Categories:

System functions (System Control)

SYSTEM$REGISTER_PRIVATELINK_ENDPOINT

Registers a private connectivity endpoint to route your connection to the Snowflake service.

Syntax

AWS

SYSTEM$REGISTER_PRIVATELINK_ENDPOINT(
  '<aws_private_endpoint_vpce_id>',
  '<aws_account_id>',
  '<token>',
  [ <delay_time> ]
  )

Azure

SYSTEM$REGISTER_PRIVATELINK_ENDPOINT(
  '<azure_private_endpoint_link_id>',
  '<azure_private_endpoint_resource_id>',
  '<token>',
  [ <delay_time> ]
  )

Required arguments

AWS

aws_private_endpoint_vpce_id

Specifies the identifier for your Amazon Web Services (AWS) virtual private cloud endpoint (AWS VPCEID).

To obtain the AWS VPCEID value, navigate through the AWS console or use the following command:

aws ec2 describe-vpc-endpoints
aws_account_id

The 12-digit identifier that uniquely identifies your Amazon Web Services (AWS) account, as a string.

To obtain the AWS account ID value, navigate through the AWS console or use the following command:

aws sts get-caller-identity

Azure

azure_private_endpoint_link_id

Specifies the identifier for your Microsoft Azure (Azure) virtual private cloud endpoint link (Azure LinkID).

To obtain the Azure LinkID value:

Run the SYSTEM$GET_PRIVATELINK_AUTHORIZED_ENDPOINTS system function.

azure_private_endpoint_resource_id

The identifier that uniquely identifies your Snowflake account in Microsoft Azure (Azure) as a string.

To obtain the Azure private endpoint resource Id, use the following command:

az network private-endpoint list --resource-group my_resource_group
token

Specifies an access token to verify ownership of the private connectivity endpoint.

To obtain the token, you must have the corresponding read or describe privilege on the private connectivity endpoint at a minimum. For more information, see:

To obtain the token, use the following commands:

  • For Snowflake on AWS:

    aws sts get-federation-token --name snowflake --policy '{ "Version": "2012-10-17", "Statement"
: [ { "Effect": "Allow", "Action": ["ec2:DescribeVpcEndpoints"], "Resource": ["*"] } ] }'

  • For Snowflake on Azure:

    az account get-access-token --subscription <subscription_id>

For more information about limiting the scope of an access token, see:

Optional arguments

delay_time

Specifies the number of minutes to wait before enforcing the private endpoint registration.

Range: 0 to 1440 minutes (24 hours)

0 minutes: The registration is enforced immediately.

Default: 60 (1 hour)

For more information about the delay time and enforcement, see Manage enforcement with the delay time argument.

Returns

Returns a status message about the registration of the private connectivity endpoint.

If you specify a delay time, the function returns a message stating when the registration will be enforced, with a reminder that when you pin multiple accounts to the same private endpoint the enforcement is based on the earliest registration.

Usage notes

  • Only account administrators (users with the ACCOUNTADMIN role) can call this function.
  • You can register multiple private connectivity endpoints for your Snowflake account.

Examples

Call the SYSTEM$REGISTER_PRIVATELINK_ENDPOINT system function to register the VPC endpoint with your Snowflake account. The token arguments contain truncated values and the delay time unit is minutes:

AWS

SELECT SYSTEM$REGISTER_PRIVATELINK_ENDPOINT(
  'vpce-0c1...',
  '123.....',
  '{
    "Credentials": {
      "AccessKeyId": "ASI...",
      "SecretAccessKey": "alD...",
      "SessionToken": "IQo...",
      "Expiration": "2024-12-10T08:20:20+00:00"
    },
    "FederatedUser": {
      "FederatedUserId": "0123...:snowflake",
      "Arn": "arn:aws:sts::174...:federated-user/snowflake"
    },
    "PackedPolicySize": 9,
    }',
  120
  );

Azure

SELECT SYSTEM$REGISTER_PRIVATELINK_ENDPOINT(
  '123....',
  '/subscriptions/0cc51670-.../resourceGroups/dbsec_test_rg/providers/Microsoft.Network/
  privateEndpoints/...',
  'eyJ...',
  120
);