Setup guide

Wiring up cloud storage destinations.

SnowExporter writes files to AWS S3, GCP GCS, and Azure Blob Storage via Snowflake's own storage integration mechanism. This page is your orientation — what the pattern looks like, what changes per cloud, and exactly which official docs to read for the details that matter.

The pattern (same across all three clouds)

For each external destination, you'll set up the same three things in roughly the same order:

  1. Bucket / container at the cloud provider. A place for the exported files to land. You own it; you control its lifecycle and access controls.
  2. Storage integration in Snowflake. A STORAGE INTEGRATION object that holds the trust relationship. The cloud provider trusts Snowflake — not SnowExporter — to write to your bucket on your behalf.
  3. Grant USAGE on the integration to the SnowExporter app. This is the only SnowExporter-specific step. The app uses the integration through standard Snowflake mechanisms; we never see your cloud credentials directly.

Why this is good for your security posture. SnowExporter never holds, stores, or sees your AWS / GCP / Azure credentials. The trust relationship lives between your cloud provider and Snowflake. SnowExporter only has USAGE on a named Snowflake integration object that you created. Revoke the grant any time to cut the app off; revoke the integration to cut Snowflake off entirely.

The in-app helper generates the exact SQL for you. In the app, Settings → 📤 Export destinations → + Add a destination → Show required setup SQL emits the full CREATE STORAGE INTEGRATION plus the GRANT USAGE statement filled in with your specific values. This page gives you the orientation; the in-app helper gives you the copy-pasteable SQL.

AWS S3

S3 bucket via IAM role trust policy.

For S3, the trust relationship is an IAM role in your AWS account that Snowflake's IAM principal is allowed to assume. The two sides have to learn each other's IDs — there's a deliberate back-and-forth.

Steps

  1. Create an S3 bucket in your AWS account where the exports will land.
  2. Create an IAM policy granting s3:PutObject, s3:GetObject, s3:GetObjectVersion, s3:DeleteObject, s3:DeleteObjectVersion, and s3:ListBucket on that bucket.
  3. Create an IAM role, attach the policy, and configure its trust relationship to allow another AWS account to assume it. You'll come back to fill in the exact account ID + external ID.
  4. Run CREATE STORAGE INTEGRATION in Snowflake (template below). Then run DESC INTEGRATION <name> to retrieve the STORAGE_AWS_IAM_USER_ARN and STORAGE_AWS_EXTERNAL_ID.
  5. Update the IAM role's trust policy with those two values. (This is the back-and-forth.)
  6. GRANT USAGE ON INTEGRATION <name> TO APPLICATION SNOWEXPORTER;
  7. In the SnowExporter app, add the destination, paste the integration name, save.

SQL template

USE ROLE ACCOUNTADMIN;

CREATE OR REPLACE STORAGE INTEGRATION my_s3_integration
  TYPE = EXTERNAL_STAGE
  STORAGE_PROVIDER = 'S3'
  ENABLED = TRUE
  STORAGE_AWS_ROLE_ARN = 'arn:aws:iam::<your_account>:role/<your_role>'
  STORAGE_ALLOWED_LOCATIONS = ('s3://<your_bucket>/<optional_prefix>/');

DESC INTEGRATION my_s3_integration;
-- Copy STORAGE_AWS_IAM_USER_ARN and STORAGE_AWS_EXTERNAL_ID
-- into your IAM role's trust policy at AWS.

GRANT USAGE ON INTEGRATION my_s3_integration TO APPLICATION SNOWEXPORTER;
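
The two AWS-side documents from steps 2 to 5, generated from the allowed location and the two DESC INTEGRATION values. This is an added example, not SnowExporter's or Snowflake's own code; the function names are hypothetical and the bucket, ARN and external ID are constructed sample values.

```python
import json
from urllib.parse import urlparse

# Object-level actions from step 2; s3:ListBucket applies to the bucket itself.
OBJECT_ACTIONS = ["s3:PutObject", "s3:GetObject", "s3:GetObjectVersion",
                  "s3:DeleteObject", "s3:DeleteObjectVersion"]

def split_location(location):
    """Split an s3://bucket/prefix/ URL into (bucket, prefix without slashes)."""
    parsed = urlparse(location)
    if parsed.scheme != "s3" or not parsed.netloc:
        raise ValueError(f"not an s3:// location: {location!r}")
    return parsed.netloc, parsed.path.strip("/")

def permissions_policy(location):
    """Step 2: allow the six actions on the allowed location and nothing wider."""
    bucket, prefix = split_location(location)
    objects = f"arn:aws:s3:::{bucket}/{prefix + '/' if prefix else ''}*"
    list_stmt = {"Effect": "Allow", "Action": "s3:ListBucket",
                 "Resource": f"arn:aws:s3:::{bucket}"}
    if prefix:
        # Restrict listing to keys under the export prefix.
        list_stmt["Condition"] = {"StringLike": {"s3:prefix": [f"{prefix}/*"]}}
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": OBJECT_ACTIONS, "Resource": objects},
        list_stmt]}

def trust_policy(iam_user_arn, external_id):
    """Step 5: only Snowflake's IAM user may assume the role, and only with this external ID."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": iam_user_arn},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}}}]}

if __name__ == "__main__":
    # Constructed values standing in for your bucket and the DESC INTEGRATION output.
    print(json.dumps(permissions_policy("s3://example-exports/snowexporter/"), indent=2))
    print(json.dumps(trust_policy("arn:aws:iam::111122223333:user/example-snowflake-user",
                                  "EXAMPLE_constructed-external-id"), indent=2))
```

Pass the same location you put in STORAGE_ALLOWED_LOCATIONS so the IAM policy and the integration cover the same prefix.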

Authoritative docs

Google Cloud Storage

GCS bucket via service-account binding.

For GCS, Snowflake creates the integration first and provides you a Google service account email that represents Snowflake to your bucket. You then grant that service account the appropriate IAM role on the bucket.

Steps

  1. Create a GCS bucket in your GCP project where the exports will land.
  2. Run CREATE STORAGE INTEGRATION in Snowflake (template below). Then run DESC INTEGRATION <name> to retrieve the STORAGE_GCP_SERVICE_ACCOUNT email.
  3. In GCP, grant that service account the Storage Object Admin role (or a narrower custom role with object create / read / delete) on your bucket.
  4. GRANT USAGE ON INTEGRATION <name> TO APPLICATION SNOWEXPORTER;
  5. In the SnowExporter app, add the destination, paste the integration name, save.

SQL template

USE ROLE ACCOUNTADMIN;

CREATE OR REPLACE STORAGE INTEGRATION my_gcs_integration
  TYPE = EXTERNAL_STAGE
  STORAGE_PROVIDER = 'GCS'
  ENABLED = TRUE
  STORAGE_ALLOWED_LOCATIONS = ('gcs://<your_bucket>/<optional_prefix>/');

DESC INTEGRATION my_gcs_integration;
-- Copy STORAGE_GCP_SERVICE_ACCOUNT into your bucket's IAM
-- and grant it Storage Object Admin (or equivalent).

GRANT USAGE ON INTEGRATION my_gcs_integration TO APPLICATION SNOWEXPORTER;

Authoritative docs

Azure Blob Storage

Blob container via Azure AD consent.

For Azure, Snowflake uses an Azure AD service principal that needs to be consented in your tenant, then granted the Storage Blob Data Contributor role on the container.

Steps

  1. Create a storage account and a blob container where the exports will land.
  2. Run CREATE STORAGE INTEGRATION in Snowflake (template below), supplying your AZURE_TENANT_ID. Then run DESC INTEGRATION <name> to get the AZURE_CONSENT_URL.
  3. Visit the consent URL while signed into Azure as a tenant admin to register the Snowflake service principal in your tenant.
  4. In Azure, grant that service principal the Storage Blob Data Contributor role on your storage account (or just the container).
  5. GRANT USAGE ON INTEGRATION <name> TO APPLICATION SNOWEXPORTER;
  6. In the SnowExporter app, add the destination, paste the integration name, save.

SQL template

USE ROLE ACCOUNTADMIN;

CREATE OR REPLACE STORAGE INTEGRATION my_azure_integration
  TYPE = EXTERNAL_STAGE
  STORAGE_PROVIDER = 'AZURE'
  ENABLED = TRUE
  AZURE_TENANT_ID = '<your_azure_tenant_id>'
  STORAGE_ALLOWED_LOCATIONS = ('azure://<account>.blob.core.windows.net/<container>/<optional_prefix>/');

DESC INTEGRATION my_azure_integration;
-- Open AZURE_CONSENT_URL in a browser as an Azure AD admin.
-- Then in Azure, grant the registered service principal
-- "Storage Blob Data Contributor" on the container.

GRANT USAGE ON INTEGRATION my_azure_integration TO APPLICATION SNOWEXPORTER;

Authoritative docs

After setup — verify in the app

  1. In SnowExporter, go to Settings → 📤 Export destinations → + Add a destination and choose the cloud type.
  2. Paste the integration name (e.g. my_s3_integration) and the bucket / container path.
  3. Fill in the Description and Business Contact fields so your team knows what the destination is for and who owns it.
  4. Save, then run an ad-hoc export to that destination to verify everything is wired up. If the write fails, the audit log on the Logs page captures the actual error message from Snowflake.

Common failure mode: "role not allowed" / "access denied" on the first write. 95% of the time it's because USAGE wasn't granted on the integration to the SnowExporter application, or because the cloud-side trust / IAM binding is missing or pointing at the wrong principal. Re-run the DESC INTEGRATION and double-check both sides.
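
For the S3 case, the "double-check both sides" step can be done mechanically by comparing the role's trust policy JSON with the two values from DESC INTEGRATION. This is an added example, not part of SnowExporter or Snowflake; the function name and all sample values are constructed, and it inspects only StringEquals conditions.

```python
def _as_list(value):
    """IAM accepts a single value or a list in these fields; normalise to a list."""
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, iam_user_arn, external_id):
    """Return findings for a trust policy; an empty list means both sides agree."""
    findings, matched = [], False
    for stmt in _as_list(policy.get("Statement", [])):
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict):
            principal = principal.get("AWS", [])
        principals = _as_list(principal)
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        external_ids = _as_list(condition.get("sts:ExternalId", []))
        if "*" in principals:
            findings.append("wildcard principal in trust policy")
        if iam_user_arn not in principals:
            continue
        matched = True
        if not external_ids:
            findings.append("no sts:ExternalId condition on the Snowflake principal")
        elif external_id not in external_ids:
            findings.append("sts:ExternalId differs from STORAGE_AWS_EXTERNAL_ID")
    if not matched:
        findings.append("STORAGE_AWS_IAM_USER_ARN is not an allowed principal")
    return findings

# Constructed sample values standing in for DESC INTEGRATION output.
SNOWFLAKE_ARN = "arn:aws:iam::111122223333:user/example-snowflake-user"
EXTERNAL_ID = "EXAMPLE_constructed-external-id"

# Constructed policy as left by step 3: placeholder principal, no external ID.
PLACEHOLDER_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::444455556666:root"}}]}

# Constructed policy with the right principal but another integration's external ID.
WRONG_ID_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": SNOWFLAKE_ARN},
    "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE_other-external-id"}}}]}

if __name__ == "__main__":
    for name, policy in [("placeholder", PLACEHOLDER_POLICY), ("wrong id", WRONG_ID_POLICY)]:
        print(name, audit_trust_policy(policy, SNOWFLAKE_ARN, EXTERNAL_ID))
```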

Stuck on a step?

Browse the support FAQs for common setup gotchas. If you still need help, the in-app Help button opens a support form with your Snowflake account identifier pre-filled.
