AWS PrivateLink Setup for Snowflake Connection

PrivateLink is exclusively available to users on the Enterprise plan.

Introduction

This document provides a step-by-step guide on configuring AWS PrivateLink for Snowflake when using Rivery. The setup involves creating a PrivateLink service, obtaining necessary information for configuration, and ensuring a secure connection.
This guide assumes that the user wishes to create PrivateLink in Snowflake and utilize Rivery's Federated Zone.

Please note that the process may differ for users using a Custom File Zone, and you should refer to the Snowflake documentation for guidance.

Prerequisite

  • A Snowflake account.

To establish Snowflake PrivateLink, please contact our Support team by submitting a Support Ticket to make your request. Upon reaching out, a support representative will provide you with a federated token, which remains valid for a duration of 12 hours.
The token's structure will be similar to the following:

{
    "Credentials": {
        "AccessKeyId": "******",
        "SecretAccessKey": "******",
        "SessionToken": "******",
        "Expiration": "2023-12-06T01:03:10Z"
    },
    "FederatedUser": {
        "FederatedUserId": "******:<your name>",
        "Arn": "arn:aws:sts::******:federated-user/<your name>"
    },
    "PackedPolicySize": 0
}

Step 2: Generating Federated Token for Snowflake

To validate the federated token for Snowflake's PrivateLink authentication, run the following command:

use role accountadmin;

select SYSTEM$AUTHORIZE_PRIVATELINK ('<aws_id>', '<federated_token>');

Replace <aws_id> with the Rivery AWS account ID and <federated_token> with the token provided by the support representative.

Once you have validated the federated token in Snowflake, execute the following command to obtain the PrivateLink configuration:

select system$get_privatelink_config();

The output will be in JSON format and include information such as:

{
    "privatelink-account-name": "******.region.privatelink",
    "privatelink-vpce-id": "com.amazonaws.vpce.region.vpce-svc-*************",
    "privatelink-account-URL": "******.region.privatelink.snowflakecomputing.com",
    "regionless-privatelink-account-URL": "**********.privatelink.snowflakecomputing.com",
    "privatelink_ocsp-URL": "**********.region.privatelink.snowflakecomputing.com",
    "privatelink-connection-urls": "[]"
}

Step 4: Configuring VPC Endpoint and VPC Network

Please forward the output to our Support team for the purpose of creating and configuring a VPC endpoint and VPC network.

Step 5: Snowflake Connection Form in Rivery

Upon receiving a response from our Support team, set up the Snowflake connection in Rivery using the regionless-privatelink-account-url value.
Omit snowflakecomputing.com from that value; the remainder serves as your designated account name.

Ensure the format adheres to the following structure:

account-name.privatelink

Follow these steps:

  1. Provide your Username and Password.
  2. Specify your Warehouse name (mandatory).
  3. Specify your Role name (optional).
    Please Note:
    Leaving it blank will result in the use of the account's default role. In such cases, the default Role must have access to the selected Warehouse, or the connection will fail.
  4. Enter your Account Name.
  5. Use the Test Connection function to see if your connection is up to the task. If the connection succeeded, you can now use this connection in Rivery.
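
A pre-flight check for the procedure above, as an added example that is not Rivery's or Snowflake's own code: it confirms the federated token has not passed its Expiration before it is used with SYSTEM$AUTHORIZE_PRIVATELINK, and derives the Account Name from the system$get_privatelink_config() output. The function names and the sample token and configuration values are assumptions constructed for illustration.

```python
import json
from datetime import datetime, timezone

SUFFIX = ".snowflakecomputing.com"
REQUIRED = {"AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration"}

# Constructed sample inputs (placeholders, not real credentials or accounts).
SAMPLE_TOKEN = json.dumps({
    "Credentials": {"AccessKeyId": "EXAMPLE", "SecretAccessKey": "EXAMPLE",
                    "SessionToken": "EXAMPLE", "Expiration": "2023-12-06T01:03:10Z"},
    "FederatedUser": {"FederatedUserId": "000000000000:example",
                      "Arn": "arn:aws:sts::000000000000:federated-user/example"},
    "PackedPolicySize": 0,
})
SAMPLE_CONFIG = json.dumps({
    "privatelink-account-name": "xy12345.region.privatelink",
    "regionless-privatelink-account-URL":
        "myorg-myaccount.privatelink.snowflakecomputing.com",
})


def token_time_left(token_json, now=None):
    """Remaining validity of the federated token (negative timedelta if expired)."""
    creds = json.loads(token_json)["Credentials"]
    missing = REQUIRED - set(creds)
    if missing:
        raise ValueError(f"token is missing fields: {sorted(missing)}")
    expires = datetime.strptime(creds["Expiration"], "%Y-%m-%dT%H:%M:%SZ")
    expires = expires.replace(tzinfo=timezone.utc)  # trailing Z means UTC
    return expires - (now or datetime.now(timezone.utc))


def rivery_account_name(config_json):
    """Account Name for the connection form: regionless URL minus the suffix."""
    # The page spells this key with both "-URL" and "-url"; match either.
    cfg = {k.lower(): v for k, v in json.loads(config_json).items()}
    url = cfg["regionless-privatelink-account-url"].strip().lower()
    if not url.endswith(".privatelink" + SUFFIX):
        raise ValueError(f"not a PrivateLink account URL: {url!r}")
    return url[: -len(SUFFIX)]


if __name__ == "__main__":
    print("token valid for:", token_time_left(SAMPLE_TOKEN))
    print("account name:", rivery_account_name(SAMPLE_CONFIG))
```

Neither function returns or prints the secret fields, so the output can be pasted into a ticket without exposing the temporary credentials.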
