Connect Snowflake as a data source in Amazon DataZone
Amazon DataZone supports Snowflake as a third-party data source. After you connect Snowflake to a Amazon DataZone project, the catalog can index your Snowflake databases and schemas, capture column-level lineage from Snowflake's query history, and let you query Snowflake tables from through federation. This page walks you through creating a Snowflake connection using the AWS CLI.
Prerequisites
Before you begin, confirm the following are in place:
-
A Amazon DataZone domain and a project where you want the Snowflake data to be cataloged. See Domains and user access in Amazon DataZone and Amazon DataZone projects and environments.
-
A Snowflake account, with permission to create roles and grant privileges in the database, schema, and warehouse you want to catalog.
-
Access to AWS Secrets Manager in the same AWS account as your Amazon DataZone domain.
-
An Amazon S3 bucket for query spill, if you plan to query Snowflake data from .
You will perform the steps in this order: create a Snowflake role, store Snowflake
credentials in AWS Secrets Manager, find your Amazon DataZone project environment ID, then call
aws datazone create-connection.
Step 1: Create a Snowflake role for Amazon DataZone
Amazon DataZone connects to Snowflake using a role you create and grant specific privileges to. The role grants fall into four categories:
-
Metadata sync — Amazon DataZone reads the structure of your tables and views to populate the catalog.
-
Lineage sync — Amazon DataZone reads Snowflake's QUERY_HISTORY and ACCESS_HISTORY to derive column-level lineage.
-
Query access — required for queries issued through Amazon DataZone, including from .
-
Warehouse usage — required for any query the role executes.
Run the following statements in Snowflake, replacing the placeholders with your values:
CREATE ROLE <role_name>; -- Metadata: database and schema access GRANT USAGE ON DATABASE <database_name> TO ROLE <role_name>; GRANT USAGE ON SCHEMA <database_name>.<schema_name> TO ROLE <role_name>; -- Metadata: table and view structure (no data access) GRANT REFERENCES ON ALL TABLES IN SCHEMA <database_name>.<schema_name> TO ROLE <role_name>; GRANT REFERENCES ON ALL VIEWS IN SCHEMA <database_name>.<schema_name> TO ROLE <role_name>; GRANT REFERENCES ON FUTURE TABLES IN SCHEMA <database_name>.<schema_name> TO ROLE <role_name>; GRANT REFERENCES ON FUTURE VIEWS IN SCHEMA <database_name>.<schema_name> TO ROLE <role_name>; -- Lineage: access to QUERY_HISTORY and ACCESS_HISTORY GRANT IMPORTED PRIVILEGES ON DATABASE SNOWFLAKE TO ROLE <role_name>; -- Query access GRANT SELECT ON ALL TABLES IN SCHEMA <database_name>.<schema_name> TO ROLE <role_name>; -- Optional: include tables created after the role is granted GRANT SELECT ON FUTURE TABLES IN SCHEMA <database_name>.<schema_name> TO ROLE <role_name>; -- Warehouse access GRANT USAGE ON WAREHOUSE <warehouse_name> TO ROLE <role_name>; -- Assign the role to the Snowflake user whose credentials DataZone will use GRANT ROLE <role_name> TO USER <snowflake_username>;
Important
GRANT IMPORTED PRIVILEGES ON DATABASE SNOWFLAKE is required for
lineage. Without it, the metadata sync succeeds but no lineage records are
captured.
Step 2: Store Snowflake credentials in AWS Secrets Manager
Create a secret in AWS Secrets Manager, in the same AWS account as your Amazon DataZone domain. Amazon DataZone supports two authentication methods: username and password, or key-pair.
For username and password authentication, use this JSON body:
{ "username": "<snowflake_username>", "password": "<snowflake_password>" }
For key-pair authentication, use this JSON body:
{ "sfUser": "<snowflake_username>", "pem_private_key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----" }
Tag the secret so that Amazon DataZone can discover it. Both tags are required:
| Tag key | Value |
|---|---|
AmazonDataZoneDomain |
Your Amazon DataZone domain ID |
AmazonDataZoneProject |
Your Amazon DataZone project ID |
Note the ARN of the secret. You will pass it to
create-connection in Step 4.
Step 3: Find your project environment ID
The create-connection API call requires the ID of the project
environment where the connection lives. You can derive this from the project user role
ARN.
The project user role ARN follows this pattern:
arn:aws:iam::<account_id>:role/datazone_usr_role_<project_id>_<environment_id>
The final segment, after the last underscore, is the environment ID. For example, in:
arn:aws:iam::123456789012:role/datazone_usr_role_a1b2c3dfadsf_58cjkfdsjfd
58cjkfdsjfd is the environment ID. This is the value to pass as
--environment-identifier in Step 4. The environment ID corresponds to
your project's Tooling environment.
Step 4: Create the Snowflake connection
Run the following AWS CLI command, replacing the placeholders with your values:
aws datazone create-connection \ --domain-identifier <domain_id> \ --environment-identifier <environment_id> \ --name "<connection_name>" \ --description "<optional_description>" \ --props '{ "snowflakeProperties": { "connectivityProperties": { "connectionProperties": { "HOST": "<account>.snowflakecomputing.com", "PORT": "443", "DATABASE": "<database_name>", "WAREHOUSE": "<warehouse_name>", "SCHEMA": "<schema_name>", "ROLE_ARN": "<project_user_role_arn>", "CATALOG_CASING_FILTER": "UPPERCASE_ONLY" }, "athenaProperties": { "spill_bucket": "<project_s3_bucket_name>", "spill_prefix": "<domain_id>/<project_id>/dev/sys/athena" }, "authenticationConfiguration": { "authenticationType": "BASIC", "secretArn": "<secret_arn_from_step_2>" } }, "snowflakeRole": "<role_name_from_step_1>", "identityMapping": { "usernameAttribute": "EMAIL" } } }'
Connection properties reference
| Property | Description |
|---|---|
HOST |
Your Snowflake account URL. |
PORT |
The Snowflake port. Use 443. |
DATABASE |
The Snowflake database to catalog. |
WAREHOUSE |
The Snowflake warehouse Amazon DataZone uses to run queries. |
SCHEMA |
The Snowflake schema to catalog. |
ROLE_ARN |
The project user role ARN (see Step 3). |
CATALOG_CASING_FILTER |
Controls case normalization for cataloged identifiers. Valid
values are UPPERCASE_ONLY and
LOWERCASE_ONLY. If omitted, defaults to
UPPERCASE_ONLY. |
spill_bucket |
S3 bucket name for query spill. Required when querying Snowflake from . |
spill_prefix |
S3 prefix for spill, in the format
<domain_id>/<project_id>/dev/sys/athena. |
authenticationType |
BASIC for username/password or key-pair
authentication. |
secretArn |
The ARN of the secret created in Step 2. |
snowflakeRole |
The Snowflake role name from Step 1. |
identityMapping.usernameAttribute |
Set to EMAIL. |
Verifying the connection
Call aws datazone get-connection with your domain ID and the connection
identifier returned by create-connection. After the first metadata sync
run, cataloged Snowflake tables appear in the Amazon DataZone catalog for the
project.