CREATE API INTEGRATION¶
在账户中创建新的 API 集成对象,或替换现有的 API 集成。
API 集成对象存储有关通过 HTTPS API 到达的服务的信息,包括关于以下部分内容的信息:
- 云平台提供商(如 Amazon AWS)。
- Git 存储库 API。
- An external Model Context Protocol (MCP) server, used by MCP Connectors to expose third-party tools to a Cortex Agent.
- 服务类型(例如当云平台提供商提供多种类型的代理服务时)。
- The identifier and access credentials for the external service that has sufficient privileges to use the service. For example, on AWS, the role’s ARN (Amazon resource name) serves as the identifier and access credentials.
当此用户被授予适当的权限时,Snowflake 可以使用此用户访问资源。例如,这可能是云平台原生 HTTPS 代理服务的实例,例如 Amazon API Gateway 的实例。
- API 集成对象还指定了这些服务上允许(和可选阻止)的端点和资源。
语法
每个外部 API 的语法都不同。
对于 Amazon API Gateway¶
Note that aws_api_gateway or aws_private_api_gateway or aws_gov_api_gateway or aws_gov_private_api_gateway should
not be in quotation marks.
对于 Azure API Management¶
Note that azure_api_management should not be in quotation marks.
对于 Google Cloud API Gateway¶
Note that google_api_gateway should not be in quotation marks.
对于 Git 存储库¶
与 Git 存储库集成时,您可以使用个人访问令牌或 OAuth。
Note that git_https_api should not be in quotation marks.
For external MCP server¶
When integrating with an external Model Context Protocol (MCP) server, use either standard OAuth 2.0 or OAuth Dynamic Client Registration (DCR). For end-to-end setup, see MCP Connectors.
Note that external_mcp should not be in quotation marks.
必填参数
对于 Amazon API Gateway¶
integration_nameSpecifies the name of the API integration. This name follows the rules for Object identifiers. The name must be unique among API integrations in your account.
API_PROVIDER = { aws_api_gateway | aws_private_api_gateway | aws_gov_api_gateway | aws_gov_private_api_gateway }指定 HTTPS 代理服务类型。有效值为:
aws_api_gateway: for Amazon API Gateway using regional endpoints.aws_private_api_gateway: for Amazon API Gateway using private endpoints.aws_gov_api_gateway: for Amazon API Gateway using U.S. government GovCloud endpoints.aws_gov_private_api_gateway: for Amazon API Gateway using U.S. government GovCloud endpoints that are also private endpoints.
API_AWS_ROLE_ARN = iam_role对于 Amazon AWS,这是云平台角色的 ARN (Amazon Resource Name)。
API_ALLOWED_PREFIXES = (...)对使用集成引用一个或多个 HTTPS 代理服务端点(例如 Amazon API Gateway)和这些代理中的资源的外部函数进行显式限制。支持逗号分隔的 URLs 列表,它们会被视为前缀(有关详细信息,请参阅下文)。
Each URL in
API_ALLOWED_PREFIXES = (...)is treated as a prefix. For example, if you specify:https://xyz.amazonaws.com/production/这意味着
https://xyz.amazonaws.com/production/下的所有资源都是允许的。例如,允许使用以下 URL:
https://xyz.amazonaws.com/production/ml1为了最大限度地提高安全性,应尽可能对允许的位置进行严格限制。
ENABLED = { TRUE | FALSE }指定是启用还是禁用此 API 集成。如果禁用 API 集成,则依赖它的任何外部功能都将无法正常工作。
该值不区分大小写。
The default is
TRUE.
对于 Azure API Management 服务¶
integration_nameSpecifies the name of the API integration. This name follows the rules for Object identifiers. The name should be unique among API integrations in your account.
