storage services for external volumes:

  • Blob storage

  • Data Lake Storage Gen2

  • General-purpose v1

  • General-purpose v2

An administrator in your organization grants the Snowflake service principal the required permissions in your Azure account.

Note

  • Completing the instructions in this topic requires permissions in Azure to create and manage IAM policies and roles. If you are not an Azure administrator, ask your Azure administrator to perform these tasks.

  • To support data recovery, enable versioning for your external cloud storage location.

Step 1: Create an external volume in Snowflake

Create an external volume using the CREATE EXTERNAL VOLUME command.

Note

Only account administrators (users with the ACCOUNTADMIN role) can execute this SQL command.

The following example creates an external volume that defines an Azure storage location with encryption:

CREATE EXTERNAL VOLUME exvol
  STORAGE_LOCATIONS =
    (
      (
        NAME = 'my-azure-northeurope'
        STORAGE_PROVIDER = 'AZURE'
        STORAGE_BASE_URL = 'azure://exampleacct.blob.core.windows.net/my_container_northeurope/'
        AZURE_TENANT_ID = 'a123b4c5-1234-123a-a12b-1a23b45678c9'
      )
    );

Note

Use the azure:// prefix and not https:// when specifying a value for STORAGE_BASE_URL.

Step 2: Grant Snowflake access to the storage location

  1. To retrieve a URL to the Microsoft permissions request page, use the DESCRIBE EXTERNAL VOLUME command. Specify the name of the external volume that you created previously.

    DESC EXTERNAL VOLUME exvol;

    Record the values for the following properties:

    Property                       Description
    AZURE_CONSENT_URL              URL to the Microsoft permissions request page.
    AZURE_MULTI_TENANT_APP_NAME    Name of the Snowflake client application created for your account.
                                   In a later step in this section, you grant this application
                                   permission to obtain an access token on your allowed storage location.

    You use these values in the following steps.

  2. In a web browser, navigate to the Microsoft permissions request page (the AZURE_CONSENT_URL).

  3. Select Accept. This action allows the Azure service principal created for your Snowflake account to obtain an access token on any resource inside your tenant. Obtaining an access token succeeds only if you grant the service principal the appropriate permissions on the container (see the next step).

    The Microsoft permissions request page redirects to the Snowflake corporate site (snowflake.com).

  4. Log in to the Microsoft Azure portal.

  5. Go to Azure Services » Storage Accounts. Select the name of the storage account that the Snowflake service principal needs to access.

    Note

    You must set IAM permissions for an external volume at the storage account level, not the container level.

  6. Select Access Control (IAM) » Add role assignment.

  7. Select the Storage Blob Data Contributor role to grant read and write access to the Snowflake service principal.

    Note

    The Storage Blob Data Contributor role grants write access to the external volume location. To completely configure write access, set the ALLOW_WRITES parameter of the external volume to TRUE (the default value).

  8. Search for the Snowflake service principal. This is the identity in the AZURE_MULTI_TENANT_APP_NAME property in the DESC EXTERNAL VOLUME output (from step 1 of this section). Search for the string before the underscore in the AZURE_MULTI_TENANT_APP_NAME property.

    Important

    • It can take an hour or longer for Azure to create the Snowflake service principal requested through the Microsoft request page in this section. If the service principal is not available immediately, wait an hour or two and then search again.

    • If you delete the service principal, the external volume stops working.

    (Screenshot: Add role assignment in Azure Storage Console)

  9. Select Review + assign.

    Note

    It can take up to 10 minutes for changes to take effect when you assign a role. For more information, see Symptom - Role assignment changes are not being detected in the Microsoft Azure documentation.

Note

To verify that your permissions are configured correctly, create an Iceberg table using this external volume. Snowflake doesn’t verify that your permissions are set correctly until you create an Iceberg table that references this external volume.
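The following script is an added example, not part of the Snowflake documentation page, that runs the Snowflake side of this procedure end to end: it creates the external volume from Step 1 with ALLOW_WRITES stated explicitly, pulls AZURE_CONSENT_URL and AZURE_MULTI_TENANT_APP_NAME out of the DESC output with RESULT_SCAN instead of copying them by hand, and finishes with the verification the note above describes (an Iceberg table that references the volume). The volume name exvol_azure, the storage account exampleacct, the container, the tenant ID and the probe table iceberg_perm_check are placeholders; the assumption that DESC EXTERNAL VOLUME returns the Azure values as JSON in the property_value column of the STORAGE_LOCATIONS rows is mine, so adjust the SELECT if your output layout differs.

```sql
-- Added example (not from the Snowflake documentation page). exvol_azure,
-- exampleacct, my_container_northeurope, the tenant ID and iceberg_perm_check
-- are placeholders; replace them with your own values.

USE ROLE ACCOUNTADMIN;   -- only ACCOUNTADMIN can create an external volume

-- Step 1: define the Azure storage location. ALLOW_WRITES defaults to TRUE;
-- stating it explicitly keeps the intended access mode visible in the DDL
-- (set it to FALSE for a read-only volume even if the Azure role allows writes).
CREATE EXTERNAL VOLUME exvol_azure
  STORAGE_LOCATIONS =
    (
      (
        NAME = 'my-azure-northeurope'
        STORAGE_PROVIDER = 'AZURE'
        STORAGE_BASE_URL = 'azure://exampleacct.blob.core.windows.net/my_container_northeurope/'
        AZURE_TENANT_ID = '00000000-0000-0000-0000-000000000000'  -- placeholder tenant ID
      )
    )
  ALLOW_WRITES = TRUE;

-- Step 2, part 1: read the consent URL and the multi-tenant app name.
-- RESULT_SCAN(LAST_QUERY_ID()) exposes the DESC result as a table.
-- Assumption: the Azure values are JSON inside property_value on the
-- STORAGE_LOCATIONS rows; TRY_PARSE_JSON yields NULL for non-JSON rows.
DESC EXTERNAL VOLUME exvol_azure;

SELECT
  "property"                                                          AS location,
  TRY_PARSE_JSON("property_value"):AZURE_CONSENT_URL::STRING           AS consent_url,
  TRY_PARSE_JSON("property_value"):AZURE_MULTI_TENANT_APP_NAME::STRING AS app_name
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "parent_property" = 'STORAGE_LOCATIONS';

-- Step 2, parts 2 to 9 happen in Azure: accept the consent URL, then assign
-- Storage Blob Data Contributor to the app_name service principal at the
-- storage account scope (not the container).

-- Verification: Snowflake checks the Azure permissions only when an Iceberg
-- table references the volume. If this CREATE fails, the consent or the role
-- assignment has not taken effect yet (role changes can take ~10 minutes and
-- the service principal itself can take an hour or more to appear).
CREATE ICEBERG TABLE iceberg_perm_check (id INT)
  CATALOG = 'SNOWFLAKE'
  EXTERNAL_VOLUME = 'exvol_azure'
  BASE_LOCATION = 'perm_check/';

-- Exercise write access as well, since Storage Blob Data Contributor and
-- ALLOW_WRITES = TRUE together are what make the volume writable.
INSERT INTO iceberg_perm_check VALUES (1);
SELECT * FROM iceberg_perm_check;

-- Remove the probe table once the permissions are confirmed.
DROP TABLE iceberg_perm_check;
```

Run the script statement by statement: the SELECT over RESULT_SCAN must immediately follow the DESC in the same session, and the CREATE ICEBERG TABLE should be attempted only after the Azure role assignment from Step 2 is in place.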

Next steps

After you configure an external volume, you can create an Iceberg table.