
Snowflake: AWS IAM Role for notification integration


I am trying to create multiple notification integrations in Snowflake. As per my knowledge, I will have to create a new role per notification integration as a different SF_AWS_EXTERNAL_ID is generated for each notification.

Is my understanding correct or do we have a way to utilize one role for all integrations?


Solution

  • You should be able to list the Snowflake external IDs in the policy like below; I have a storage and a notification integration using the same policy.

    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "${snowflake_storage_integration.integration.storage_aws_iam_user_arn}"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": [
                        "${snowflake_storage_integration.integration.storage_aws_external_id}",
                        "${snowflake_notification_integration.integration.aws_sns_external_id}"
                    ]
                }
            }
        }
    ]
    }
    

    See the AWS doc: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-logic-multiple-context-keys-or-values.html
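The point of the answer is the AWS condition-evaluation rule linked above: several values under one condition key (here `sts:ExternalId`) are OR'd, so a single role can be trusted by both integrations as long as every integration's external ID appears in the list, and the Principal stays pinned to the Snowflake IAM user. The script below is an added example, not code from the answer or from Snowflake; it models that evaluation over a constructed trust policy with made-up account ID and external IDs (the real ones would come from the integration's description in Snowflake), checks which required external IDs a policy would reject, and flags the two ways a shared policy usually goes wrong (wildcard principal, or no external-ID condition at all, which reopens the confused-deputy problem the external ID exists to prevent).

```python
import copy
import json

# Constructed sample trust policy in the shape the answer shows. The account ID
# and the external IDs are placeholders, not real Snowflake values.
TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:user/example-snowflake-user"},
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": [
            "EXAMPLE_SFCRole=1_storage",
            "EXAMPLE_SFCRole=1_notification"
          ]
        }
      }
    }
  ]
}
""")

# Placeholder for the IAM user ARN Snowflake reports for the integration.
SNOWFLAKE_USER = "arn:aws:iam::111122223333:user/example-snowflake-user"


def _as_list(value):
    """IAM lets most elements be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _aws_principals(stmt):
    """Principal may be "*" (a bare string) or {"AWS": <string or list>}."""
    principal = stmt.get("Principal")
    if isinstance(principal, str):
        return [principal]
    return _as_list((principal or {}).get("AWS"))


def assume_role_allowed(policy, principal_arn, external_id):
    """Model trust-policy evaluation for sts:AssumeRole.

    Only what the answer's policy uses is modelled: Allow statements,
    Principal.AWS, and a StringEquals condition on sts:ExternalId. Values listed
    under one condition key are OR'd (any one of them matches), which is what
    lets one role serve both the storage and the notification integration.
    """
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principals = _aws_principals(stmt)
        if "*" not in principals and principal_arn not in principals:
            continue
        allowed_ids = _as_list(
            stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        )
        # No external-ID condition means the statement matches for any caller ID.
        if not allowed_ids or external_id in allowed_ids:
            return True
    return False


def external_ids_missing(policy, principal_arn, required_ids):
    """Return the integration external IDs this policy would reject."""
    return [eid for eid in required_ids
            if not assume_role_allowed(policy, principal_arn, eid)]


def trust_policy_weaknesses(policy):
    """Flag a wildcard principal or a missing sts:ExternalId condition."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _aws_principals(stmt):
            findings.append(f"statement {i}: Principal is '*'")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if not _as_list(cond.get("sts:ExternalId")):
            findings.append(f"statement {i}: no sts:ExternalId condition (confused-deputy risk)")
    return findings


def weakened_policy():
    """Constructed negative case: the same policy with its Condition removed."""
    weak = copy.deepcopy(TRUST_POLICY)
    del weak["Statement"][0]["Condition"]
    return weak


if __name__ == "__main__":
    required = ["EXAMPLE_SFCRole=1_storage", "EXAMPLE_SFCRole=1_notification"]
    print("missing:", external_ids_missing(TRUST_POLICY, SNOWFLAKE_USER, required))
    print("weaknesses:", trust_policy_weaknesses(weakened_policy()))
```

When adding a third integration to the shared role, run its external ID through `external_ids_missing` before relying on it: a value that is absent from the list fails `StringEquals` and the AssumeRole call is denied, even though the principal is trusted.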