Configure a catalog integration for AWS Glue Iceberg REST

Follow the steps in this topic to create a catalog integration for the AWS Glue Iceberg REST endpoint with Signature Version 4 (SigV4) authentication.

Step 1: Configure access permissions for the AWS Glue Data Catalog

Create an IAM policy for Snowflake to access the AWS Glue Data Catalog. Attach the policy to an IAM role, which you specify when you create a catalog integration. For instructions, see Creating IAM policies and Modifying a role permissions policy in the AWS Identity and Access Management User Guide.

At a minimum, Snowflake requires the following permissions on the AWS Glue Data Catalog to access information using the Glue Iceberg REST catalog.

  • glue:GetCatalog

  • glue:GetDatabase

  • glue:GetDatabases

  • glue:GetTable

  • glue:GetTables

The following example policy (in JSON format) provides the required permissions to access all of the tables in a specified database.

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Sid": "AllowGlueCatalogTableAccess",
         "Effect": "Allow",
         "Action": [
           "glue:GetCatalog",
           "glue:GetDatabase",
           "glue:GetDatabases",
           "glue:GetTable",
           "glue:GetTables"
         ],
         "Resource": [
            "arn:aws:glue:*:<accountid>:table/*/*",
            "arn:aws:glue:*:<accountid>:catalog",
            "arn:aws:glue:*:<accountid>:database/<database-name>"
         ]
      }
   ]
}

Note

  • You can modify the Resource element of this policy to further restrict the allowed resources (for example, catalog, databases, or tables). For more information, see Resource types defined by AWS Glue.

  • If you use encryption for AWS Glue, you must modify the policy to add AWS Key Management Service (AWS KMS) permissions. For more information, see Setting up encryption in AWS Glue.
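The following check is an added example, not part of the Snowflake or AWS documentation. It audits a policy document against the five minimum actions listed above and reports resource ARNs that are not pinned to one account, Region, and database. The function names, the database name `sales_db`, and the choice to flag a wildcard Region are assumptions made for illustration.

```python
# Added example: audit a Glue IAM policy against the minimum permissions on this page.
REQUIRED = {"glue:GetCatalog", "glue:GetDatabase", "glue:GetDatabases",
            "glue:GetTable", "glue:GetTables"}

def as_list(value):
    # IAM allows Statement, Action and Resource to be a single value or a list.
    return value if isinstance(value, list) else [value]

def audit_glue_policy(policy, account_id, database):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings, granted = [], set()
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in as_list(stmt.get("Action", [])):
            granted.add(action)
            if action not in REQUIRED:  # catches glue:* and write actions
                findings.append(f"extra action: {action}")
        for arn in as_list(stmt.get("Resource", [])):
            parts = arn.split(":", 5)  # arn:partition:service:region:account:resource
            if len(parts) != 6 or parts[2] != "glue":
                findings.append(f"not a Glue ARN: {arn}")
                continue
            region, account, resource = parts[3], parts[4], parts[5]
            if account != account_id:
                findings.append(f"unexpected account: {arn}")
            if region == "*":
                findings.append(f"wildcard region: {arn}")
            kind, _, path = resource.partition("/")
            if kind in ("database", "table") and path.split("/")[0] != database:
                findings.append(f"not scoped to database {database}: {arn}")
    findings += [f"missing action: {a}" for a in sorted(REQUIRED - granted)]
    return findings

def make_policy(region, table_path, actions=tuple(sorted(REQUIRED))):
    """Build a constructed sample policy shaped like the example on this page."""
    base = f"arn:aws:glue:{region}:123456789012"
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": list(actions),
        "Resource": [f"{base}:table/{table_path}", f"{base}:catalog",
                     f"{base}:database/sales_db"]}]}

PAGE_POLICY = make_policy("*", "*/*")                  # same shape as the page's example
TIGHT_POLICY = make_policy("us-west-2", "sales_db/*")  # Region and database pinned

if __name__ == "__main__":
    for name, pol in (("page", PAGE_POLICY), ("tight", TIGHT_POLICY)):
        print(name, audit_glue_policy(pol, "123456789012", "sales_db") or "OK")
```
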

Step 2: Create a catalog integration in Snowflake

Create a catalog integration for the AWS Glue Iceberg REST endpoint using the CREATE CATALOG INTEGRATION (Apache Iceberg™ REST) command. Specify the IAM role that you configured. For CATALOG_NAME, use your AWS account ID.

CREATE CATALOG INTEGRATION glue_rest_catalog_int
  CATALOG_SOURCE = ICEBERG_REST
  TABLE_FORMAT = ICEBERG
  CATALOG_NAMESPACE = 'rest_catalog_integration'
  REST_CONFIG = (
    CATALOG_URI = 'https://glue.us-west-2.amazonaws.com/iceberg'
    CATALOG_API_TYPE = AWS_GLUE
    CATALOG_NAME = '123456789012'
  )
  REST_AUTHENTICATION = (
    TYPE = SIGV4
    SIGV4_IAM_ROLE = 'arn:aws:iam::123456789012:role/my-role'
    SIGV4_SIGNING_REGION = 'us-west-2'
  )
  ENABLED = TRUE;

Where:

  • CATALOG_URI is the service endpoint for the AWS Glue Iceberg REST catalog.

  • CATALOG_NAME is the ID of your AWS account.

For more information, see CREATE CATALOG INTEGRATION (Apache Iceberg™ REST), which includes instructions for configuring a catalog integration for AWS Glue.