Overview

This task describes how to configure cross-account IAM role support for Snowflake Snaps. This enables SnapLogic to securely access resources in a different AWS account without sharing AWS credentials, using the Identity and Access Management (IAM) capabilities of AWS and Snowflake.

Prerequisites

Key Steps

1. Create a cross account IAM Role and policy in AWS account
2. Create storage integration or external stage
3. Associate IAM policy with the role

Create a cross account IAM Role and policy in AWS account

Cross Account IAM Role enables a client from an AWS account to access the resources of another AWS account temporarily using the Binary Snaps that support reading from/writing into S3 buckets. This helps organizations or different teams in an organization to access each other's AWS account without compromising security by sharing AWS credentials.

You can briefly allow access to your AWS account and specify the access duration. You must create a role and policy in your AWS account. The policy created by the host is attached to the access seeker's account. This cross account IAM role enables SnapLogic to trigger the necessary APIs.

1. Log in to the AWS Management Console and go to IAM > Roles.
   
   
   
   
2. Click Create role and select Another AWS Account. This is where you specify the account ID for the other account, that will access your account.

   
   

   

   
   

3. Enter the account number of the access seeker in the Account ID field, which is available in the Support Center. Optionally, add an additional security layer to authenticate for each login by checking Options checkbox, next to Require external ID.

   
   

   

   
   

4. Click Next: Permissions The Attach permission policies screen displays, where you can set the permissions. Select the check box next to the applicable policy for this role.

   
   

   

   
   

5. Click Next: Tags to add tags (optional), then click Next: Review.
6. Review the information displayed and add a name for the role and click Create role. The Summary page displays the Amazon Resource Name number. Make a note of this ARN, as you will need it when completing the AWS IAM Role account settings.

   
   

   

   
   

Create storage integration or external stage

In this step, you will create the Snowflake’s account ID and external ID on the Snowflake side to establish the trust entity. You can either create a Storage Integration or an External Stage depending on your need.

1. Create a external named stage through the SQL query.
   
   
   
   
2. Replace the <Role ARN> and <S3 Path> with the corresponding value and list out the details of the created Storage Integration using 'DESC'.
   
   
   
   
3. Copy the value of STORAGE_AWS_IAM_USER_ARN as the Snowflake Account ARN, and copy the STORAGE_AWS_EXTERNAL_ID as the external ID.

Associate IAM policy with the role

1. In the Summary screen, under Trust Entity tab and click Edit trust relationship.
   
   
   
   
2. In the editor, replace the value of ‘AWS' with the ARN of the Snowflake Account, and the 'sts:ExternalID’ with the external ID we got from the last step.
   
   
   
   

After updating, we will see the trust entity changed accordingly. The policy is created and can be assigned to the cross-account IAM role.

Account settings for access through SnapLogic

You can configure the cross account IAM Role through the Snowflake S3 Database Account or Snowflake S3 Dynamic Account settings.

1. Enter the required fields: S3 Bucket, S3 Folder, S3 Access-key ID, and S3 Secret Key.
2. Select Staged files under the Data Source field.
   
   
   
   
3. Under the Staging Location field, select External. This enables the Storage Integration input field.
   
   
   
   
4. Repeat the staging configuration for the Snowflake Unload Snap.

Once these settings are implied, the Snap would use the Integration as credential to do an unload or bulk load, and ignore the storage credentials in the Account.