Allow access to Google Cloud Storage
If your Google Cloud organization enforces a domain restriction constraint (https://cloud.google.com/resource-manager/docs/organization-policy/restricting-domains), a Google Cloud administrator must allow the Google Workspace customer ID in the domain restriction so that the Snowflake service account can access your storage.
Important
If your Google Cloud organization was created on or after May 3, 2024, Google Cloud enforces a domain restriction constraint (https://cloud.google.com/resource-manager/docs/organization-policy/restricting-domains) in project organization policies. The default constraint lists your domain as the only allowed value.
To allow the Snowflake service account access to your storage, you must update the domain restriction.
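Retrieve the Google Workspace customer ID
Before you update the organization policy, you must first retrieve the Google Workspace customer ID associated with the Snowflake service account.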
Call the SYSTEM$GET_SNOWFLAKE_PLATFORM_INFO function:
The function returns the project ID and Google Workspace customer ID (snowflake-customer-directory-id) for the Snowflake service account.
Example output:
Update the allow list for your domain constraint
To update the allow list for your domain constraint, you must update your organization policy. Specifically,
you must add the Google Workspace customer ID for the Snowflake service account to the allowed_values
list in the constraint.
For instructions, see Setting the organization policy (https://cloud.google.com/resource-manager/docs/organization-policy/restricting-domains#setting_the_organization_policy) in the Google Cloud documentation.
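The following added example (not Snowflake or Google Cloud code) shows the allow-list update as an append rather than a replacement: it extracts the customer ID from the function output and merges it into a copy of the current policy, keeping the existing entries and changing nothing on a second run. Assumptions: the sample function output and policy are constructed, the policy uses the Organization Policy v2 JSON layout (`spec.rules[].values.allowedValues`) for the `iam.allowedPolicyMemberDomains` constraint, and the function names are hypothetical.

```python
import json
import re

# Constructed sample of the SYSTEM$GET_SNOWFLAKE_PLATFORM_INFO output. Only the key
# name snowflake-customer-directory-id comes from the page; the rest is assumed.
PLATFORM_INFO = ('{"snowflake-project-id": "example-project", '
                 '"snowflake-customer-directory-id": "C0example1"}')

# Constructed current policy in the v2 JSON layout (assumed), with a placeholder org ID.
CURRENT_POLICY = {
    "name": "organizations/000000000000/policies/iam.allowedPolicyMemberDomains",
    "spec": {"rules": [{"values": {"allowedValues": ["C0ownorg99"]}}]},
}


def customer_id(platform_info_json):
    """Extract and sanity-check the Snowflake Google Workspace customer ID."""
    value = json.loads(platform_info_json)["snowflake-customer-directory-id"]
    if isinstance(value, list):  # tolerate a one-element list (assumed possible)
        (value,) = value
    # Assumption: a customer ID is 'C' plus alphanumerics, never a domain name.
    if not re.fullmatch(r"C[0-9A-Za-z]+", value):
        raise ValueError(f"unexpected customer ID format: {value!r}")
    return value


def bare(value):
    """Strip the optional 'is:' prefix so both value styles compare equal."""
    return value[3:] if value.startswith("is:") else value


def allow_customer(policy, cid):
    """Return a copy of policy whose allow list also contains cid."""
    updated = json.loads(json.dumps(policy))  # deep copy; the input is not modified
    lists = [rule["values"]["allowedValues"] for rule in updated["spec"]["rules"]
             if "allowedValues" in rule.get("values", {})]
    if len(lists) != 1:  # e.g. an allowAll rule: do not guess, stop for manual review
        raise ValueError("expected exactly one rule with an allowedValues list")
    allowed = lists[0]
    if cid not in {bare(v) for v in allowed}:
        # Follow the style of the existing entries (bare ID or 'is:' prefixed).
        prefixed = any(v.startswith("is:") for v in allowed)
        allowed.append(f"is:{cid}" if prefixed else cid)
    return updated


if __name__ == "__main__":
    merged = allow_customer(CURRENT_POLICY, customer_id(PLATFORM_INFO))
    print(json.dumps(merged, indent=2))
```

Review the printed policy before applying it through the procedure in the Google Cloud documentation linked above.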