Configure an external volume for Google Cloud Storage

This topic covers how to grant Snowflake restricted access to a Google Cloud Storage (GCS) bucket using an external volume.

An administrator in your organization grants the required IAM permissions to the Snowflake service account in your Google Cloud account.

Note

  • To complete the instructions in this topic, you must have permissions in Google Cloud to create and manage IAM policies and roles. If you are not a Google Cloud administrator, ask your Google Cloud administrator to perform these tasks.

  • To support data recovery, enable versioning for your external cloud storage location.

Step 1: Create an external volume in Snowflake

Create an external volume using the CREATE EXTERNAL VOLUME command.

Note

Only account administrators (users with the ACCOUNTADMIN role) can execute this SQL command.

The following example creates an external volume that defines a single GCS storage location with encryption:

CREATE EXTERNAL VOLUME exvol
  STORAGE_LOCATIONS =
    (
      (
        NAME = 'my-us-east-1'
        STORAGE_PROVIDER = 'GCS'
        STORAGE_BASE_URL = 'gcs://mybucket1/path1/'
        ENCRYPTION = (TYPE = 'GCS_SSE_KMS' KMS_KEY_ID = '1234abcd-12ab-34cd-56ef-1234567890ab')
      )
    );

Step 2: Retrieve the GCS service account for your Snowflake account

To retrieve the ID for the GCS service account that was created automatically for your Snowflake account, use the DESCRIBE EXTERNAL VOLUME command. Specify the name of the external volume that you created previously.

For example:

DESC EXTERNAL VOLUME exvol;

Record the value of the STORAGE_GCP_SERVICE_ACCOUNT property in the output (for example, service-account-id@project1-123456.iam.gserviceaccount.com).

Snowflake provisions a single GCS service account for your entire Snowflake account. All GCS external volumes use that service account.

Step 3: Grant the service account permissions to access bucket objects

In this step, you configure IAM access permissions for Snowflake in your Google Cloud Platform Console.

Create a custom IAM role

Create a custom role that has the permissions required to access the bucket and get objects.

  1. Log in to the Google Cloud Platform Console as a project editor.

  2. From the home dashboard, select IAM & admin » Roles.

  3. Select Create Role.

  4. Enter a name and description for the custom role.

  5. Select Add Permissions.

  6. Filter the list of permissions, and add the following from the list:

    • storage.buckets.get

    • storage.objects.create

    • storage.objects.delete

    • storage.objects.get

    • storage.objects.list

  7. Select Create.
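
The following Python script is an added example; it is not part of Snowflake's documentation or Google's tooling. It builds the role definition in the form that `gcloud iam roles create ROLE_ID --project PROJECT --file FILE` accepts as an alternative to the console steps above, and audits an existing definition against the five permissions listed in step 6, so that a role created by hand (or trimmed down from a broader predefined role such as Storage Admin) can be checked for least privilege before it is assigned. The role title, the role ID `SnowflakeExternalVolume` and the list of high-risk permissions are the example's own choices.

```python
# Added example (not Snowflake's or Google's own code): builds the custom role
# definition that `gcloud iam roles create ... --file` consumes, then audits a
# definition for least privilege against the permission list in Step 3.
import json

# The five permissions the page lists for the custom role.
REQUIRED_PERMISSIONS = frozenset({
    "storage.buckets.get",
    "storage.objects.create",
    "storage.objects.delete",
    "storage.objects.get",
    "storage.objects.list",
})

# Permissions that would let the holder change who else can reach the bucket or
# alter the bucket itself; never needed for an external volume, so worth
# flagging separately from other excess permissions (example's own list).
HIGH_RISK_PERMISSIONS = frozenset({
    "storage.buckets.setIamPolicy",
    "storage.objects.setIamPolicy",
    "storage.buckets.delete",
    "storage.buckets.update",
})


def build_role_definition(title, description):
    """Return a role definition holding exactly the required permissions.

    Serialised as JSON or YAML, this is the --file input for
    `gcloud iam roles create SnowflakeExternalVolume --project PROJECT --file FILE`.
    """
    return {
        "title": title,
        "description": description,
        "stage": "GA",
        "includedPermissions": sorted(REQUIRED_PERMISSIONS),
    }


def audit_role_definition(role_def):
    """Compare a role definition against the required permission set.

    Returns the missing permissions (the external volume will fail without
    them), the excess permissions (more access than the page asks for), the
    high-risk subset of the excess, and a least_privilege verdict.
    """
    granted = set(role_def.get("includedPermissions", []))
    missing = REQUIRED_PERMISSIONS - granted
    excess = granted - REQUIRED_PERMISSIONS
    return {
        "missing": sorted(missing),
        "excess": sorted(excess),
        "high_risk": sorted(excess & HIGH_RISK_PERMISSIONS),
        "least_privilege": not missing and not excess,
    }


if __name__ == "__main__":
    role = build_role_definition(
        "Snowflake External Volume",
        "Object read/write access for the Snowflake GCS service account",
    )
    print(json.dumps(role, indent=2))

    # Constructed example of an over-broad role, as an administrator might end
    # up with by starting from Storage Admin and trimming incompletely.
    too_broad = dict(
        role,
        includedPermissions=role["includedPermissions"]
        + ["storage.buckets.setIamPolicy", "storage.objects.update"],
    )
    print(json.dumps(audit_role_definition(too_broad), indent=2))
```

Run the audit against the definition you actually created (for example the output of `gcloud iam roles describe ROLE_ID --project PROJECT --format=json`) rather than against the generated one; the generated definition is only a starting point.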

Assign the custom role to the GCS service account

  1. Log in to the Google Cloud Platform Console as a project editor.

  2. From the home dashboard, select Storage » Browser.

    [Figure: Bucket list in Google Cloud Platform Console]

  3. Select a bucket to configure for access.

  4. Select SHOW INFO PANEL in the upper-right corner. The information panel for the bucket appears.

  5. In the Add members field, search for the service account name from the output in Step 2: Retrieve the GCS service account for your Snowflake account.

    [Figure: Bucket information panel in Google Cloud Platform Console]

  6. From the Select a role dropdown, select Storage » Custom » <role>. The <role> is the custom GCS role that you created in Create a custom IAM role.

  7. Select Add. The service account name is added to the Storage Object Viewer role dropdown in the information panel.

    [Figure: Storage Object Viewer role list in Google Cloud Platform Console]

Note

To verify that your permissions are configured correctly, create an Iceberg table using this external volume. Snowflake doesn’t verify that your permissions are set correctly until you create an Iceberg table that references this external volume.

Grant the GCS service account permissions on the Google Cloud Key Management Service keys

Note

This step is required only if your GCS bucket is encrypted using a key stored in the Google Cloud Key Management Service (Cloud KMS).

  1. Log in to the Google Cloud Platform Console as a project editor.

  2. From the home dashboard, select Security » Cryptographic keys.

  3. Select the key ring that is assigned to your GCS bucket.

  4. In the upper-right corner, select SHOW INFO PANEL. The information panel for the key ring appears.

  5. In the Add members field, search for the service account name from the DESCRIBE EXTERNAL VOLUME output in Step 2: Retrieve the GCS service account for your Snowflake account.

  6. From the Select a role dropdown, select the Cloud KMS CryptoKey Encrypter/Decrypter role.

  7. Select Add. The service account name is added to the Cloud KMS CryptoKey Encrypter/Decrypter role dropdown in the information panel.
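
The following Python script is an added example; it is not Snowflake's or Google's code. It reads the IAM policies of the bucket and of the key ring in the JSON form that `gcloud storage buckets get-iam-policy BUCKET --format=json` and `gcloud kms keyrings get-iam-policy KEY_RING --location LOCATION --format=json` return, and checks that the Snowflake service account holds the custom role on the bucket and the Cloud KMS CryptoKey Encrypter/Decrypter role on the key ring, and nothing broader. The service account address, project ID, custom role name and both policy documents are constructed sample values; the real ones come from the DESCRIBE EXTERNAL VOLUME output and from your own project.

```python
# Added example (not Snowflake's or Google's own code): audits the bucket and
# key-ring IAM policies for the bindings that Step 3 asks for, and flags any
# over-broad role held by the Snowflake service account.
import json

KMS_ROLE = "roles/cloudkms.cryptoKeyEncrypterDecrypter"

# Predefined roles that grant far more than an external volume needs.
OVER_BROAD_ROLES = frozenset({
    "roles/owner",
    "roles/editor",
    "roles/storage.admin",
    "roles/storage.legacyBucketOwner",
    "roles/cloudkms.admin",
})

# Constructed sample values (IAM members are prefixed with their type).
SNOWFLAKE_SA = "serviceAccount:service-account-id@project1-123456.iam.gserviceaccount.com"
CUSTOM_ROLE = "projects/project1-123456/roles/SnowflakeExternalVolume"

# Constructed sample of `gcloud storage buckets get-iam-policy --format=json`.
BUCKET_POLICY_JSON = """{
  "bindings": [
    {"role": "roles/storage.admin",
     "members": ["group:storage-admins@example.com"]},
    {"role": "projects/project1-123456/roles/SnowflakeExternalVolume",
     "members": ["serviceAccount:service-account-id@project1-123456.iam.gserviceaccount.com"]}
  ],
  "etag": "CAE=",
  "version": 1
}"""

# Constructed sample of `gcloud kms keyrings get-iam-policy --format=json`.
KEYRING_POLICY_JSON = """{
  "bindings": [
    {"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
     "members": ["serviceAccount:service-account-id@project1-123456.iam.gserviceaccount.com"]}
  ],
  "etag": "CAE=",
  "version": 1
}"""


def parse_policy(text):
    """Parse an IAM policy document as emitted by gcloud --format=json."""
    return json.loads(text)


def roles_for_member(policy, member):
    """Return the set of roles a member holds anywhere in the policy."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def audit_external_volume_access(bucket_policy, keyring_policy, member,
                                 custom_role, kms_encrypted=True):
    """Return a list of findings; an empty list means the bindings match Step 3.

    kms_encrypted=False skips the key-ring checks for buckets that do not use
    a Cloud KMS key (the page's Note above).
    """
    findings = []
    bucket_roles = roles_for_member(bucket_policy, member)
    if custom_role not in bucket_roles:
        findings.append(f"bucket: {member} lacks {custom_role}")
    for role in sorted(bucket_roles & OVER_BROAD_ROLES):
        findings.append(f"bucket: {member} holds over-broad role {role}")
    if kms_encrypted:
        ring_roles = roles_for_member(keyring_policy, member)
        if KMS_ROLE not in ring_roles:
            findings.append(f"keyring: {member} lacks {KMS_ROLE}")
        for role in sorted(ring_roles & OVER_BROAD_ROLES):
            findings.append(f"keyring: {member} holds over-broad role {role}")
    # Conditional bindings change what a role grants; they need a manual look.
    for scope, policy in (("bucket", bucket_policy), ("keyring", keyring_policy)):
        for b in policy.get("bindings", []):
            if "condition" in b and member in b.get("members", []):
                findings.append(f"{scope}: conditional binding on {b['role']} needs review")
    return findings


if __name__ == "__main__":
    bucket = parse_policy(BUCKET_POLICY_JSON)
    keyring = parse_policy(KEYRING_POLICY_JSON)
    result = audit_external_volume_access(bucket, keyring, SNOWFLAKE_SA, CUSTOM_ROLE)
    print("OK: bindings match Step 3" if not result else "\n".join(result))
```

Because Snowflake only exercises these permissions when an Iceberg table is created, a check like this is the quickest way to catch a missing or over-broad binding before that point.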

Next steps

After you configure an external volume, you can create an Iceberg table.