Snowflake Data Clean Room: Accessing external data from Google Cloud Platform

Data analyzed in a Snowflake Data Clean Room can be native to Snowflake, reside externally in cloud provider storage, or both. Connectors allows collaborators to access external data from a cloud provider from within the clean room.

Snowflake uses the following strategies to make external data available in a clean room:

  • If a collaborator has a Snowflake account, the data from external cloud storage is materialized in the Snowflake account as soon as the connector is authenticated.

  • If a collaborator is not a Snowflake customer and is using a managed account to join a clean room, the connector uses Snowflake external tables to make data available. Only the metadata associated with an external table is stored in Snowflake.

This topic describes how to use a connector so clean room analysts can access external data from a Google Cloud Platform bucket.

Connect to a Google Cloud Platform bucket

Allowing clean room collaborators to access data from Google Cloud Platform (GCP) storage consists of the following steps:

  1. In GCP, obtain the URL of the GCP bucket.

  2. In the clean room environment, create the connector.

  3. In GCP, grant permissions to the connector.

  4. In the clean room environment, authenticate the connector with GCP.

The following sections discuss these steps in more detail.

Obtain the URL of the GCP bucket

The clean room connector needs the URL of the GCP storage bucket in order to access the data. Before creating the connector, you must:

  1. Sign in to Google Cloud Platform Console as a project editor.

  2. From the Console dashboard, select Cloud Storage » Browser.

  3. Select the bucket that contains the data you want to access from the clean room, and navigate to the location of that data.

  4. Select the copy icon to copy the URL of the storage bucket and save it for the next task.

Create the connector and copy the service account identifier

You are now ready to create the connector in the clean room environment. Once you have created the connector, you need to copy details about its service account so it can be associated with the bucket in GCP. To create the connector in your clean room environment:

  1. Navigate to the sign in page.

  2. Enter your email address, and select Continue.

  3. Enter your password.

  4. If you are associated with multiple clean room environments, select the Snowflake account you want to use.

  5. In the left navigation, select Connectors, then expand the Google Cloud section.

  6. In the Storage bucket URL field, enter the URL that you copied from GCP. Be sure to include gcs:// in the URL.

  7. Select Create. The clean room generates a service account that it uses to access GCP.

  8. Use the Copy icon to copy the identifier of the service account, and save it for the next task.

Grant permissions to the connector

Clean rooms need permission to access external data in the GCP bucket. Granting these permissions consists of creating a dedicated GCP role for the connector’s service account, then adding the service account as a principal of the GCP bucket.

To create the dedicated GCP role for the connector’s service account:

  1. Sign in to the Google Cloud Platform Console as a project editor.

  2. From the Console dashboard, select IAM & admin » Roles.

  3. Select Create Role.

  4. Enter a name and description for the role.

  5. Select Add Permissions, then add the following permissions:

  • storage.buckets.get

  • storage.objects.list

  • storage.objects.get

Now that you have created a dedicated role, you are ready to associate the connector’s service account as a principal of the GCP bucket. To associate the service account:

  1. Sign in to Google Cloud Platform Console as a project editor.

  2. From the Console dashboard, select Cloud Storage » Browser.

  3. Select the bucket that contains the external data.

  4. Select Show Info Panel. The information panel slides open.

    Show the info panel of a Google Cloud Platform bucket
  5. Select Add Principals.

  6. In the New Principals text box, paste the service account identifier that you copied from the clean room.

  7. From the Select a role drop-down list, select the dedicated role you created for the service account.

Authenticate the connector

You are now ready to authenticate the connector to make sure it can access the GCP bucket. To authenticate the connector:

  1. In the left navigation of the clean room, select Connectors and expand the Google Cloud section. If you are signed out of the clean room, see Sign in to the web app.

  2. Select the GCP bucket you are connecting to, and select Authenticate.

Remove access to external data on GCP

To remove access to a GCP bucket from a clean room environment:

  1. Navigate to the sign in page.

  2. Enter your email address, and select Continue.

  3. Enter your password.

  4. If you are associated with multiple clean room environments, select the Snowflake account you want to use.

  5. In the left navigation, select Connectors, then expand the Google Cloud section.

  6. Find the GCP bucket that is currently connected, and select the trash can icon.