Configuring an Azure Container for Loading Data¶
For Snowflake to read from/to an Azure container, you must generate a shared access signature (SAS) token for your storage access account.
This topic describes how to perform the required tasks in Azure.
Completing the instructions in this topic requires administrative access to Azure. If you are not an Azure administrator, ask your Azure administrator to perform these tasks.
A Microsoft Azure administrator in your organization can limit access to your Azure storage account (i.e. your containers and the objects in those containers) to Snowflake. This security restriction grants access to your storage account to traffic from your Snowflake virtual network (VNet) subnet while blocking requests that originate from outside the VNet subnet. The process involves whitelisting the Snowflake VNet subnet IDs for your account.
This security feature currently requires that your storage account is located in the same Azure region as your Snowflake account.
To whitelist the Snowflake VNet subnet IDs:
Contact Snowflake Support to obtain a pair of Snowflake VNet subnet IDs for the Azure region in which your account is deployed: one each for Snowflake services and virtual warehouses.
Log into the Azure CLI.
Execute the following command to whitelist each of the provided Snowflake VNet subnet IDs to access your storage account:
$ az storage account network-rule add --account-name <account_name> --resource-group myRG --subnet "<snowflake_vnet_subnet_id>"
account_nameis the name of your Snowflake account.
snowflake_vnet_subnet_idis one of the VNet subnet IDs provided by Snowflake Support.
$ az storage account network-rule add --account-name myaccount --resource-group myRG --subnet "/subscriptions/abcd1234-0123-456e-78f9-1a2bcde3ef4g5/resourceGroups/otherRG/providers/Microsoft.Network/virtualNetworks/otherVNET/subnets/default"
The Azure client may return an error similar to the following:
Unable retrieve endpoint status for one or more subnets. Status 'insufficent permissions' indicates lack of subnet read permissions ('Microsoft.Network/virtualNetworks/subnets/read').
The error indicates that your Azure storage account may not initiate connections to Snowflake because those permissions are not granted. You can ignore this error. It will not block the whitelist feature.
For additional options for managing your virtual network rules, including using PowerShell or the Azure portal, see the Azure documentation.
For additional help regarding this configuration process or any of the other Azure configuration steps, please contact the Azure administrator for your organization.
In this Topic:
Generating an SAS Token¶
The following step-by-step instructions describe how to generate an SAS token to grant Snowflake limited access to objects in your storage account:
Log into the Azure portal.
From the home dashboard, choose Storage Accounts » <storage_account> » Settings » Shared access signature.
Select the following Allowed resource types:
Container(required to list objects in the storage account)
Object(required to read/write objects from/to the storage account)
Select the following allowed permissions to load data files from Azure resources:
Createpermissions are also required if you plan to unload files to a container.
Specify start and expiry dates/times for the SAS token. As part of a general security plan, you could generate a different SAS token periodically.
Leave the Allowed IP addresses field blank, and specify either HTTPS only or HTTPS and HTTP under Allowed protocols.
Click the Generate SAS button. Record the full value in the SAS token field, starting with and including the
?. This is your SAS token. You will specify this token when you create an external stage using CREATE STAGE.
Data File Encryption¶
Enable Azure Storage Service Encryption (SSE) for Data at Rest on your storage account directly, and Snowflake will handle it correctly. For more information, see the Azure documentation on SSE.
In addition, Snowflake supports client-side encryption to decrypt files staged in Azure containers.
AZURE_CSE: Requires a MASTER_KEY value.
Block blobs and append blobs support client-side encryption but page blobs do not.
Next: Creating an Azure Stage