Configure an external volume for Amazon S3¶

This topic covers how to grant Snowflake restricted access to your Amazon S3 bucket using an external volume for Iceberg tables.

An administrator in your organization grants the IAM user permissions in your Amazon Web Services (AWS) account.

Note

Snowflake cannot support external volumes with bucket names that contain dots (for example, my.s3.bucket). Snowflake uses virtual-hosted-style paths and HTTPS to access data in S3. However, S3 does not support SSL for virtual-hosted-style buckets with dots in the name.
To complete the instructions in this topic, you must have permissions in AWS to create and manage IAM policies and roles. If you are not an AWS administrator, ask your AWS administrator to perform these tasks.
To support data recovery, enable versioning for your external cloud storage location.

Step 1: Create an IAM policy that grants access to your S3 location¶

To configure access permissions for Snowflake in the AWS Management Console, do the following:

Log in to the AWS Management Console.
From the home dashboard, search for and select IAM.
From the left-hand navigation pane, select Account settings.
Under Security Token Service (STS) in the Endpoints list, find the Snowflake region where your account is located. If the STS status is inactive, move the toggle to Active.
From the left-hand navigation pane, select Policies.
Select Create Policy.
For Policy editor, select JSON.

Add a policy to provide Snowflake with the required permissions to read and write data to your S3 location. The following example policy grants access to all locations in the specified bucket.

Note

Replace bucket with your actual bucket name. You can also specify a path in the bucket; for example, bucket/path.
Setting the "s3:prefix": condition to ["*"] grants access to all prefixes in the specified bucket; setting it to ["path/*"] grants access to a specified path in the bucket.
For buckets in government regions, the bucket ARNs use the arn:aws-us-gov:s3::: prefix.

{
   "Version": "2012-10-17",
   "Statement": [
         {
            "Effect": "Allow",
            "Action": [
               "s3:PutObject",
               "s3:GetObject",
               "s3:GetObjectVersion",
               "s3:DeleteObject",
               "s3:DeleteObjectVersion"
            ],
            "Resource": "arn:aws:s3:::<bucket>/*"
         },
         {
            "Effect": "Allow",
            "Action": [
               "s3:ListBucket",
               "s3:GetBucketLocation"
            ],
            "Resource": "arn:aws:s3:::<bucket>",
            "Condition": {
               "StringLike": {
                     "s3:prefix": [
                        "*"
                     ]
               }
            }
         }
   ]
}

Copy

Select Next.
Enter a Policy name (for example, snowflake_access) and an optional Description.
Select Create policy.

Step 2: Create an IAM role¶

Create an AWS IAM role to grant privileges on the S3 bucket containing your data files.

From the left-hand navigation pane in the Identity and Access Management (IAM) Dashboard, select Roles.
Select Create role.
For the trusted entity type, select AWS account.
Under An AWS account, select This account. In a later step, you modify the trusted relationship and grant access to Snowflake.
Select the Require external ID option. Enter an external ID of your choice. For example, iceberg-table-external-id.

An external ID is used to grant access to your AWS resources (such as S3 buckets) to a third party like Snowflake.
Select Next.
Select the policy that you created in Step 1, which grants access to your S3 location, then select Next.
Enter a Role name and description for the role, then select Create role.

You have now created an IAM policy for an S3 location, created an IAM role, and attached the policy to the role.
On the role summary page, locate and record the ARN (Amazon Resource Name) value for the role.

Step 3: Grant privileges required for SSE-KMS encryption to the IAM role (optional)¶

If you want to upload an object encrypted with an AWS KMS key to Amazon S3, the IAM role that you created in Step 2 needs kms:GenerateDataKey permissions on the key. If you want to download an object encrypted with an AWS KMS key, the IAM role needs kms:Decrypt permissions on the key.

If you want to use a KMS key for your server-side encryption, follow these steps to create a key and reference it.

In the AWS Management Console, go to the Key Management Service (KMS). From the left navigation, select Customer managed keys, and then select Create key. You must create a key in the same region as your bucket.
Create a Symmetric key type. For the key usage, select Encrypt and decrypt. Select Next.
For Alias, enter a name for the key and select Next.
If needed, select an administrator for the key and select Next.
For Define key usage permissions, select your IAM role, then select Next.
Review the key configuration details, then select Finish to create the key.
Find the key in the list of customer managed keys, select it, and record its ARN. The following is an example of an ARN for a key: arn:aws:kms:us-west-2:111111122222:key/1a1a11aa-aa1a-aaa1a-a1a1-000000000000.

