Configure an external volume for Google Cloud Storage¶
Grant Snowflake restricted access to a Google Cloud Storage (GCS) bucket using an external volume.
Prerequisites¶
Before you configure an external volume, you need the following:
A Google Cloud Storage bucket in the same region that hosts your Snowflake account.
To use the external volume for externally managed Iceberg tables, all of your table data and metadata files must be located in the bucket.
To support data recovery, enable versioning for your external cloud storage location.
Permissions in Google Cloud to create and manage IAM policies and roles. If you aren’t a Google Cloud administrator, ask your Google Cloud administrator to perform these tasks.
Step 1: Create an external volume in Snowflake¶
Create an external volume using the CREATE EXTERNAL VOLUME command.
Note
Only account administrators (users with the ACCOUNTADMIN role) can execute this SQL command.
The following example creates an external volume that defines a single GCS storage location with encryption:
CREATE EXTERNAL VOLUME my_gcs_external_volume
STORAGE_LOCATIONS =
(
(
NAME = 'my-us-west-2'
STORAGE_PROVIDER = 'GCS'
STORAGE_BASE_URL = 'gcs://mybucket1/path1/'
ENCRYPTION=(TYPE='GCS_SSE_KMS' KMS_KEY_ID = '1234abcd-12ab-34cd-56ef-1234567890ab')
)
);
Step 2: Retrieve the GCS service account for your Snowflake account¶
To retrieve the ID for the GCS service account that was created automatically for your Snowflake account, use the DESCRIBE EXTERNAL VOLUME command. Specify the name of the external volume that you created previously.
For example:
DESC EXTERNAL VOLUME my_gcs_external_volume;
Record the value of the STORAGE_GCP_SERVICE_ACCOUNT property in the output
(for example, service-account-id@project1-123456.iam.gserviceaccount.com).
Snowflake provisions a single GCS service account for your entire Snowflake account. All GCS external volumes use that service account.
Step 3: Grant the service account permissions to access bucket objects¶
In this step, you configure IAM access permissions for Snowflake in your Google Cloud Platform Console.
Create a custom IAM role¶
Create a custom role that has the permissions required to access the bucket and get objects.
Log in to the Google Cloud Platform Console as a project editor.
From the home dashboard, select IAM & Admin » Roles.
Select Create Role.
Enter a Title and optional Description for the custom role.
Select Add Permissions.
In Filter, select Service and then select storage.
Filter the list of permissions, and add the following from the list:
storage.buckets.getstorage.objects.createstorage.objects.deletestorage.objects.getstorage.objects.list
Select Add.
Select Create.
Assign the custom role to the GCS service account¶
Log in to the Google Cloud Platform Console as a project editor.
From the home dashboard, select Cloud Storage » Buckets.
Filter the list of buckets, and select the bucket that you specified when you created an external volume.
Select Permissions » View by principals, then select Grant access.
Under Add principals, paste the name of the service account name from the output in Step 2: Retrieve the GCS service account for your Snowflake account.
Under Assign roles, select the custom IAM role that you created previously, then select Save.
Grant the GCS service account permissions on the Google Cloud Key Management Service keys¶
Note
This step is required only if your GCS bucket is encrypted using a key stored in the Google Cloud Key Management Service (Cloud KMS).
Log in to the Google Cloud Platform Console as a project editor.
From the home dashboard, search for and select Security » Key Management.
Select the key ring that is assigned to your GCS bucket.
In the upper-right corner, select SHOW INFO PANEL. The information panel for the key ring appears.
In the Add members field, search for the service account name from the DESCRIBE EXTERNAL VOLUME output in Step 2: Retrieve the GCS service account for your Snowflake account.
From the Select a role dropdown, select the Cloud KMS CryptoKey Encrypter/Decrypter role.
Select Add. The service account name is added to the Cloud KMS CryptoKey Encrypter/Decrypter role dropdown in the information panel.
Step 4: Verify storage access¶
To check that Snowflake can successfully authenticate to your storage provider, call the SYSTEM$VERIFY_EXTERNAL_VOLUME function.
SELECT SYSTEM$VERIFY_EXTERNAL_VOLUME('my_s3_external_volume');
Next steps¶
After you configure an external volume, you can create an Iceberg table.
To create a read-only Iceberg table that uses an external catalog, see Configure a catalog integration.
To create an Iceberg table with full Snowflake platform support, see Create a Snowflake-managed table.