CREATE SECURITY INTEGRATION (AWS IAM Authentication)¶
Creates a new security integration for external authentication using Amazon Web Services (AWS) Identity and Access Management (IAM).
For information about creating other types of security integrations (e.g. External OAuth), see CREATE SECURITY INTEGRATION.
- See also:
ALTER SECURITY INTEGRATION (AWS IAM Authentication) , DESCRIBE INTEGRATION , DROP INTEGRATION , SHOW INTEGRATIONS
Syntax¶
CREATE SECURITY INTEGRATION <name>
TYPE = API_AUTHENTICATION
AUTH_TYPE = AWS_IAM
AWS_ROLE_ARN = '<iam_role_arn>'
ENABLED = { TRUE | FALSE }
[ COMMENT = '<string_literal>' ]
Required parameters¶
nameSpecifies the identifier (i.e. name) for the integration. This value must be unique in your account.
For more details, see Identifier requirements.
TYPE = API_AUTHENTICATIONSpecifies that the security integration is an interface between Snowflake and one or more AWS services that use OAuth 2.0 or AWS IAM credentials.
AUTH_TYPE = AWS_IAMSpecifies that the integration uses AWS IAM to authenticate to authenticate to one or more AWS services.
AWS_ROLE_ARN = 'iam_role_arn'Specifies the Amazon Resource Name (ARN) of the AWS identity and access management (IAM) role that grants privileges for AWS resources.
ENABLED = { TRUE | FALSE }Specifies whether this security integration is enabled or disabled.
TRUEAllows the integration to run based on the parameters specified in the integration definition.
FALSESuspends the integration for maintenance. Any integration between Snowflake and a third-party service fails to work
Optional parameters¶
COMMENT = 'string_literal'Specifies a comment for the integration.
Default: No value
Access control requirements¶
A role used to execute this SQL command must have the following privileges at a minimum:
Privilege |
Object |
Notes |
|---|---|---|
CREATE INTEGRATION |
Account |
Only the ACCOUNTADMIN role has this privilege by default. The privilege can be granted to additional roles as needed. |
For instructions on creating a custom role with a specified set of privileges, see Creating custom roles.
For general information about roles and privilege grants for performing SQL actions on securable objects, see Overview of Access Control.
Usage notes¶
Regarding metadata:
Attention
Customers should ensure that no personal data (other than for a User object), sensitive data, export-controlled data, or other regulated data is entered as metadata when using the Snowflake service. For more information, see Metadata fields in Snowflake.
CREATE OR REPLACE <object> statements are atomic. That is, when an object is replaced, the old object is deleted and the new object is created in a single transaction.
Examples¶
Create a security integration to connect Snowflake to AWS as the role named in AWS as arn:aws:iam::001234567890:role/myrole.
CREATE SECURITY INTEGRATION aws_iam TYPE = API_AUTHENTICATION AUTH_TYPE = AWS_IAM AWS_ROLE_ARN = 'arn:aws:iam::001234567890:role/myrole' ENABLED = true;