When you create your external volume, set the KMS_KEY_ID value to the ARN of your key.

Step 4: Create an external volume in Snowflake¶

Create an external volume using the CREATE EXTERNAL VOLUME command.

The following example creates an external volume that defines a single Amazon S3 storage location with encryption. The command specifies the external ID (iceberg-table-external-id) associated with the IAM role created in Step 2. Specifying an external ID lets you use the same IAM role (and external ID) across multiple external volumes.

CREATE OR REPLACE EXTERNAL VOLUME exvol
   STORAGE_LOCATIONS =
      (
         (
            NAME = 'my-s3-us-west-2'
            STORAGE_PROVIDER = 'S3'
            STORAGE_BASE_URL = 's3://MY_EXAMPLE_BUCKET/'
            STORAGE_AWS_ROLE_ARN = 'arn:aws:iam::123456789012:role/myrole'
            STORAGE_AWS_EXTERNAL_ID = 'iceberg-table-external-id'
            ENCRYPTION=(TYPE='AWS_SSE_KMS' KMS_KEY_ID='arn:aws:kms:us-west-2:111111122222:key/1a1a11aa-aa1a-aaa1a-a1a1-000000000000')
         )
      );

Copy

Note

Specify your IAM role ARN exactly as provided by AWS. ARNs are case-sensitive.

Step 5: Retrieve the AWS IAM user for your Snowflake account¶

Retrieve the ARN for the AWS IAM user that was created automatically for your Snowflake account using the DESCRIBE EXTERNAL VOLUME command. Specify the name of the external volume that you created in Step 4.

For example:
```
DESC EXTERNAL VOLUME exvol;
```
Copy
Record the value for the STORAGE_AWS_IAM_USER_ARN property, which is the AWS IAM user created for your Snowflake account; for example, arn:aws:iam::123456789001:user/abc1-b-self1234.

Snowflake provisions a single IAM user for your entire Snowflake account. All S3 external volumes in your account use that IAM user.

Note

If you didn’t specify an external ID (STORAGE_AWS_EXTERNAL_ID) when you created an external volume, Snowflake generates an ID for you to use. Record the value so that you can update your IAM role trust policy with the generated external ID.

Step 6: Grant the IAM user permissions to access bucket objects¶

In this step, you configure permissions that allow the IAM user for your Snowflake account to access objects in your S3 bucket.

Log in to the AWS Management Console.
From the home dashboard, search for and select IAM.
From the left-hand navigation pane, select Roles.
Select the IAM role that you created in Step 2.
Select the Trust relationships tab.
Select Edit trust policy.
Modify the policy document with the DESC EXTERNAL VOLUME output values that you recorded.

Where:
- snowflake_user_arn is the STORAGE_AWS_IAM_USER_ARN value you recorded.
- snowflake_external_id is your external ID. If you already specified an external ID when you created the role, and used the same ID to create your external volume, leave the value as-is. Otherwise, update sts:ExternalId with the value that you recorded.
Policy document for IAM role
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "<snowflake_user_arn>"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "<snowflake_external_id>"
        }
      }
    }
  ]
}
```
Copy
Note

You must update this policy document if you create a new external volume (or recreate an existing external volume using the CREATE OR REPLACE EXTERNAL VOLUME syntax) and don’t provide your own external ID. For security reasons, a new or recreated external volume has a different external ID and cannot resolve the trust relationship unless you update this trust policy.
Select Update policy to save your changes.

Note

To verify that your permissions are configured correctly, create an Iceberg table using this external volume. Snowflake doesn’t verify that your permissions are set correctly until you create an Iceberg table that references this external volume.

Next steps¶

After you configure an external volume, you can create an Iceberg table.

To create a read-only Iceberg table that uses an external catalog, see Configure a catalog integration for Iceberg tables.
To create an Iceberg table with full Snowflake platform support, see Create an Iceberg table with Snowflake as the catalog.

Minimum AWS access control requirements¶

To access files in your S3 bucket, Snowflake requires the following permissions to perform actions on your S3 location:

s3:DeleteObject
s3:DeleteObjectVersion
s3:GetBucketLocation
s3:GetObject
s3:GetObjectVersion
s3:ListBucket
s3:PutObject

Note

The s3:PutObject permission grants write access to the external volume location. To completely configure write access, set the ALLOW_WRITES parameter of the external volume to TRUE (the default value).

As a best practice, Snowflake recommends that you create a designated IAM policy that grants Snowflake access to your S3 location. You can then attach the policy to a role, and use the security credentials generated by AWS for that role to access the files.