Configure an external volume for Azure

Grant Snowflake restricted access to your own Microsoft Azure container using an external volume. Snowflake supports the following Azure cloud storage services for external volumes:

  • Blob storage

  • Data Lake Storage Gen2

  • General-purpose v1

  • General-purpose v2

  • Microsoft Fabric OneLake

Note

To harden your security posture, you can configure an external volume to use private connectivity rather than the public Internet for network traffic. For more information, see Private connectivity to external volumes for Microsoft Azure.

Prerequisites

Before you configure an external volume, you need the following:

  • An Azure storage container.

    • To use Snowflake as the catalog, the container must be in the same region that hosts your Snowflake account.

    • To use the external volume for externally managed Iceberg tables, all of your table data and metadata files must be located in the container.

    • To support data recovery, enable versioning for your external cloud storage location.

  • Permissions in Azure to create and manage IAM policies and roles. If you aren’t an Azure administrator, ask your Azure administrator to perform these tasks.

If you use an Azure storage firewall to block unauthorized traffic to your storage account, follow the instructions in Allowing the VNet subnet IDs to explicitly grant Snowflake access to your Azure storage account.

Step 1: Create an external volume in Snowflake

Create an external volume using the CREATE EXTERNAL VOLUME command.

Note

Only account administrators (users with the ACCOUNTADMIN role) can execute this SQL command.

The following example creates an external volume that defines an Azure storage location with encryption:

CREATE EXTERNAL VOLUME exvol
  STORAGE_LOCATIONS =
    (
      (
        NAME = 'my-azure-northeurope'
        STORAGE_PROVIDER = 'AZURE'
        STORAGE_BASE_URL = 'azure://exampleacct.blob.core.windows.net/my_container_northeurope/'
        AZURE_TENANT_ID = 'a123b4c5-1234-123a-a12b-1a23b45678c9'
      )
    );

Note

  • Use the azure:// prefix and not https:// when specifying a value for STORAGE_BASE_URL.

  • For information about specifying a OneLake location (preview feature), see the CREATE EXTERNAL VOLUME reference page.

  • If you use a regional endpoint for a Microsoft Fabric OneLake storage location, use the same region as your Microsoft Fabric capacity. This must also be the same region that hosts your Snowflake account.

Step 2: Grant Snowflake access to the storage location

  1. To retrieve a URL to the Microsoft permissions request page, use the DESCRIBE EXTERNAL VOLUME command. Specify the name of the external volume that you created previously.

    DESC EXTERNAL VOLUME exvol;

    Record the values for the following properties:

    Property                     Description
    AZURE_CONSENT_URL            URL to the Microsoft permissions request page.
    AZURE_MULTI_TENANT_APP_NAME  Name of the Snowflake client application created for your account. In a later step in this section, you grant this application permission to obtain an access token on your allowed storage location.

    You use these values in the following steps.

  2. In a web browser, navigate to the Microsoft permissions request page (the AZURE_CONSENT_URL).

  3. Select Accept. This action allows the Azure service principal created for your Snowflake account to obtain an access token on a specified resource inside your tenant. Obtaining an access token succeeds only if you grant the service principal the appropriate permissions on the storage account level (see the next step).

    The Microsoft permissions request page redirects to the Snowflake corporate site (snowflake.com).

  4. Log in to the Microsoft Azure portal.

  5. Go to Azure Services » Storage Accounts. Select the name of the storage account that the Snowflake service principal needs to access.

    Note

    You must set IAM permissions for an external volume at the storage account level, not the container level.

  6. Select Access Control (IAM) » Add role assignment.

  7. Select the Storage Blob Data Contributor role to grant read and write access to the Snowflake service principal.

    Note

    The Storage Blob Data Contributor role grants write access to the external volume location. To completely configure write access, set the ALLOW_WRITES parameter of the external volume to TRUE (the default value).

  8. Search for the Snowflake service principal. This is the identity in the AZURE_MULTI_TENANT_APP_NAME property of the DESC EXTERNAL VOLUME output (from step 1 of this section). Search for the string before the underscore in the AZURE_MULTI_TENANT_APP_NAME property.

    Important

    • It can take an hour or longer for Azure to create the Snowflake service principal requested through the Microsoft request page in this section. If the service principal is not available immediately, wait an hour or two and then search again.

    • If you delete the service principal, the external volume stops working.

    (Screenshot: Add role assignment in Azure Storage Console)

  9. Select Review + assign.

    Note

    It can take up to 10 minutes for changes to take effect when you assign a role. For more information, see Symptom - Role assignment changes are not being detected in the Microsoft Azure documentation.
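As an added audit example (not Snowflake or Microsoft code), the following Python checks exported role assignments against the conditions this step relies on: the principal whose name starts with the part of AZURE_MULTI_TENANT_APP_NAME before the underscore holds the Storage Blob Data Contributor role, and the assignment is scoped to the storage account itself rather than to a container or a broader scope. It assumes the JSON field names of `az role assignment list -o json` (principalName, principalType, roleDefinitionName, scope) and runs on constructed sample data.

```python
import json

EXPECTED_ROLE = "Storage Blob Data Contributor"
STORAGE_ACCOUNT_TYPE = "/providers/Microsoft.Storage/storageAccounts/"


def sp_search_string(multi_tenant_app_name: str) -> str:
    """Return the part before the underscore, which is what the procedure searches for."""
    return multi_tenant_app_name.split("_", 1)[0]


def is_storage_account_scope(scope: str) -> bool:
    """True only when the scope ends at the storage account (no container or sub-resource)."""
    idx = scope.find(STORAGE_ACCOUNT_TYPE)
    if idx < 0:
        return False  # subscription or resource-group scope: broader than needed
    rest = scope[idx + len(STORAGE_ACCOUNT_TYPE):]
    return "/" not in rest.rstrip("/")  # nothing after the account name


def audit_assignments(assignments: list, app_name: str) -> dict:
    """Classify each assignment for the Snowflake principal as ok or as a finding."""
    prefix = sp_search_string(app_name)
    ok, findings = [], []
    for a in assignments:
        if not a.get("principalName", "").startswith(prefix):
            continue  # some other principal; not part of this check
        if a.get("principalType") != "ServicePrincipal":
            findings.append(("unexpected principal type", a))
        elif a.get("roleDefinitionName") != EXPECTED_ROLE:
            findings.append(("unexpected role", a))
        elif not is_storage_account_scope(a.get("scope", "")):
            findings.append(("wrong scope", a))
        else:
            ok.append(a)
    return {"ok": ok, "findings": findings, "principal_found": bool(ok or findings)}


# Constructed sample shaped like `az role assignment list -o json` output (assumed field names).
ACCOUNT = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1" + STORAGE_ACCOUNT_TYPE + "exampleacct"
SAMPLE = json.loads(json.dumps([
    {"principalName": "snowflakeapp123", "principalType": "ServicePrincipal",
     "roleDefinitionName": EXPECTED_ROLE, "scope": ACCOUNT},
    {"principalName": "snowflakeapp123", "principalType": "ServicePrincipal",
     "roleDefinitionName": EXPECTED_ROLE,
     "scope": ACCOUNT + "/blobServices/default/containers/my_container_northeurope"},
    {"principalName": "snowflakeapp123", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1"},
    {"principalName": "alice@example.com", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": ACCOUNT},
]))

if __name__ == "__main__":
    for kind, a in audit_assignments(SAMPLE, "snowflakeapp123_1234567890")["findings"]:
        print(f"{kind}: {a['roleDefinitionName']} at {a['scope']}")
```

Only the first assignment passes; the container-scoped one and the resource-group-level Contributor one are reported as findings, and the user entry is ignored.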

Step 3: Verify storage access

To check that Snowflake can successfully authenticate to your storage provider, call the SYSTEM$VERIFY_EXTERNAL_VOLUME function.

SELECT SYSTEM$VERIFY_EXTERNAL_VOLUME('exvol');

Next steps

After you configure an external volume, you can create an Iceberg table.