Snowflake Data Clean Rooms: External and Iceberg tables

When external tables and Iceberg tables are linked in a clean room, there are external calls that might allow a collaborator to extract sensitive information from the clean room. Due to this, both the provider and consumer need to consent before the other party can use these objects in the clean room.

For limitations when including external tables and Iceberg tables in a clean room, see Limitations.

Web app clean rooms

To control the inclusion of external tables and Iceberg tables in clean rooms created and installed in the web app, provider and consumer administrators configure their clean room environment to explicitly allow these objects.

  • For clean rooms shared with a consumer by a provider, the consumer cannot include external tables and Iceberg tables unless the provider explicitly allows them for the provider’s clean room environment.

  • For consumers, clean room users cannot install a clean room that has external tables or Iceberg tables unless the clean room environment allows it. Even if the consumer’s clean room environment allows these objects, clean room users are warned when these types of tables have been linked so they can decide to not install the clean room.

To configure a clean room environment to allow external tables and Iceberg tables:

  1. Sign in to the web app.

  2. Do one of the following:

    • If you are using a managed account, select Admin » My Account.

    • If you are using a Snowflake account, select Admin » Snowflake Admin and login into Snowflake as a user with the ACCOUNTADMIN role.

  3. Toggle on External & Iceberg Tables.

Developer API clean rooms

Allowing external tables and Iceberg tables in a clean room created and installed using the developer APIs is a two-step process:

  • First, a user with the ACCOUNTADMIN role allows these types of tables for the entire clean room environment.

  • Then, clean room users allow these objects for specific clean rooms as they are created or installed.

Allow external tables and Iceberg tables in clean room environment

The account administrator for both the provider and the consumer must explicitly allow external tables and Iceberg tables in the clean room environment before individual users can allow them in a clean room.

To allow external tables and Iceberg tables in a clean room environment, the account administrator executes:

USE ROLE ACCOUNTADMIN;

CALL samooha_by_snowflake_local_db.library.enable_external_tables_on_account();
Copy

Allow external tables and Iceberg tables in a specific clean room

The provider who is creating a clean room and the consumer who is installing it must allow external tables and Iceberg tables in the clean room.

Provider:

Before they can link an external table or Iceberg table in a clean room, the provider must call the providers.enable_external_tables_for_cleanroom command. For example, if the provider wants to add an Iceberg table to the insights_cleanroom clean room, they must execute:

CALL samooha_by_snowflake_local_db.provider.enable_external_tables_for_cleanroom(
    'insights_cleanroom');
Copy
Consumer:

After a consumer installs a clean room, they can approve the provider’s inclusion of external tables or Iceberg tables by executing the consumers.enable_external_tables_for_cleanroom command. For example, if the consumer installed a clean room overlap_cleanroom that includes an Iceberg table, they must execute:

CALL samooha_by_snowflake_local_db.consumer.enable_external_tables_for_cleanroom(
    'overlap_cleanroom');
Copy

Register an external table or Iceberg table

As with other objects, external tables and Iceberg tables must be registered before they can be linked. Use the appropriate parameter of the library.register_table_or_view command to indicate the table type.

External table

The fourth parameter of the library.register_table_or_view command specifies whether an object is an external table. For example, to register an external table my_ext_table in the samooha_sample_database.demo schema, execute:

CALL samooha_by_snowflake_local_db.library.register_table_or_view(
    ['SAMOOHA_SAMPLE_DATABASE.DEMO.MY_EXT_TABLE'],
    false,
    false,
    true,
    false);
Copy
Iceberg table

The third parameter of the library.register_table_or_view command specifies whether an object is an Iceberg table. For example, to register the Iceberg table customers in the samooha_sample_database.demo schema, execute:

CALL samooha_by_snowflake_local_db.library.register_table_or_view(
    ['SAMOOHA_SAMPLE_DATABASE.DEMO.CUSTOMERS'],
    false,
    true,
    false,
    false);
Copy

Limitations

  • Because managed accounts always use external tables, providers must enable external tables and Iceberg tables when sharing a clean room with a managed account.

  • Collaborators in different regions cannot link external tables and Iceberg tables in clean rooms.

  • You cannot run an analysis with the SQL Query template if its configuration applies an aggregation policy or projection policy to the external table or Iceberg table.

Language: English