API_PROVIDER = azure_api_managementSpecifies that this integration is used with Azure API Management services. Do not use quotation marks around
azure_api_management.AZURE_TENANT_ID = tenant_id指定所有 Azure ID Management 实例所属的 Office 365 租户的 API。一个 API 集成只能对一个租户进行身份验证,因此允许和阻止的位置必须引用同属于此租户的 API Management 实例。
To find your tenant ID, sign in to the Azure portal and select Azure Active Directory » Properties. The tenant ID is displayed in the Tenant ID field.
AZURE_AD_APPLICATION_ID = azure_application_idThe “Application (client) id” of the Azure AD (Active Directory) app for your remote service. If you followed the instructions in Creating external functions on Microsoft Azure, then this is the
Azure Function App AD Application IDthat you recorded in the worksheet in those instructions.API_ALLOWED_PREFIXES = (...)对使用集成引用一个或多个 HTTPS 代理服务端点(例如 Azure API Management 服务)和这些代理中的资源的外部函数进行显式限制。支持逗号分隔的 URLs 列表,它们会被视为前缀(有关详细信息,请参阅下文)。
Each URL in
API_ALLOWED_PREFIXES = (...)is treated as a prefix. For example, if you specify:https://my-external-function-demo.azure-api.net/my-function-app-name这意味着
https://my-external-function-demo.azure-api.net/my-function-app-name下的所有资源都是允许的。例如,允许使用以下 URL:
https://my-external-function-demo.azure-api.net/my-function-app-name/my-http-trigger-function为了最大限度地提高安全性,应尽可能对允许的位置进行严格限制。
ENABLED = { TRUE | FALSE }指定是启用还是禁用此 API 集成。如果禁用 API 集成,则依赖它的任何外部功能都将无法正常工作。
该值不区分大小写。
The default is
TRUE.
对于 Google Cloud API Gateway¶
integration_nameSpecifies the name of the API integration. This name follows the rules for Object identifiers. The name should be unique among API integrations in your account.
API_PROVIDER = google_api_gatewaySpecifies that this integration is used with Google Cloud. The only valid value for this purpose is
google_api_gateway. The value must not be in quotation marks.GOOGLE_AUDIENCE = google_audienceThis is used as the audience claim when generating the JWT (JSON Web Token) to authenticate to the Google API Gateway. For more information about authenticating with Google, please see the Google service account authentication documentation. (https://cloud.google.com/api-gateway/docs/authenticate-service-account#configure_auth)
API_ALLOWED_PREFIXES = (...)对使用集成引用一个或多个 HTTPS 代理服务端点(例如 Google Cloud API Gateway)和这些代理中的资源的外部函数进行显式限制。支持逗号分隔的 URLs 列表,它们会被视为前缀(有关详细信息,请参阅下文)。
Each URL in
API_ALLOWED_PREFIXES = (...)is treated as a prefix. For example, if you specify:https://my-external-function-demo.uc.gateway.dev/x这意味着
https://my-external-function-demo.uc.gateway.dev/x下的所有资源都是允许的。例如,允许使用以下 URL:
https://my-external-function-demo.uc.gateway.dev/x/y为了最大限度地提高安全性,应尽可能对允许的位置进行严格限制。
ENABLED = { TRUE | FALSE }指定是启用还是禁用此 API 集成。如果禁用 API 集成,则依赖它的任何外部功能都将无法正常工作。
该值不区分大小写。
The default is
TRUE.
对于 Git 存储库¶
For an example, see Setting up Snowflake to use Git.
integration_nameSpecifies the name of the API integration. This name follows the rules for Object identifiers. The name must be unique among API integrations in your account.
