Habilitação de notificações de erro para tarefas usado AWS SNS¶
Este tópico fornece instruções para configurar o suporte de notificação de erros para tarefas que utilizam Amazon Web Services Simple Notification Service (AWS SNS).
Habilitação de notificações de erro usando Amazon AWS SNS¶
Para habilitar as notificações de tarefa, siga as etapas nas próximas seções.
Step 1: Creating an Amazon SNS Topic¶
Create an SNS topic in your AWS account to handle all error messages. Record the Amazon Resource Name (ARN) for the SNS topic.
Nota
Only standard SNS topics are supported. Do not create SNS FIFO (first in, first out) topics for use with error notifications. Currently, error notifications sent to FIFO topics fail silently.
To reduce latency and avoid data egress charges for sending notifications across regions, we recommend creating the SNS topic in the same region as your Snowflake account.
For instructions, see the Creating an Amazon SNS topic in the SNS documentation.
Step 2: Creating the IAM Policy¶
Create an AWS Identity and Access Management (IAM) policy that grants permissions to publish to the SNS topic. The policy defines the following actions:
sns:publishPublish to the SNS topic.
Log into the AWS Management Console.
From the home dashboard, choose Identity & Access Management (IAM):
Choose Account settings from the left-hand navigation pane.
Expand the Security Token Service Regions list, find the AWS region corresponding to the region where your account is located, and choose Activate if the status is Inactive.
Choose Policies from the left-hand navigation pane.
Click Create Policy.
Click the JSON tab.
Add a policy document that defines actions that can be taken on your SNS topic.
Copy and paste the following text into the policy editor:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "sns:Publish" ], "Resource": "<sns_topic_arn>" } ] }
Replace
sns_topic_arnwith the ARN of the SNS topic you created in Step 1: Creating an Amazon SNS Topic (in this topic).Click Review policy.
Enter the policy name (e.g.
snowflake_sns_topic) and an optional description. Click Create policy.
Step 3: Creating the AWS IAM Role¶
Create an AWS IAM role on which to assign privileges on the SNS topic.
Log into the AWS Management Console.
From the home dashboard, choose Identity & Access Management (IAM):
Choose Roles from the left-hand navigation pane.
Click the Create role button.
Select Another AWS account as the trusted entity type.
In the Account ID field, enter your own AWS account ID temporarily.
Select the Require external ID option. This option enables you to grant permissions on your Amazon account resources (i.e. SNS) to a third party (i.e. Snowflake).
For now, enter a dummy ID such as
0000. Later, you will modify the trust relationship and replace the dummy ID with the external ID for the Snowflake IAM user generated for your account. A condition in the trust policy for your IAM role allows your Snowflake users to assume the role using the notification integration object you will create later.Click the Next button.
Locate the policy you created in Step 2: Creating the IAM Policy (in this topic), and select this policy.
Click the Next button.
Enter a name and description for the role, and click the Create role button.
Record the Role ARN value located on the role summary page. You will specify this value in one or more later steps.
Step 4: Creating the Notification Integration¶
Create a notification integration using CREATE NOTIFICATION INTEGRATION. An integration is a Snowflake object that references the SNS topic you created.
A single notification integration can support multiple tasks and pipes.
Nota
Only account administrators (users with the ACCOUNTADMIN role) or a role with the global CREATE INTEGRATION privilege can execute this SQL command.
CREATE NOTIFICATION INTEGRATION <integration_name>
ENABLED = true
TYPE = QUEUE
NOTIFICATION_PROVIDER = AWS_SNS
DIRECTION = OUTBOUND
AWS_SNS_TOPIC_ARN = '<topic_arn>'
AWS_SNS_ROLE_ARN = '<iam_role_arn>'
Where:
<integration_name>Name of the new integration.
DIRECTION = OUTBOUNDDirection of the cloud messaging with respect to Snowflake. Required only when configuring error notifications.
