Configure an external volume for Azure
Grant Snowflake restricted access to your own Microsoft Azure container using an external volume. Snowflake supports the following Azure cloud storage services for external volumes:
Blob storage
Data Lake Storage Gen2
General-purpose v1
General-purpose v2
Microsoft Fabric OneLake
Note
To harden your security posture, you can configure an external volume to use private connectivity rather than the public Internet for network traffic. For more information, see Private connectivity to external volumes for Microsoft Azure.
Prerequisites
Before you configure an external volume, you need the following:
An Azure storage container.
To use Snowflake as the catalog, the container must be in the same region that hosts your Snowflake account.
To use the external volume for externally managed Iceberg tables, all of your table data and metadata files must be located in the container.
To support data recovery, enable versioning for your external cloud storage location.
Permissions in Azure to create and manage IAM policies and roles. If you aren’t an Azure administrator, ask your Azure administrator to perform these tasks.
If you use an Azure storage firewall to block unauthorized traffic to your storage account, follow the instructions in Allowing the VNet subnet IDs to explicitly grant Snowflake access to your Azure storage account.
Step 1: Create an external volume in Snowflake
Create an external volume using the CREATE EXTERNAL VOLUME command.
Note
Only account administrators (users with the ACCOUNTADMIN role) can execute this SQL command.
The following example creates an external volume that defines an Azure storage location with encryption:
CREATE EXTERNAL VOLUME exvol
  STORAGE_LOCATIONS =
    (
      (
        NAME = 'my-azure-northeurope'
        STORAGE_PROVIDER = 'AZURE'
        STORAGE_BASE_URL = 'azure://exampleacct.blob.core.windows.net/my_container_northeurope/'
        AZURE_TENANT_ID = 'a123b4c5-1234-123a-a12b-1a23b45678c9'
      )
    );
Note
Use the azure:// prefix, not https://, when specifying a value for STORAGE_BASE_URL.
For information about specifying a OneLake location (preview feature), see the CREATE EXTERNAL VOLUME reference page.
If you use a regional endpoint for a Microsoft Fabric OneLake storage location, use the same region as your Microsoft Fabric capacity. This must also be the same region that hosts your Snowflake account.
Step 2: Grant Snowflake access to the storage location
To retrieve a URL to the Microsoft permissions request page, use the DESCRIBE EXTERNAL VOLUME command. Specify the name of the external volume that you created previously.
DESC EXTERNAL VOLUME exvol;
Record the values for the following properties:
Property | Description
AZURE_CONSENT_URL | URL to the Microsoft permissions request page.
AZURE_MULTI_TENANT_APP_NAME | Name of the Snowflake client application created for your account. In a later step in this section, you grant this application permission to obtain an access token on your allowed storage location.
You use these values in the following steps.
In a web browser, navigate to the Microsoft permissions request page (the AZURE_CONSENT_URL).
Select Accept. This action allows the Azure service principal created for your Snowflake account to obtain an access token on a specified resource inside your tenant. Obtaining an access token succeeds only if you grant the service principal the appropriate permissions on the storage account level (see the next step).
The Microsoft permissions request page redirects to the Snowflake corporate site (snowflake.com).
Log in to the Microsoft Azure portal.
Go to Azure Services » Storage Accounts. Select the name of the storage account that the Snowflake service principal needs to access.
Note
You must set IAM permissions for an external volume at the storage account level, not the container level.
Select Access Control (IAM) » Add role assignment.
Select the Storage Blob Data Contributor role to grant read and write access to the Snowflake service principal.
Note
The Storage Blob Data Contributor role grants write access to the external volume location. To completely configure write access, set the ALLOW_WRITES parameter of the external volume to TRUE (the default value).
Search for the Snowflake service principal. This is the identity in the AZURE_MULTI_TENANT_APP_NAME property in the DESC EXTERNAL VOLUME output (in Step 2). Search for the string before the underscore in the AZURE_MULTI_TENANT_APP_NAME property.
Important
It can take an hour or longer for Azure to create the Snowflake service principal requested through the Microsoft request page in this section. If the service principal is not available immediately, wait an hour or two and then search again.
If you delete the service principal, the external volume stops working.
Select Review + assign.
Note
It can take up to 10 minutes for changes to take effect when you assign a role. For more information, see Symptom - Role assignment changes are not being detected in the Microsoft Azure documentation.
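The Azure side of Step 2 (locating the Snowflake service principal, assigning Storage Blob Data Contributor at storage-account scope, and confirming the assignment) as an Azure CLI script, together with a check for the azure:// prefix rule from the note in Step 1. This is an added example, not part of the Snowflake documentation; it assumes the Azure CLI (az) is installed and signed in to the tenant that owns the storage account, and every name and ID in it is a constructed placeholder.

```shell
#!/usr/bin/env sh
# Added example, not from the Snowflake docs. Assumes "az" is installed and
# logged in to the tenant that owns the storage account.

# STORAGE_BASE_URL must use the azure:// scheme, never https://.
# Returns 0 when the scheme is acceptable, 1 otherwise.
check_storage_base_url() {
  case "$1" in
    azure://*) return 0 ;;
    *) return 1 ;;
  esac
}

# The portal/CLI search uses the part of AZURE_MULTI_TENANT_APP_NAME
# (from DESC EXTERNAL VOLUME) before the first underscore.
app_search_name() {
  printf '%s\n' "${1%%_*}"
}

# Role assignments for an external volume must be scoped to the storage
# account, not to a container: build that resource ID from its parts.
# $1 subscription ID, $2 resource group, $3 storage account name
storage_account_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s\n' \
    "$1" "$2" "$3"
}

# CLI equivalent of the portal steps in Step 2.
# $1 AZURE_MULTI_TENANT_APP_NAME, $2 subscription ID, $3 resource group, $4 storage account
grant_snowflake_access() {
  sp_name=$(app_search_name "$1")
  # Azure can take an hour or more to create the service principal after consent.
  app_id=$(az ad sp list --display-name "$sp_name" --query "[0].appId" -o tsv)
  if [ -z "$app_id" ]; then
    echo "service principal '$sp_name' not found yet; retry later" >&2
    return 1
  fi
  scope=$(storage_account_scope "$2" "$3" "$4")
  az role assignment create --assignee "$app_id" \
    --role "Storage Blob Data Contributor" --scope "$scope" -o none
  # Confirm the assignment exists at exactly this scope (it can take ~10 minutes to take effect).
  az role assignment list --assignee "$app_id" --scope "$scope" \
    --query "[?roleDefinitionName=='Storage Blob Data Contributor'].scope" -o tsv
}

# Constructed placeholder values; replace with your own before running.
# grant_snowflake_access 'snowflakeabc123_1234567890' \
#   '00000000-0000-0000-0000-000000000000' 'my-rg' 'exampleacct'
```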
Step 3: Verify storage access
To check that Snowflake can successfully authenticate to your storage provider, call the SYSTEM$VERIFY_EXTERNAL_VOLUME function.
SELECT SYSTEM$VERIFY_EXTERNAL_VOLUME('exvol');
Next steps
After you configure an external volume, you can create an Iceberg table.
To create a read-only Iceberg table that uses an external catalog, see Configure a catalog integration.
To create an Iceberg table with full Snowflake platform support, see Create a Snowflake-managed table.