Configure an external volume for Azure¶

Grant Snowflake restricted access to your own Microsoft Azure container using an external volume. Snowflake supports the following Azure cloud storage services for external volumes:

Blob storage
Data Lake Storage Gen2
General-purpose v1
General-purpose v2
Microsoft Fabric OneLake

Prerequisites¶

Before you configure an external volume, you need the following:

An Azure storage container in the same region that hosts your Snowflake account.
- To use the external volume for externally managed Iceberg tables, all of your table data and metadata files must be located in the container.
- To support data recovery, enable versioning for your external cloud storage location.
Permissions in Azure to create and manage IAM policies and roles. If you aren’t an Azure administrator, ask your Azure administrator to perform these tasks.

If you use an Azure storage firewall to block unauthorized traffic to your storage account, follow the instructions in Allowing the VNet subnet IDs to explicitly grant Snowflake access to your Azure storage account.

Step 1: Create an external volume in Snowflake¶

Create an external volume using the CREATE EXTERNAL VOLUME command.

Note

Only account administrators (users with the ACCOUNTADMIN role) can execute this SQL command.

The following example creates an external volume that defines an Azure storage location with encryption:

CREATE EXTERNAL VOLUME exvol
  STORAGE_LOCATIONS =
    (
      (
        NAME = 'my-azure-northeurope'
        STORAGE_PROVIDER = 'AZURE'
        STORAGE_BASE_URL = 'azure://exampleacct.blob.core.windows.net/my_container_northeurope/'
        AZURE_TENANT_ID = 'a123b4c5-1234-123a-a12b-1a23b45678c9'
      )
    );

Copy

Note

Use the azure:// prefix and not https:// when specifying a value for STORAGE_BASE_URL.
For information about specifying a OneLake location (preview feature), see the CREATE EXTERNAL VOLUME reference page.
If you use a regional endpoint for a Microsoft Fabric OneLake storage location, use the same region as your Microsoft Fabric capacity. This must also be the same region that hosts your Snowflake account.

Step 2: Grant Snowflake access to the storage location¶

To retrieve a URL to the Microsoft permissions request page, use the DESCRIBE EXTERNAL VOLUME command. Specify the name of the external volume that you created previously.

DESC EXTERNAL VOLUME exvol;

Copy

Record the values for the following properties:

Property	Description
`AZURE_CONSENT_URL`	URL to the Microsoft permissions request page.
`AZURE_MULTI_TENANT_APP_NAME`	Name of the Snowflake client application created for your account. In a later step in this section, you grant this application permission to obtain an access token on your allowed storage location.

You use these values in the following steps.

In a web browser, navigate to the Microsoft permissions request page (the AZURE_CONSENT_URL).
Select Accept. This action allows the Azure service principal created for your Snowflake account to obtain an access token on a specified resource inside your tenant. Obtaining an access token succeeds only if you grant the service principal the appropriate permissions on the storage account level (see the next step).

The Microsoft permissions request page redirects to the Snowflake corporate site (snowflake.com).
Log in to the Microsoft Azure portal.
Go to Azure Services » Storage Accounts. Select the name of the storage account that the Snowflake service principal needs to access.

Note

You must set IAM permissions for an external volume at the storage account level, not the container level.
Select Access Control (IAM) » Add role assignment.
Select the Storage Blob Data Contributor role to grant read and write access to the Snowflake service principal.

Note

The Storage Blob Data Contributor role grants write access to the external volume location. To completely configure write access, set the ALLOW_WRITES parameter of the external volume to TRUE (the default value).
Search for the Snowflake service principal. This is the identity in the AZURE_MULTI_TENANT_APP_NAME property in the DESC EXTERNAL VOLUME output (in Step 1). Search for the string before the underscore in the AZURE_MULTI_TENANT_APP_NAME property.
Important
- It can take an hour or longer for Azure to create the Snowflake service principal requested through the Microsoft request page in this section. If the service principal is not available immediately, wait an hour or two and then search again.
- If you delete the service principal, the external volume stops working.
Select Review + assign.

Note

It can take up to 10 minutes for changes to take effect when you assign a role. For more information, see Symptom - Role assignment changes are not being detected in the Microsoft Azure documentation.

Step 3: Verify storage access¶

To check that Snowflake can successfully authenticate to your storage provider, call the SYSTEM$VERIFY_EXTERNAL_VOLUME function.

SELECT SYSTEM$VERIFY_EXTERNAL_VOLUME('my_s3_external_volume');

Copy

Next steps¶

After you configure an external volume, you can create an Iceberg table.

To create a read-only Iceberg table that uses an external catalog, see Configure a catalog integration.
To create an Iceberg table with full Snowflake platform support, see Create a Snowflake-managed table.