Creating a Cross Account IAM Role with trust entity pointing to external account.
A cross account IAM role lets a client in one AWS account temporarily access resources in another AWS account, using the Binary Snaps that read from and write to S3 buckets. This allows organizations, or different teams within one organization, to access each other's AWS accounts without sharing AWS credentials.
You can grant access to your AWS account for a limited time and specify the access duration. You must create a role and a policy in your AWS account. The policy created by the host account is attached to the access seeker's account. This cross account IAM role enables SnapLogic to call the necessary APIs.
The Summary page displays the Amazon Resource Name (ARN) of the role. Make a note of this ARN, as you will need it when completing the AWS IAM Role account settings.
In this step, you obtain the Snowflake account ARN and external ID on the Snowflake side to establish the trust entity. You can create either a Storage Integration or an External Stage, depending on your need.
You require the ACCOUNTADMIN role to create a Storage Integration in Snowflake.
2. Replace the <Role ARN> and <S3 Path> with the corresponding values, then list the details of the created Storage Integration using 'DESC'.
Copy the value of STORAGE_AWS_IAM_USER_ARN as the Snowflake Account ARN, and copy the STORAGE_AWS_EXTERNAL_ID as the external ID.
2. Replace the <Role ARN> and <S3 Path> with the corresponding values, then list the details of the created External Stage using 'DESC'.
Copy the value of SNOWFLAKE_IAM_USER as the Snowflake Account ARN and AWS_EXTERNAL_ID as the External ID.
Steps:
In the editor, replace the value of 'AWS' with the ARN of the Snowflake account, and the value of 'sts:ExternalId' with the external ID obtained in the previous step.
After updating, the trust relationship shows the new principal and external ID.
The policy is created and can be assigned to the cross-account IAM role.
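The two manual steps above, copying the Snowflake account ARN and external ID out of the 'DESC' output and pasting them into the role's trust relationship, are easy to get subtly wrong (a wildcard principal left in place, or the external ID condition dropped). The following Python script is an added example, not part of the original page or of SnapLogic's or Snowflake's own code. It takes rows in the shape that 'DESC STORAGE INTEGRATION' or 'DESC STAGE' returns (the sample rows and every ARN and external ID in them are constructed placeholders), builds the trust policy with the 'sts:ExternalId' condition, and checks an existing trust policy for the two weaknesses. It handles both the Storage Integration property names (STORAGE_AWS_IAM_USER_ARN, STORAGE_AWS_EXTERNAL_ID) and the External Stage ones (SNOWFLAKE_IAM_USER, AWS_EXTERNAL_ID) named on this page.

```python
import json
import re

# Constructed sample of what DESC STORAGE INTEGRATION returns in Snowflake:
# (property, property_type, property_value, property_default).
# Every account number, ARN and external ID here is a placeholder.
SAMPLE_DESC_ROWS = [
    ("ENABLED", "Boolean", "true", "false"),
    ("STORAGE_ALLOWED_LOCATIONS", "List", "s3://example-bucket/unload/", "[]"),
    ("STORAGE_AWS_IAM_USER_ARN", "String",
     "arn:aws:iam::111111111111:user/example-snowflake-user", ""),
    ("STORAGE_AWS_ROLE_ARN", "String",
     "arn:aws:iam::222222222222:role/snowflake-s3-access", ""),
    ("STORAGE_AWS_EXTERNAL_ID", "String", "EXAMPLE_SFCRole=2_placeholder=", ""),
]

# A Storage Integration and an External Stage expose the same two facts
# under different property names; accept either form.
PRINCIPAL_KEYS = ("STORAGE_AWS_IAM_USER_ARN", "SNOWFLAKE_IAM_USER")
EXTERNAL_ID_KEYS = ("STORAGE_AWS_EXTERNAL_ID", "AWS_EXTERNAL_ID")

# A specific IAM user or role ARN, as opposed to "*" or an account-wide principal.
ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:(user|role)/.+$")


def extract_trust_values(rows):
    """Pick the Snowflake account ARN and external ID out of DESC output rows."""
    props = {name: value for name, _type, value, _default in rows}
    arn = next((props[k] for k in PRINCIPAL_KEYS if k in props), None)
    external_id = next((props[k] for k in EXTERNAL_ID_KEYS if k in props), None)
    if not arn or not external_id:
        raise ValueError("DESC output has no IAM user ARN or external ID")
    return arn, external_id


def build_trust_policy(snowflake_arn, external_id):
    """Trust policy that allows only the Snowflake principal, and only with the external ID.

    The sts:ExternalId condition is what stops another party that can act through
    the same Snowflake IAM user from assuming this role (the confused deputy case).
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": snowflake_arn},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def trust_policy_issues(policy):
    """Return findings for AssumeRole statements that are broader than the page's setup."""
    issues = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "sts:AssumeRole" not in actions:
            continue
        principal = st.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for p in ([aws] if isinstance(aws, str) else aws):
            if p == "*" or not ARN_RE.match(p):
                issues.append(f"statement {i}: principal {p!r} is not a specific IAM user/role ARN")
        external_id = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not external_id:
            issues.append(f"statement {i}: no sts:ExternalId condition on AssumeRole")
    return issues


if __name__ == "__main__":
    arn, ext = extract_trust_values(SAMPLE_DESC_ROWS)
    policy = build_trust_policy(arn, ext)
    print(json.dumps(policy, indent=2))
    print("findings:", trust_policy_issues(policy) or "none")
```

Run it as-is to see the trust document the page's editing step should produce; to check a role you already have, pass the JSON from the role's trust relationship tab to `trust_policy_issues` and expect an empty list.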
You can configure the cross account IAM role through the Snowflake S3 Database Account or Snowflake S3 Dynamic Account settings. Enter the credentials related to the IAM role, filling in the S3 Bucket, S3 Folder, S3 Access-key ID, and S3 Secret Key fields.
Once these settings are applied, the Snap uses the Storage Integration as the credential for an unload or bulk load and ignores the storage credentials in the Account.