Configuring AWS Private Link for Snowflake connection
Private Link is available to users on the Pro Plus plan.
You can configure AWS Private Link for Snowflake when using Data Integration. The setup involves creating a Private Link service, obtaining configuration information, and ensuring a secure connection.
This procedure assumes that you want to create a Private Link in Snowflake and use the Data Integration Federated Zone.
The process may differ for users using a "Custom File Zone". To learn more, refer to the Snowflake documentation.
Prerequisite
A Snowflake account
Procedure
Step 1: Requesting Snowflake Private Link
To establish Snowflake Private Link, contact the Support team by submitting a Support Ticket. A support representative then provides you with a federated token, which is valid for 12 hours. The token has the following form:
{
  "Credentials": {
    "AccessKeyId": "******",
    "SecretAccessKey": "******",
    "SessionToken": "******",
    "Expiration": "2023-12-06T01:03:10Z"
  },
  "FederatedUser": {
    "FederatedUserId": "******:<your name>",
    "Arn": "arn:aws:sts::******:federated-user/<your name>"
  },
  "PackedPolicySize": 0
}
Step 2: Generating federated token for Snowflake
- To validate the federated token for Snowflake's Private Link authentication, run the following command:
use role accountadmin;
select SYSTEM$AUTHORIZE_PRIVATELINK('<aws_id>', '<federated_token>');
- Replace <aws_id> with the Data Integration AWS account ID and <federated_token> with the token provided by the support representative.
Step 3: Retrieving Private Link configuration
After validating the federated token in Snowflake, run the following command to retrieve the Private Link configuration:
select system$get_privatelink_config();
The output is in JSON format and includes information such as:
{
  "privatelink-account-name": "******.region.privatelink",
  "privatelink-vpce-id": "com.amazonaws.vpce.region.vpce-svc-*************",
  "privatelink-account-url": "******.region.privatelink.snowflakecomputing.com",
  "regionless-privatelink-account-url": "**********.privatelink.snowflakecomputing.com",
  "privatelink_ocsp-url": "**********.region.privatelink.snowflakecomputing.com",
  "privatelink-connection-urls": "[]"
}
Step 4: Configuring VPC endpoint and VPC network
Forward the output to the Support team to create and configure a VPC endpoint and VPC network.
Step 5: Snowflake connection form in Data Integration
After receiving a response from the Support team, set up the Snowflake connection in Data Integration. For the account name, use the regionless-privatelink-account-url value with snowflakecomputing.com excluded; the remainder is your designated account name.
Ensure the format adheres to the following structure:
account-name.privatelink
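The account-name derivation from Step 5 and the 12-hour token lifetime from Step 1, as an added Python example that is not part of the original page or the product's own code. The function names and the sample values are assumptions constructed for illustration.

```python
import json
from datetime import datetime, timezone

SUFFIX = ".snowflakecomputing.com"

def token_seconds_left(token_json, now=None):
    """Seconds until the Step 1 federated token expires; raises if it already has."""
    exp = json.loads(token_json)["Credentials"]["Expiration"]
    expires = datetime.strptime(exp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    left = (expires - (now or datetime.now(timezone.utc))).total_seconds()
    if left <= 0:
        raise ValueError("federated token expired; request a new one from Support")
    return left

def account_name_from_config(config_json):
    """Derive the Step 5 account name from the system$get_privatelink_config() output."""
    # Keys are lower-cased so the lookup does not depend on how the output was rendered.
    cfg = {k.lower(): v for k, v in json.loads(config_json).items()}
    host = cfg["regionless-privatelink-account-url"].strip().lower()
    if not host.endswith(".privatelink" + SUFFIX):
        # Without the privatelink label this is the account's public URL,
        # not the Private Link one, so refuse to build an account name from it.
        raise ValueError("not a Private Link hostname: " + host)
    return host[: -len(SUFFIX)]

# Constructed sample inputs (hypothetical identifiers, secrets omitted).
SAMPLE_TOKEN = '{"Credentials": {"Expiration": "2023-12-06T01:03:10Z"}}'
SAMPLE_CONFIG = json.dumps({
    "privatelink-account-name": "xy12345.us-east-1.privatelink",
    "regionless-privatelink-account-url": "myorg-myacct.privatelink.snowflakecomputing.com",
})

if __name__ == "__main__":
    fixed_now = datetime(2023, 12, 5, 14, 0, 0, tzinfo=timezone.utc)
    print("seconds left on token:", token_seconds_left(SAMPLE_TOKEN, fixed_now))
    print("account name:", account_name_from_config(SAMPLE_CONFIG))
```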
Procedure
- Provide your Username and Password.
- Specify your Warehouse name (mandatory).
- Specify your Role name (optional).
Leaving it blank results in the use of the account's default role. In such cases, the default Role must have access to the selected Warehouse, or the connection fails.
- Enter your Account Name.
- Use Test Connection to verify that the connection works. If the connection succeeds, you can now use this connection in Data Integration.