API_PROVIDER = git_https_apiSpecifies that this integration is used with CREATE GIT REPOSITORY to create an integration with a remote Git repository. The only valid value for this purpose is
git_https_api. The value must not be in quotation marks.API_ALLOWED_PREFIXES = (...)对使用集成引用一个或多个 HTTPS 端点和这些端点下的资源的请求进行显式限制。支持逗号分隔的 URLs 列表,它们会被视为前缀。
在大多数情况下,Snowflake 支持任何 HTTPS Git 存储库 URL。例如,您可以在自己的域内为企业 Git 服务器指定自定义 URL。
https://example.com/my-repoEach URL in
API_ALLOWED_PREFIXES = (...)is treated as a prefix. For example, you can specify the following:https://example.com/my-account如果使用此前缀,则允许使用 URL 下的所有资源。例如,允许使用以下函数:
https://example.com/my-account/myproject为了最大限度地提高安全性,应尽可能对允许的位置进行严格限制。
ENABLED = { TRUE | FALSE }指定是启用还是禁用此 API 集成。如果禁用 API 集成,则 Git 存储库将无法访问。
该值不区分大小写。
The default is
TRUE.
For external MCP server¶
For end-to-end setup, see MCP Connectors.
integration_nameSpecifies the name of the API integration. This name follows the rules for Object identifiers. The name must be unique among API integrations in your account.
API_PROVIDER = external_mcpSpecifies that this integration connects to an external Model Context Protocol (MCP) server, used by MCP Connectors to expose third-party tools to a Cortex Agent. The only valid value for this purpose is
external_mcp. The value must not be in quotation marks.API_ALLOWED_PREFIXES = (...)Explicitly limits requests that use the integration to reference one or more HTTPS endpoints beneath the listed URL prefixes. Supports a comma-separated list of URLs, which are treated as prefixes. Set this to the base URL of the external MCP server, for example
'https://mcp.atlassian.com/v1/mcp'.To maximize security, restrict allowed locations as narrowly as practical.
API_USER_AUTHENTICATION = (...)Specifies the OAuth settings used to connect to the external MCP server. EXTERNAL_MCP only supports OAuth, so this parameter is required. For the full list of sub-parameters under
TYPE = OAUTH2andTYPE = OAUTH_DYNAMIC_CLIENT, see For external MCP server below.ENABLED = { TRUE | FALSE }Specifies whether this API integration is enabled or disabled. If the API integration is disabled, the external MCP server is not accessible to Cortex Agents.
该值不区分大小写。
The default is
TRUE.
可选参数
适用于所有集成
API_KEY = api_keyThe API key (also called a “subscription key”).
API_BLOCKED_PREFIXES = (...)列出了 HTTPS 代理服务中不允许从 Snowflake 调用的端点和资源。
位置的可能值遵循与上述 API_ALLOWED_PREFIXES 相同的规则。
API_BLOCKED_PREFIXES takes precedence over API_ALLOWED_PREFIXES. If a prefix matches both, then it is blocked. In other words, Snowflake allows all values that match API_ALLOWED_PREFIXES except values that also match API_BLOCKED_PREFIXES.
如果某个值在 API_ALLOWED_PREFIXES 范围之外,则无需对其显式阻止。
COMMENT = 'string_literal'集成的描述。
对于 Git 存储库¶
In addition to parameters for all integrations, use the following parameters when you’re using the integration
to connect to a remote Git repository by setting the integration’s API_PROVIDER parameter to git_https_api.
ALLOWED_AUTHENTICATION_SECRETS = ( secret_name [, secret_name ... ] | all | none )Specifies the secrets that UDF or procedure handler code can use when accessing the Git repository at the API_ALLOWED_PREFIXES value. You specify a secret from this list when specifying Git credentials with the GIT_CREDENTIALS parameter.
此参数的值必须为以下值之一:
- 一个或多个完全限定 Snowflake 密钥名称,以允许任何列出的密钥。
- (Default)
allto allow any secret. noneto allow no secrets.
The ALLOWED_API_AUTHENTICATION_INTEGRATIONS parameter can also specify allowed secrets. For more information, see Usage notes.
For reference information about secrets, refer to CREATE SECRET.
API_USER_AUTHENTICATION = ( TYPE = snowflake_github_app | TYPE = OAUTH2 oauth_parameters )为 OAuth 2.0 流程指定安全集成设置。
How you set this parameter differs depending on the repository provider. For more information, see Configure for authenticating with OAuth.
