Snowflake
Connect DataDrop to your Snowflake data warehouse.
Prerequisites
- A Snowflake account with a service user for DataDrop
- A compute warehouse sized appropriately for your exports
- Network access from DataDrop to your Snowflake account
- An S3 bucket and IAM role for file delivery
Connection Parameters
| Parameter | Required | Description |
|---|---|---|
| account | Required | Snowflake account identifier.e.g. xy12345.us-east-1 |
| user | Required | Username for authentication.e.g. svc_delivery |
| password | Optional | Password for the user. Either this or a Secret ARN is required. |
| password_secret | Optional | AWS Secrets Manager ARN storing the password. |
| warehouse | Required | Compute warehouse used for queries.e.g. COMPUTE_WH |
| database | Required | Snowflake database to connect to.e.g. PROD |
| schema | Optional | Default schema for queries.e.g. PUBLIC |
| storage_integration | Optional | Snowflake storage integration for direct S3 writes.e.g. S3_DELIVERY_INTEGRATION |
Authentication
You can provide credentials in two ways:
Direct password — Enter the password directly in the connection form. Simple but the password is stored encrypted in the database.
AWS Secrets Manager — Store the password in Secrets Manager and provide the ARN. DataDrop retrieves it at runtime. Recommended for production.
Storage Integration
A storage integration lets Snowflake write query results directly to S3 using COPY INTO, bypassing the worker entirely. This is significantly faster for large exports because no data flows through application memory.
The storage_integration field is optional. Without it, DataDrop streams results through the worker, which works fine for smaller datasets but is slower at scale.
Setting Up Storage Integration
Storage integration requires an AWS IAM role that Snowflake can assume via cross-account trust. Follow these steps to set it up.
Step 1 — Create the IAM role
Create an IAM role in your AWS account with permissions to read and write to your delivery S3 bucket. The role needs a trust policy that allows Snowflake's AWS account to assume it. If you use the DataDrop Terraform modules, run terraform apply to create the role automatically and note the snowflake_s3_role_arn output.
Step 2 — Create the integration in Snowflake
Connect to Snowflake as ACCOUNTADMIN and run:
CREATE OR REPLACE STORAGE INTEGRATION s3_delivery_integration
TYPE = EXTERNAL_STAGE
STORAGE_PROVIDER = 'S3'
ENABLED = TRUE
STORAGE_AWS_ROLE_ARN = '<YOUR_ROLE_ARN>'
STORAGE_ALLOWED_LOCATIONS = ('s3://<YOUR_BUCKET>/');Step 3 — Get Snowflake's IAM user details
Run DESC INTEGRATION s3_delivery_integration; and record the STORAGE_AWS_IAM_USER_ARN and STORAGE_AWS_EXTERNAL_ID values from the output.
Step 4 — Update the IAM trust policy
Update the IAM role's trust policy with the Snowflake account ID (from the IAM user ARN) and external ID from Step 3. If using Terraform, set the snowflake_aws_account_id and snowflake_external_id variables and re-apply.
Step 5 — Grant usage to your service role
GRANT USAGE ON INTEGRATION s3_delivery_integration TO ROLE <YOUR_SERVICE_ROLE>;
Step 6 — Enter the integration name
In the DataDrop warehouse connection form, enter the integration name (e.g. s3_delivery_integration) in the storage_integration field. DataDrop will use it for all subsequent exports from this warehouse.
Required S3 Permissions
The IAM role assumed by Snowflake needs the following permissions on your delivery S3 bucket:
s3:PutObject,s3:GetObject,s3:DeleteObjectonbucket/*s3:ListBucket,s3:GetBucketLocationonbucket
If your bucket has versioning enabled, also add s3:GetObjectVersion and s3:DeleteObjectVersion.