Setting Up PrivateLink Between AWS and Snowflake


Recently, my organization decided to migrate to Snowflake. Since security is always a top priority, the first step we took was to create a PrivateLink connection between our AWS VPC and Snowflake.
Snowflake offers several built-in features that make it easy to integrate with AWS accounts, so setting up a PrivateLink is straightforward.
This page outlines the steps I followed to set up the PrivateLink.
Step 1: Create an AWS IAM User
To create a PrivateLink connection with Snowflake, you need an IAM user in the AWS account where the PrivateLink will be set up. Snowflake verifies that you control the account with a federation token, and sts:GetFederationToken can only be called with the long-term access keys of an IAM user; it rejects the temporary credentials of an IAM role or an existing STS session, so a dedicated IAM user is necessary.
If you already have an IAM user with the required permission, you can use that. Otherwise, create a new IAM user and attach at least the following policy. Keep the user's permissions to this one action: its long-term access keys are a standing credential in the account, and the only job they have is to mint the token.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:GetFederationToken",
            "Resource": "*"
        }
    ]
}
Step 2: Generate a Federation Token
Once the IAM user exists, create an access key for it and configure it as a profile on your local machine with the AWS CLI.
Then generate a federation token by running the following command:
# --name labels the federated session (2 to 32 characters) and appears in the
# returned FederatedUserId; it does not have to match the IAM user name.
# 900 seconds is the shortest lifetime GetFederationToken accepts; the default
# is 12 hours, far longer than the single Snowflake call in Step 3 needs.
aws sts get-federation-token --name svc-snowflake-federated --duration-seconds 900
Do not pass --policy or --policy-arns: Snowflake only needs the token as proof that you control the account, and a federation token issued without a session policy has no effective permissions of its own. The command returns temporary credentials that Snowflake will use to authorize the PrivateLink. The output will look like this:
{
    "Credentials": {
        "AccessKeyId": "ASIAVSTBMXXXXXXXXXX",
        "SecretAccessKey": "RMDMBXXXXXXXXXXXXXXXXXXXXXXXXXX",
        "SessionToken": "IQoJb3JpZ2luX2VjEOjXXXXXXXXXXXXXXXXXXXXXXXsXXXXXXXXXXXXXXXXXXXXXXXXXXw+tYTps1Q/JFXXXXXXXXXXXXXXXXXXXXXXXXXXEDfty8v+LJRMbghcR0ouPTg==",
        "Expiration": "2025-04-18T19:18:23+00:00"
    },
    "FederatedUser": {
        "FederatedUserId": "3XXXXXXXXX0:svc-snowflake-federated",
        "Arn": "arn:aws:sts::3XXXXXXXXX0:federated-user/svc-snowflake-federated"
    },
    "PackedPolicySize": 0
}
These credentials will be used in the next steps to establish the PrivateLink between AWS and Snowflake.
Step 3: Enable PrivateLink in Snowflake
Log in to your Snowflake account. The user performing this step must have the ACCOUNTADMIN role to authorize and retrieve PrivateLink configuration details.
1. Open a Worksheet
Navigate to Projects > Worksheets in the Snowflake UI, and execute the following queries:
-- Switch to the ACCOUNTADMIN role
USE ROLE ACCOUNTADMIN;

-- Authorize PrivateLink using your AWS account ID and the full federation
-- token JSON from Step 2, passed as a single string literal
SELECT SYSTEM$AUTHORIZE_PRIVATELINK (
    '3XXXXXXXXX0', -- Replace with your 12-digit AWS account ID
    '{
        "Credentials": {
            "AccessKeyId": "ASIAVSTBMXXXXXXXXXX",
            "SecretAccessKey": "RMDMBXXXXXXXXXXXXXXXXXXXXXXXXXX",
            "SessionToken": "IQoJb3JpZ2luX2VjEOjXXXXXXXXXXXXXXXXXXXXXXXsXXXXXXXXXXXXXXXXXXXXXXXXXXw+tYTps1Q/JFXXXXXXXXXXXXXXXXXXXXXXXXXXEDfty8v+LJRMbghcR0ouPTg==",
            "Expiration": "2025-04-18T19:18:23+00:00"
        },
        "FederatedUser": {
            "FederatedUserId": "3XXXXXXXXX0:svc-snowflake-federated",
            "Arn": "arn:aws:sts::3XXXXXXXXX0:federated-user/svc-snowflake-federated"
        },
        "PackedPolicySize": 0
    }'
);
If successful, you will see the message: "Account is authorized for PrivateLink." Treat the worksheet contents as sensitive: the statement contains the SecretAccessKey and SessionToken in clear text, which is one more reason to mint the token with the shortest lifetime and no session policy, and to close the worksheet once the call has succeeded.
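The three steps above move a secret by hand from a terminal into a worksheet. The following Python script, an added example that is not part of the original post, mints the token through the AWS CLI and emits the ready-to-run SYSTEM$AUTHORIZE_PRIVATELINK statement, refusing a token that was minted in a different account or is about to expire. The CLI profile name and the sample token values are assumptions; the sample token is constructed in the shape of the Step 2 output.

```python
"""Mint a short-lived federation token and build the SYSTEM$AUTHORIZE_PRIVATELINK
statement from it instead of copying secrets between windows by hand.

Added example, not from the original post. The AWS CLI profile passed on the
command line (e.g. 'snowflake-privatelink', hypothetical) must hold the access
key of the IAM user created in Step 1.
"""
import json
import re
import subprocess
from datetime import datetime, timezone

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def get_federation_token(profile, name="svc-snowflake-federated", duration=900):
    """Call the AWS CLI for a federation token. No --policy is passed, so the
    returned credentials have no effective permissions of their own; Snowflake
    only needs them as proof that we control the account. 900 s is the minimum
    lifetime GetFederationToken accepts."""
    out = subprocess.run(
        ["aws", "sts", "get-federation-token", "--name", name,
         "--duration-seconds", str(duration), "--profile", profile,
         "--output", "json"],
        check=True, capture_output=True, text=True,
    ).stdout
    return json.loads(out)


def account_of(token):
    """Account ID embedded in the token's FederatedUserId ('<account>:<name>')."""
    return token["FederatedUser"]["FederatedUserId"].split(":", 1)[0]


def seconds_left(token, now=None):
    """Seconds until the token expires (negative once it has expired)."""
    now = now or datetime.now(timezone.utc)
    exp = datetime.fromisoformat(token["Credentials"]["Expiration"])
    return (exp - now).total_seconds()


def build_authorize_sql(account_id, token, min_seconds_left=120, now=None):
    """Return the Step 3 statement, refusing tokens that belong to a different
    account (a pasted-from-the-wrong-terminal mistake) or expire too soon to
    survive the copy into the worksheet."""
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError(f"not a 12-digit AWS account ID: {account_id!r}")
    if account_of(token) != account_id:
        raise ValueError(f"token was minted in account {account_of(token)}, not {account_id}")
    if seconds_left(token, now) < min_seconds_left:
        raise ValueError("token expires too soon; mint a fresh one")
    # Snowflake takes the token as a string literal; single quotes are doubled.
    literal = json.dumps(token).replace("'", "''")
    return (
        "USE ROLE ACCOUNTADMIN;\n"
        f"SELECT SYSTEM$AUTHORIZE_PRIVATELINK('{account_id}', '{literal}');\n"
    )


# Constructed sample shaped like the CLI output in Step 2 (all values fake).
SAMPLE_TOKEN = {
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEEXAMPLE",
        "SecretAccessKey": "EXAMPLESECRET",
        "SessionToken": "EXAMPLESESSIONTOKEN",
        "Expiration": "2025-04-18T19:18:23+00:00",
    },
    "FederatedUser": {
        "FederatedUserId": "123456789012:svc-snowflake-federated",
        "Arn": "arn:aws:sts::123456789012:federated-user/svc-snowflake-federated",
    },
    "PackedPolicySize": 0,
}
# Fixed clock for the offline demo: 18 min 23 s before the sample expiry.
DEMO_NOW = datetime(2025, 4, 18, 19, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # python authorize.py <account_id> <aws_profile>
        print(build_authorize_sql(sys.argv[1], get_federation_token(sys.argv[2])))
    else:                   # offline demo with the constructed token
        print(build_authorize_sql("123456789012", SAMPLE_TOKEN, now=DEMO_NOW))
```

Run it with your account ID and CLI profile and paste the printed statement into the worksheet; with no arguments it prints the statement for the constructed sample so the escaping can be inspected offline.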
2. Retrieve PrivateLink Configuration
Run the following to retrieve your Snowflake PrivateLink configuration details:
SELECT SYSTEM$GET_PRIVATELINK_CONFIG();
This will return output similar to:
{
    "privatelink-account-principal": "arn:aws:iam::0XXXXXXXXX0:root",
    "regionless-snowsight-privatelink-url": "app-xxxxxxxxxx-youraccount.privatelink.snowflakecomputing.com",
    "privatelink-account-name": "fxxxxxx.us-east-1.privatelink",
    "privatelink-vpce-id": "com.amazonaws.vpce.us-east-1.vpce-svc-0dxxxxxxxxxxxxxxx",
    "snowsight-privatelink-url": "app.us-east-1.privatelink.snowflakecomputing.com",
    "regionless-privatelink-ocsp-url": "ocsp.xxxxxxxxxx-youraccount.privatelink.snowflakecomputing.com",
    "privatelink-account-url": "fxxxxxx.us-east-1.privatelink.snowflakecomputing.com",
    "spcs-registry-privatelink-url": "xxxxxxxxxx-youraccount.registry.privatelink.snowflakecomputing.com",
    "app-service-privatelink-url": "*.yourregion.privatelink.snowflake.app",
    "regionless-privatelink-account-url": "xxxxxxxxxx-youraccount.privatelink.snowflakecomputing.com",
    "spcs-auth-privatelink-url": "sfc-endpoint-login.yourregion.privatelink.snowflakecomputing.com",
    "privatelink_ocsp-url": "ocsp.fxxxxxx.us-east-1.privatelink.snowflakecomputing.com"
}
These values are essential for configuring the AWS side of the PrivateLink connection in the next steps.
Step 4: Create an Interface VPC Endpoint
Create an interface VPC endpoint in your AWS account that connects to the Snowflake PrivateLink service:
1. In the VPC console, open Endpoints > Create endpoint and select "PrivateLink Ready partner services" as the type.
2. In Service name, enter the privatelink-vpce-id value from the Snowflake output (e.g., com.amazonaws.vpce.us-east-1.vpce-svc-0dxxxxxxxxxxxxxxx). The connection is accepted only for accounts that Step 3 authorized.
3. Leave the Private DNS name option disabled; the DNS records are created by hand in Step 5.
4. Select your VPC and choose at least two subnets (one per Availability Zone) for high availability.
5. Create and attach a security group with:
Inbound: TCP 443 (Snowflake) and TCP 80 (OCSP) from your VPC CIDR or, more tightly, from the security groups of the clients that will use Snowflake.
Outbound: TCP 80 and 443 to 0.0.0.0/0.
6. Create the endpoint and copy its DNS name (the regional one, without an Availability Zone in it). You'll need it in the next step to configure the Route 53 records.
Step 5: Configure DNS Resolution for Snowflake PrivateLink
Private DNS is disabled on the endpoint, so nothing in your VPC resolves the Snowflake PrivateLink hostnames to the endpoint yet. Configure DNS as follows:
1. Create a Private Hosted Zone in Route 53 with the domain name privatelink.snowflakecomputing.com.
2. Associate the Private Hosted Zone with your VPC.
3. Create the following CNAME records in the hosted zone. The record name is the hostname that SYSTEM$GET_PRIVATELINK_CONFIG() returns for the key (not the key itself), and every record points at the VPC endpoint DNS name copied in Step 4:
regionless-snowsight
Record Name: the regionless-snowsight-privatelink-url value (e.g., app-xxxxxxxxxx-youraccount.privatelink.snowflakecomputing.com)
Type: CNAME
Value: VPC endpoint DNS name
privatelink-account
Record Name: the privatelink-account-url value (e.g., fxxxxxx.us-east-1.privatelink.snowflakecomputing.com)
Type: CNAME
Value: VPC endpoint DNS name
privatelink-ocsp
Record Name: the privatelink_ocsp-url value (e.g., ocsp.fxxxxxx.us-east-1.privatelink.snowflakecomputing.com)
Type: CNAME
Value: VPC endpoint DNS name
Step 6: Access Snowflake Using the Private URL
Connect to a machine within your VPC and first confirm that DNS takes the private path: nslookup (or dig) on the privatelink-account-url hostname should return the private IP addresses of the endpoint's network interfaces, one per subnet selected in Step 4, rather than a public address. Then log in to Snowflake using the URL from the regionless-snowsight-privatelink-url value returned by the SYSTEM$GET_PRIVATELINK_CONFIG() query. Clients such as SnowSQL and the JDBC/ODBC drivers use the privatelink-account-url hostname as their account URL.
URL eg: https://app-xxxxxxxxxx-youraccount.privatelink.snowflakecomputing.com
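Steps 4 to 6 are driven entirely by the JSON that Step 3 returned, so they can be scripted from it. The following Python script is an added example, not code from the original post: it builds the AWS CLI command for the interface endpoint, the Route 53 change batch for the CNAME records, and a check that each hostname resolves to an address inside the VPC CIDR, which is what a private path looks like from a client. It goes slightly beyond the post by accepting any list of config keys, not only the three records above, while rejecting keys whose values are not hosts under the privatelink.snowflakecomputing.com zone. The VPC, subnet, security-group and CIDR values and the sample config are constructed placeholders.

```python
"""Steps 4 to 6 driven from the SYSTEM$GET_PRIVATELINK_CONFIG() output: the AWS
CLI command for the interface endpoint, the Route 53 change batch for the
PrivateLink CNAMEs, and a check that the names resolve to private addresses.
Added example, not from the original post; VPC, subnet, security-group, zone
and CIDR values are hypothetical inputs supplied by the caller."""
import ipaddress
import json
import socket

ZONE = "privatelink.snowflakecomputing.com"
# The three records the post creates. Any other *-url key whose value is a
# plain host under ZONE can be passed instead; app-service-privatelink-url is
# a wildcard under a different zone and is deliberately rejected.
DEFAULT_KEYS = (
    "regionless-snowsight-privatelink-url",
    "privatelink-account-url",
    "privatelink_ocsp-url",
)


def create_endpoint_cmd(config, vpc_id, subnet_ids, sg_id):
    """argv for Step 4 as a CLI call: an interface endpoint to Snowflake's
    service, spread across the given subnets, with private DNS disabled."""
    return ["aws", "ec2", "create-vpc-endpoint",
            "--vpc-endpoint-type", "Interface",
            "--vpc-id", vpc_id,
            "--service-name", config["privatelink-vpce-id"],
            "--subnet-ids", *subnet_ids,
            "--security-group-ids", sg_id,
            "--no-private-dns-enabled"]


def record_names(config, keys=DEFAULT_KEYS):
    """Hostnames to create as CNAMEs: the record name is the key's value, and
    anything that is not a plain host under the hosted zone is rejected."""
    names = []
    for key in keys:
        host = config[key]
        if host.startswith("*") or not host.endswith("." + ZONE):
            raise ValueError(f"{key}={host!r} is not a host under {ZONE}")
        names.append(host)
    return names


def build_change_batch(config, endpoint_dns, keys=DEFAULT_KEYS, ttl=300):
    """ChangeBatch for `aws route53 change-resource-record-sets`: one CNAME per
    PrivateLink hostname, every one pointing at the VPC endpoint DNS name."""
    changes = [{"Action": "UPSERT",
                "ResourceRecordSet": {"Name": name, "Type": "CNAME", "TTL": ttl,
                                      "ResourceRecords": [{"Value": endpoint_dns}]}}
               for name in record_names(config, keys)]
    return {"Comment": "Snowflake PrivateLink", "Changes": changes}


def resolve(host):
    """Default resolver: the IPv4 addresses the OS resolver returns for host."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, 443, socket.AF_INET)})


def check_private_resolution(hosts, vpc_cidr, resolver=resolve):
    """Step 6 precheck: True for a host only if every address it resolves to
    lies inside vpc_cidr, i.e. traffic reaches the endpoint ENIs and not the
    public Snowflake edge. Unresolvable names count as False."""
    net = ipaddress.ip_network(vpc_cidr)
    result = {}
    for host in hosts:
        try:
            addrs = resolver(host)
        except OSError:  # socket.gaierror: no record in the private zone
            result[host] = False
            continue
        result[host] = bool(addrs) and all(ipaddress.ip_address(a) in net for a in addrs)
    return result


# Constructed sample shaped like the Step 3 output (all values are fake).
SAMPLE_CONFIG = {
    "privatelink-vpce-id": "com.amazonaws.vpce.us-east-1.vpce-svc-0123456789abcdef0",
    "regionless-snowsight-privatelink-url": "app-abcd1234-youraccount.privatelink.snowflakecomputing.com",
    "privatelink-account-url": "ab12345.us-east-1.privatelink.snowflakecomputing.com",
    "privatelink_ocsp-url": "ocsp.ab12345.us-east-1.privatelink.snowflakecomputing.com",
    "app-service-privatelink-url": "*.us-east-1.privatelink.snowflake.app",
}
SAMPLE_ENDPOINT_DNS = "vpce-0123456789abcdef0-abcdefgh.vpce-svc-0123456789abcdef0.us-east-1.vpce.amazonaws.com"

if __name__ == "__main__":
    print(" ".join(create_endpoint_cmd(SAMPLE_CONFIG, "vpc-0aaa", ["subnet-0bbb", "subnet-0ccc"], "sg-0ddd")))
    # Save as batch.json, then: aws route53 change-resource-record-sets
    #   --hosted-zone-id <hosted zone id> --change-batch file://batch.json
    print(json.dumps(build_change_batch(SAMPLE_CONFIG, SAMPLE_ENDPOINT_DNS), indent=2))
    # Run from a host inside the VPC once the records exist; every value should
    # be True. Outside the VPC the sample names do not resolve at all.
    print(check_private_resolution(record_names(SAMPLE_CONFIG), "10.0.0.0/16"))
```

The resolver is injectable so the check can be exercised against canned answers; in production leave the default and run the script on an instance in one of the endpoint's subnets, where a False for any hostname means that name is still bypassing the PrivateLink.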
Thanks for reading,
-Alon
Written by Alon Shrestha
Hi, I’m Alon, the author of this page! With a background in Computer Science, I’m deeply passionate about exploring and building in the world of ☁️ cloud technology. Outside of tech, I enjoy doing music 🎸, traveling 🥾, and sometimes fitness 🏋️♂️. Recently, I discovered a love for writing, which inspired me to create this website as a space to share my interests, journey, projects, and insights along the way. Hope you enjoy your time here, and thanks so much for being here!