Configuring an Azure Container for Loading Data

For Snowflake to read data from or write data to an Azure container, you must generate a shared access signature (SAS) token for your storage account.

This topic describes how to perform the required tasks in Azure.


Completing the instructions in this topic requires administrative access to Azure. If you are not an Azure administrator, ask your Azure administrator to perform these tasks.


Generating an SAS Token

The following step-by-step instructions describe how to generate an SAS token to grant Snowflake limited access to objects in your storage account:

  1. Log in to the Azure portal.

  2. From the home dashboard, choose Storage Accounts » <storage_account> » Settings » Shared access signature.

  3. Select the following Allowed resource types:

    • Container (required to list objects in the storage account)

    • Object (required to read/write objects from/to the storage account)

  4. Select the following allowed permissions to load data files from Azure resources:

    • Read

    • List

    The additional Write, Add, and Create permissions are also required if you plan to unload files to a container.

  5. Specify start and expiry dates/times for the SAS token. As part of a general security plan, you could generate a different SAS token periodically.

  6. Leave the Allowed IP addresses field blank, and specify either HTTPS only or HTTPS and HTTP under Allowed protocols.

  7. Click the Generate SAS button. Record the full value in the SAS token field, starting with and including the ?. This is your SAS token. You will specify this token when you create an external stage using CREATE STAGE.
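A check for the token recorded in step 7, as an added example that is not part of the original documentation: it parses the SAS query string and compares the srt, sp, sip, spr and se fields with steps 3 to 6. The function name audit_sas, the 90-day max_days limit and the sample tokens are assumptions made for this example.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs

LOAD_PERMS = set("rl")        # step 4: Read, List
UNLOAD_PERMS = set("rlwac")   # step 4: plus Write, Add, Create when unloading
RESOURCE_TYPES = set("co")    # step 3: Container, Object

def audit_sas(token, now, unload=False, max_days=90):
    """Return findings for an account SAS token; an empty list means it matches the steps.
    max_days is an assumed rotation policy, not a value from the page."""
    q = {k: v[0] for k, v in parse_qs(token.lstrip("?")).items()}
    findings = []
    if not token.startswith("?"):
        findings.append("missing leading '?' (step 7)")
    if "sig" not in q:
        findings.append("no sig field; token value looks truncated")
    srt, sp = set(q.get("srt", "")), set(q.get("sp", ""))
    wanted = UNLOAD_PERMS if unload else LOAD_PERMS
    for label, have, need in (("resource types", srt, RESOURCE_TYPES), ("permissions", sp, wanted)):
        if need - have:
            findings.append(f"missing {label}: {''.join(sorted(need - have))}")
        if have - need:
            findings.append(f"extra {label}: {''.join(sorted(have - need))}")
    if "sip" in q:
        findings.append("sip is set, but step 6 leaves Allowed IP addresses blank")
    if q.get("spr", "https,http") != "https":   # Azure defaults to https,http when spr is absent
        findings.append("HTTP allowed; the token can travel unencrypted")
    try:
        se = datetime.strptime(q.get("se", ""), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if se <= now:
            findings.append("token has expired")
        elif (se - now).days > max_days:
            findings.append(f"expires more than {max_days} days from now")
    except ValueError:
        findings.append("se (expiry) missing or not in YYYY-MM-DDThh:mm:ssZ form")
    return findings

# Constructed sample tokens; the sig values are placeholders, not real signatures.
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
GOOD = "?sv=2022-11-02&ss=b&srt=co&sp=rl&st=2024-01-01T00:00:00Z&se=2024-03-01T00:00:00Z&spr=https&sig=CONSTRUCTED"
BROAD = "sv=2022-11-02&ss=bfqt&srt=sco&sp=rwdlacup&se=2030-01-01T00:00:00Z&spr=https,http&sig=CONSTRUCTED"

if __name__ == "__main__":
    for name, tok in (("GOOD", GOOD), ("BROAD", BROAD)):
        print(name, audit_sas(tok, NOW) or "ok")
```

Pass unload=True when the stage will also be used to unload files, so that Write, Add and Create are expected rather than reported as extra.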

Data File Encryption

Enable Azure Storage Service Encryption (SSE) for Data at Rest on your storage account directly, and Snowflake will handle it correctly. For more information, see the Azure documentation on SSE.

In addition, Snowflake supports client-side encryption to decrypt files staged in Azure containers.

  • Client-side encryption:

    • AZURE_CSE: Requires a MASTER_KEY value.


      Block blobs and append blobs support client-side encryption but page blobs do not.
