Snowflake Data Clean Room: Accessing external data from Azure Blob Storage

Data analyzed in a Snowflake Data Clean Room can be native to Snowflake, reside externally in cloud provider storage, or both. Connectors allows collaborators to access external data from a cloud provider from within the clean room.

Snowflake uses the following strategies to make external data available in a clean room:

  • If a collaborator has a Snowflake account, the data from external cloud storage is materialized in the Snowflake account as soon as the connector is authenticated.

  • If a collaborator is not a Snowflake customer and is using a managed account to join a clean room, the connector uses Snowflake external tables to make data available. Only the metadata associated with an external table is stored in Snowflake.

This topic describes how to use a connector so clean room analysts can access external data from Azure Blob Storage.

Connect to Azure Blob Storage

Allowing clean room collaborators to access data from Azure Blob Storage consists of the following steps:

  1. In Azure, obtain the identifiers of the blob storage.

  2. In the clean room environment, create the connector.

  3. Use the clean room environment to initiate the process of granting permissions to the connector, then complete the process in Microsoft.

  4. In the clean room environment, authenticate the connector with Azure.

The following sections discuss these steps in more detail.

Obtain identifiers associated with blob storage

The clean room connector needs the tenant ID associated with Azure Blob Storage and the URL that uniquely identifies the blob storage that the clean room needs to access. Before creating the connector, you must obtain both of these identifiers from Azure.

Note

Microsoft changed the name of Azure Active Directory to Microsoft Entra ID.

To obtain the tenant ID that establishes a trust relationship between Azure Blob Storage and Microsoft Entra ID:

  1. Sign in to the Microsoft Azure portal.

  2. From the home dashboard, select Microsoft Entra ID » Properties.

  3. Find the Tenant ID field and select the copy icon. You will use this identifier when you create the connector.

To obtain the URL that uniquely identifies the blob storage:

  1. Sign in to the Microsoft Azure portal.

  2. From the home dashboard, select Storage Accounts.

  3. Navigate the storage account until you see the blob storage folder in the list.

  4. Find the blob storage folder in the list, and select more menu » Copy URL. You will use this identifier when you create the connector.

Create the connector and copy the service principal identifier

You are now ready to create the connector in the clean room environment. Once you have created the connector, you will need to copy the identifier of the Azure service principal that is associated with the clean room environment.

To create the connector in your clean room environment:

  1. Navigate to the sign in page.

  2. Enter your email address, and select Continue.

  3. Enter your password.

  4. If you are associated with multiple clean room environments, select the Snowflake account you want to use.

  5. In the left navigation, select Connectors, then expand the Microsoft Azure section.

  6. In the Tenant ID field, enter the tenant ID that you copied in the previous step.

  7. In the Path URL field, enter the URL of the blob storage that you copied in the previous step.

  8. Select Create.

  9. Use the copy icon to copy the identifier of the Azure service principal that is now associated with the clean room environment, and save it for the next task. Azure uses service principals to grant access to applications.

Grant permissions to the connector

Clean rooms need permission to access external data in Azure Blob Storage. The process of granting these permissions begins in the clean room environment and ends in Microsoft.

To grant permissions to the connector:

  1. In the clean room environment, select Connectors and expand the Microsoft Azure section. If you are signed out of the clean room, see Sign in to the web app.

  2. Select Consent URL. A Microsoft dialog appears.

  3. In the Microsoft dialog, ensure that Consent on behalf of your organization is selected, then select Accept.

    Microsoft grants the Azure service principal associated with the clean room environment an access token to the blob storage inside of your tenant.

  4. In a new browser window, sign in to the Microsoft Azure portal.

  5. From the home dashboard, select Storage Accounts.

  6. Select the storage account that contains the blob storage.

  7. Select Access Control (IAM).

  8. Select Add role assignment.

  9. Select Storage Blob Data Reader to grant read-only access to a Azure service principal, then select Next.

  10. On the Members tab, select + Select members.

  11. Search for the service principal associated with the clean room environment. You copied its identifier in a previous step.

    Tip

    Microsoft can take over an hour to create the service principal for the clean room environment. If you cannot find the service principal in the list, wait 1-2 hours, then try to complete this step again.

  12. Select Review + assign.

Authenticate the connector

You are now ready to authenticate the connector to make sure it can access Azure Blob Storage. To authenticate the connector:

  1. In the clean room environment, select Connectors and expand the Microsoft Azure section. If you are signed out of the clean room, see Sign in to the web app.

  2. Select the blob storage you are connecting to, and select Authenticate.

Remove access to external data on AWS

To remove access to Azure Blob Storage from a clean room environment:

  1. Navigate to the sign in page.

  2. Enter your email address, and select Continue.

  3. Enter your password.

  4. If you are associated with multiple clean room environments, select the Snowflake account you want to use.

  5. In the left navigation, select Connectors and expand the Microsoft Azure section.

  6. Find the blob storage that is currently connected, and select the trash can icon.