-
TYPE = snowflake_github_app: Authenticate with GitHub using the Snowflake GitHub App, as described in Configure for authenticating with OAuth. No other values are required for API_USER_AUTHENTICATION in this case. -
TYPE = OAUTH2: Authenticate using OAuth2 parameters, as described in Configure for authenticating with OAuth.When you specify this value, you must also specify the parameters, as required, under
oauth_parameters(next). -
oauth_parameters: Authenticate using the specified OAuth 2.0 parameters, including the following parameters:-
OAUTH_AUTHORIZATION_ENDPOINT = 'endpoint_url'
-
指定 URL 用于对仓库进行身份验证。
-
OAUTH_TOKEN_ENDPOINT = 'token_endpoint_url'
指定客户端用于获取访问令牌的令牌端点,方法是提供其授权授予或刷新令牌。客户端使用令牌端点进行每个授权授予,但隐式授权类型除外(因为访问令牌是直接颁发的)。
-
OAUTH_CLIENT_ID = 'client_id'
指定仓库提供商中 OAuth 应用程序的客户端 ID。此参数的值根据您所在的组织设定。
-
OAUTH_CLIENT_SECRET = 'client_secret'
指定仓库提供商中 OAuth 应用程序的客户端密钥。此参数的值根据您所在的组织设定。
-
OAUTH_ACCESS_TOKEN_VALIDITY = integer
指定由 OAuth 服务器颁发的 OAuth 访问令牌的默认生命周期(以秒为单位)。
如果访问令牌生命周期未作为 OAuth 令牌响应的一部分返回,则使用此属性中设置的值。当两个值都可用时,两者中较小的值用于刷新访问令牌。
-
OAUTH_REFRESH_TOKEN_VALIDITY = integer
指定用于确定从 OAuth 服务器获取的刷新令牌有效性的值(以秒为单位)。
-
OAUTH_ALLOWED_SCOPES = ( { 'read_api' | 'read_repository' | 'write_repository' } [ , ... ] )Specifies the scope to use when making a request from the provider. Specify the following values:'read_api': Read from the repository provider’s API.'read_repository': Read from the repository.'write_repository': Write to the repository.
-
OAUTH_USERNAME = 'string_literal'Optional. The Git repository username. Set this value based on the repository provider’s requirements. For example, for Bitbucket, set this
x-token-auth.
-
TLS_TRUSTED_CERTIFICATES = ( {secret_name} [, {secret_name} ... ] )Specifies secrets containing self-signed certificates to be used when authenticating with a Git repository server over private link. This parameter is needed only when the certificate is self-signed, rather than signed by a certificate authority.
This parameter’s value must be one or more fully qualified Snowflake secret names. The secrets must be of type generic string whose SECRET_STRING value is Base64-encoded certificate data.
USE_PRIVATELINK_ENDPOINT = { TRUE | FALSE }Specifies whether this API integration will be used only to configure access to a remote Git repository over an outbound private link connection through private connectivity.
This parameter must be set to
FALSE(the default) for public Git servers.The default is
FALSE.
For external MCP server¶
In addition to parameters for all integrations, use the following parameters when you’re connecting
to an external Model Context Protocol (MCP) server by setting the integration’s API_PROVIDER parameter
to external_mcp. For end-to-end setup, see
MCP Connectors.
API_USER_AUTHENTICATION = ( TYPE = OAUTH2 oauth_parameters | TYPE = OAUTH_DYNAMIC_CLIENT dcr_parameters )Specifies the OAuth settings used to connect to the external MCP server.
-
TYPE = OAUTH2: Authenticate using standard OAuth 2.0 with a client ID and client secret obtained from the MCP server provider. Specify the following sub-parameters:-
OAUTH_CLIENT_ID = 'client_id'Specifies the client ID issued by the MCP server provider.