<topic_arn>SNS topic ARN you recorded in Step 1: Creating an Amazon SNS Topic (in this topic).
<iam_role_arn>IAM role ARN you recorded in Step 3: Creating the AWS IAM Role (in this topic).
For example:
CREATE NOTIFICATION INTEGRATION my_notification_int
ENABLED = true
TYPE = QUEUE
NOTIFICATION_PROVIDER = AWS_SNS
DIRECTION = OUTBOUND
AWS_SNS_TOPIC_ARN = 'arn:aws:sns:us-east-2:111122223333:sns_topic'
AWS_SNS_ROLE_ARN = 'arn:aws:iam::111122223333:role/error_sns_role';
Step 5: Granting Snowflake Access to the SNS Topic¶
Retrieve the IAM User ARN and SNS Topic External ID¶
Execute DESCRIBE INTEGRATION:
DESC NOTIFICATION INTEGRATION <integration_name>;
Where:
integration_nameis the name of the notification integration you created in Step 4: Creating the Notification Integration (in this topic).
For example:
DESC NOTIFICATION INTEGRATION my_notification_int; +---------------------------+-------------------+------------------------------------------------------+----------------------+ | property | property_type | property_value | property_default | +---------------------------+-------------------+------------------------------------------------------+----------------------+ | ENABLED | Boolean | true | false | | NOTIFICATION_PROVIDER | String | AWS_SNS | | | DIRECTION | String | OUTBOUND | INBOUND | | AWS_SNS_TOPIC_ARN | String | arn:aws:sns:us-east-2:111122223333:myaccount | | | AWS_SNS_ROLE_ARN | String | arn:aws:iam::111122223333:role/myrole | | | SF_AWS_IAM_USER_ARN | String | arn:aws:iam::123456789001:user/c_myaccount | | | SF_AWS_EXTERNAL_ID | String | MYACCOUNT_SFCRole=2_a123456/s0aBCDEfGHIJklmNoPq= | | +---------------------------+-------------------+------------------------------------------------------+----------------------+
Record the following generated values:
- SF_AWS_IAM_USER_ARN:
ARN for the Snowflake IAM user created for your account. Users in your Snowflake account will assume the IAM role you created in Step 3: Creating the AWS IAM Role by submitting the external ID for this user using your notification integration.
- SF_AWS_EXTERNAL_ID:
External ID for the Snowflake IAM user created for your account.
In the next step, you will update the trust relationship for the IAM role with these values.
Note the DIRECTION property, which indicates the direction of the cloud messaging with respect to Snowflake.
Modify the Trust Relationship in the IAM Role¶
Log into the AWS Management Console.
From the home dashboard, choose Identity & Access Management (IAM):
Choose Roles from the left-hand navigation pane.
Click on the role you created in Step 3: Creating the AWS IAM Role (in this topic).
Click on the Trust relationships tab.
Click the Edit trust relationship button.
Modify the policy document with the DESC NOTIFICATION INTEGRATION output values you recorded in Retrieve the IAM User ARN and SNS Topic External ID (in this topic):
Policy document for IAM role
{ "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "AWS": "<sf_aws_iam_user_arn>" }, "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "sts:ExternalId": "<sf_aws_external_id>" } } } ] }
Where:
sf_aws_iam_user_arnis theSF_AWS_IAM_USER_ARNvalue you recorded.sf_aws_external_idis theSF_AWS_EXTERNAL_IDvalue you recorded.
Click the Update Trust Policy button. The changes are saved.
Step 6: Enabling error notifications in tasks¶
Você então ativa a notificação de erro, seja em uma tarefa autônoma ou raiz, definindo ERROR_INTEGRATION como nome da integração da notificação. Você pode definir a propriedade ao criar uma tarefa (usando CREATE TASK) ou mais tarde (usando ALTER TASK).
Para obter mais detalhes, consulte Configuração de uma tarefa para enviar notificações de erro.