-
OAUTH_CLIENT_SECRET = 'client_secret'Specifies the client secret issued by the MCP server provider.
-
OAUTH_TOKEN_ENDPOINT = 'token_endpoint_url'Specifies the endpoint used to exchange authorization codes for access tokens.
-
OAUTH_AUTHORIZATION_ENDPOINT = 'authorization_endpoint_url'Specifies the endpoint where users authorize the connection.
-
OAUTH_CLIENT_AUTH_METHOD = { CLIENT_SECRET_BASIC | CLIENT_SECRET_POST }Optional. Authentication method used by the client. Default:
CLIENT_SECRET_BASIC. -
OAUTH_DISCOVERY_URL = 'discovery_url'Optional. OpenID Connect discovery URL for automatic endpoint resolution.
-
OAUTH_REFRESH_TOKEN_VALIDITY = integerOptional. Validity, in seconds, of the OAuth refresh token issued by the external MCP service. When set, the value must be at least
3600(one hour). The default is0, which Snowflake treats as a refresh token that never expires. Snowflake recommends setting an explicit, finite value so users periodically re-authenticate to the external MCP service.
-
-
TYPE = OAUTH_DYNAMIC_CLIENT: Authenticate using OAuth Dynamic Client Registration (DCR). Snowflake registers itself with the MCP service automatically. Specify the following sub-parameter:-
OAUTH_RESOURCE_URL = 'resource_url'Specifies the resource URL of the external MCP service.
OAUTH_REFRESH_TOKEN_VALIDITYdoes not apply to Dynamic Client Registration. -
-
访问控制要求
A role used to execute this operation must have the following privileges at a minimum:
| 权限 | 对象 | 备注 |
|---|---|---|
| CREATE INTEGRATION | 账户 | Only the ACCOUNTADMIN role has this privilege by default. The privilege can be granted to additional roles as needed. |
For instructions on creating a custom role with a specified set of privileges, see Creating custom roles.
For general information about roles and privilege grants for performing SQL actions on securable objects, see Overview of Access Control.
使用说明
-
Only Snowflake roles with OWNERSHIP or USAGE privileges on the API integration can use the API integration directly (for example, by creating an external function that specifies that API integration).
-
An API integration object is tied to a specific cloud platform account and role within that account, but not to a specific HTTPS proxy URL. You can create more than one instance of an HTTPS proxy service in a cloud provider account, and you can use the same API integration to authenticate to multiple proxy services in that account.
-
您的 Snowflake 账户可以拥有多个 API 集成对象,例如,不同的云平台账户。
-
多个外部函数可以使用相同的 API 集成对象,从而使用相同的 HTTPS 代理服务。
-
关于元数据:
Attention
Customers should ensure that no personal data (other than for a User object), sensitive data, export-controlled data, or other regulated data is entered as metadata when using the Snowflake service. For more information, see Metadata fields in Snowflake.
- The OR REPLACE and IF NOT EXISTS clauses are mutually exclusive. They can’t both be used in the same statement.
-
CREATE OR REPLACE <object> statements are atomic. That is, when an object is replaced, the old object is deleted and the new object is created in a single transaction.
示例
Amazon API Gateway¶
以下示例显示创建 API 集合以及在随后的 CREATE EXTERNAL FUNCTION 语句中使用该 API 集成:
Git 存储库¶
For an example of an API integration used to integrate a Git repository, see Setting up Snowflake to use Git.
External MCP server¶
The following example creates an API integration for the Atlassian MCP server using OAuth Dynamic Client Registration, and then creates an external MCP server object that references it.
The following example uses standard OAuth 2.0 against a custom MCP server, and sets
OAUTH_REFRESH_TOKEN_VALIDITY to 24 hours so refresh tokens have a finite lifetime
(the default of 0 is treated as a refresh token that never expires):
For provider-specific setup steps and additional connectors (GitHub, Glean, Linear, Salesforce), see MCP Connectors.