Create a notification integration to send notifications to an Amazon SNS topic

To send notifications to an Amazon SNS topic, you must create a notification integration for that topic. To do so, complete the following steps:

  1. Create an Amazon SNS topic.
  2. Create the IAM policy that grants permission to publish to this topic.
  3. Create the IAM role that you attach to this policy.
  4. Create a notification integration.
  5. Grant Snowflake access to the topic.

Note

Currently, this feature is limited to Snowflake accounts hosted on AWS.

Create an Amazon SNS topic

Create an SNS topic in your AWS account to handle notifications. Record the Amazon Resource Name (ARN) of the SNS topic.

Note

Only standard SNS topics are supported. Do not create an SNS FIFO (first-in, first-out) topic for error notifications. Currently, error notifications sent to a FIFO topic fail silently.

To reduce latency and avoid data egress charges for sending notifications across regions, we recommend creating the SNS topic in the same region as your Snowflake account.

For instructions, see Creating an Amazon SNS topic (https://docs.aws.amazon.com/sns/latest/dg/sns-create-topic.html) in the SNS documentation.

Create an IAM policy

Create an AWS Identity and Access Management (IAM) policy that grants permission to publish to the SNS topic. The policy specifies the following action:

  • sns:Publish: Publish to the SNS topic.

  1. Log in to the AWS Management Console.
  2. From the home dashboard, choose Identity & Access Management (IAM).
  3. Choose Account settings from the left-hand navigation pane.
  4. Expand the Security Token Service Regions list, find the AWS region corresponding to the region where your account is located, and choose Activate if the status is Inactive.
  5. Choose Policies from the left-hand navigation pane.
  6. Select Create Policy.
  7. Select the JSON tab.
  8. Add a policy document that specifies the actions that can be taken on the SNS topic.

Copy and paste the following text into the policy editor:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sns:Publish"
      ],
      "Resource": "<sns_topic_arn>"
    }
  ]
}

Replace sns_topic_arn with the ARN of the SNS topic that you created earlier.

  9. Select Review policy.
  10. Enter the policy name (e.g. snowflake_sns_topic) and an optional description, and select Create policy.
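The policy above is deliberately narrow: one action (sns:Publish) on one topic ARN. The following Python script is an added example, not code from the Snowflake documentation or from AWS; it builds that policy document from a topic ARN and refuses inputs the integration cannot use (a malformed ARN, a FIFO topic, which fails silently as noted above, or a wildcard), checks that the topic sits in the same region as the Snowflake account, and lints an existing policy for drift beyond sns:Publish. The ARN pattern assumes the "aws" partition; the sample ARN reuses the page's example account id and topic name and is constructed.

```python
import json
import re

# Shape of a standard SNS topic ARN: arn:aws:sns:<region>:<12-digit account id>:<topic name>.
# Assumption: the "aws" partition; change the partition segment for GovCloud or China regions.
SNS_TOPIC_ARN_RE = re.compile(
    r"^arn:aws:sns:(?P<region>[a-z]{2}(?:-gov)?-[a-z]+-\d):(?P<account>\d{12}):(?P<name>[A-Za-z0-9_.-]{1,256})$"
)


def parse_sns_topic_arn(topic_arn: str) -> dict:
    """Split a topic ARN into region, account and name, rejecting malformed input and FIFO topics.

    FIFO topic names end in ".fifo". Only standard topics are supported by the integration,
    and error notifications sent to a FIFO topic fail silently, so refuse them up front.
    """
    m = SNS_TOPIC_ARN_RE.match(topic_arn)
    if m is None:
        raise ValueError(f"not a well-formed SNS topic ARN: {topic_arn!r}")
    parts = m.groupdict()
    if parts["name"].endswith(".fifo"):
        raise ValueError(f"FIFO topics are not supported by the integration: {topic_arn!r}")
    return parts


def is_usable_topic_arn(topic_arn: str) -> bool:
    """Boolean form of parse_sns_topic_arn for callers that prefer not to catch exceptions."""
    try:
        parse_sns_topic_arn(topic_arn)
    except ValueError:
        return False
    return True


def topic_in_region(topic_arn: str, snowflake_region: str) -> bool:
    """True when the topic lives in the same region as the Snowflake account (no cross-region egress)."""
    return parse_sns_topic_arn(topic_arn)["region"] == snowflake_region


def build_publish_policy(topic_arn: str) -> dict:
    """Return the least-privilege IAM policy document from the page: sns:Publish on exactly one topic."""
    parse_sns_topic_arn(topic_arn)  # validate before the ARN is baked into the policy
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["sns:Publish"],
                "Resource": topic_arn,
            }
        ],
    }


def lint_publish_policy(doc: dict) -> list:
    """Flag drift away from the intended scope: wildcard resources or actions beyond sns:Publish."""
    findings = []
    for i, stmt in enumerate(doc.get("Statement", [])):
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        extra = sorted(a for a in actions if a != "sns:Publish")
        if extra:
            findings.append(f"statement {i}: actions beyond sns:Publish: {extra}")
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        for r in resources:
            if "*" in r or not is_usable_topic_arn(r):
                findings.append(f"statement {i}: resource is not a single standard topic ARN: {r!r}")
    return findings


if __name__ == "__main__":
    # Constructed sample ARN using the page's example account id and topic name.
    arn = "arn:aws:sns:us-east-2:111122223333:sns_topic"
    policy = build_publish_policy(arn)
    print(json.dumps(policy, indent=2))  # paste this into the policy editor
    print("same region as Snowflake account:", topic_in_region(arn, "us-east-2"))
    print("findings:", lint_publish_policy(policy))
```

The printed JSON can be pasted into the console's JSON tab as described above, or saved to a file and created with the AWS CLI equivalent of the console steps (aws iam create-policy --policy-name snowflake_sns_topic --policy-document file://policy.json). Running lint_publish_policy on a policy pulled back from IAM later is a cheap way to confirm nobody widened it to "sns:*" or "Resource": "*".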

Create an AWS IAM role

Create an AWS IAM role and assign it the permissions for the SNS topic.

  1. Log in to the AWS Management Console.

  2. From the home dashboard, choose Identity & Access Management (IAM).

  3. Choose Roles from the left-hand navigation pane.

  4. Select Create role.

  5. Select Another AWS account as the trusted entity type.

  6. In the Account ID field, enter your own AWS account ID temporarily.

  7. Select the Require external ID option. This option enables you to grant permissions on your Amazon account resources (i.e. SNS) to a third party (i.e. Snowflake).

    For now, enter a dummy ID such as 0000. Later, you will modify the trust relationship and replace the dummy ID with the external ID for the Snowflake IAM user generated for your account. A condition in the trust policy for your IAM role allows your Snowflake users to assume the role using the notification integration object you will create later.

  8. Select Next.

  9. Locate the policy that you created earlier, and select this policy.

  10. Select Next.

  11. Enter a name and description for the role, and select Create role.

  12. Record the Role ARN value located on the role summary page. You will specify this value in one or more later steps.

Create a notification integration

Run the CREATE NOTIFICATION INTEGRATION command to create a notification integration. An integration is a Snowflake object that references the SNS topic you created.

Note

If you plan to use the integration for notifications about errors in tasks or pipes, a single notification integration can support multiple tasks or pipes.

When you run the command, set the parameters to the following values:

For example:

CREATE NOTIFICATION INTEGRATION my_notification_int
  ENABLED = TRUE
  DIRECTION = OUTBOUND
  TYPE = QUEUE
  NOTIFICATION_PROVIDER = AWS_SNS
  AWS_SNS_TOPIC_ARN = 'arn:aws:sns:us-east-2:111122223333:sns_topic'
  AWS_SNS_ROLE_ARN = 'arn:aws:iam::111122223333:role/error_sns_role';

Grant Snowflake access to the SNS topic

Retrieve the IAM user ARN and SNS topic external ID

  1. Execute the DESCRIBE NOTIFICATION INTEGRATION command to display the properties of the notification integration that you just created.

    For example, to display the properties of the notification integration named my_notification_int:

    DESC NOTIFICATION INTEGRATION my_notification_int;
    +---------------------------+-------------------+------------------------------------------------------+----------------------+
    |   property                |   property_type   |   property_value                                     |   property_default   |
    +---------------------------+-------------------+------------------------------------------------------+----------------------+
    |   ENABLED                 |   Boolean         |   true                                               |   false              |
    |   NOTIFICATION_PROVIDER   |   String          |   AWS_SNS                                            |                      |
    |   DIRECTION               |   String          |   OUTBOUND                                           |   INBOUND            |
    |   AWS_SNS_TOPIC_ARN       |   String          |   arn:aws:sns:us-east-2:111122223333:myaccount       |                      |
    |   AWS_SNS_ROLE_ARN        |   String          |   arn:aws:iam::111122223333:role/myrole              |                      |
    |   SF_AWS_IAM_USER_ARN     |   String          |   arn:aws:iam::123456789001:user/c_myaccount         |                      |
    |   SF_AWS_EXTERNAL_ID      |   String          |   MYACCOUNT_SFCRole=2_a123456/s0aBCDEfGHIJklmNoPq=   |                      |
    +---------------------------+-------------------+------------------------------------------------------+----------------------+
  2. Record the values for the following properties:

    • SF_AWS_IAM_USER_ARN

      ARN for the Snowflake IAM user created for your account. Users in your Snowflake account will assume the IAM role you created earlier by submitting the external ID for this user using your notification integration.

    • SF_AWS_EXTERNAL_ID

      The external ID for the Snowflake IAM user created for your account.

In the next step, you will update the trust relationship for the IAM role using these values.

Note the DIRECTION property, which indicates the direction of cloud messaging relative to Snowflake.

Modify the trust relationship in the IAM role

  1. Log in to the AWS Management Console.
  2. From the home dashboard, choose Identity & Access Management (IAM).
  3. Choose Roles from the left-hand navigation pane.
  4. Select the role you created earlier.
  5. Select the Trust relationships tab.
  6. Select Edit trust relationship.
  7. Modify the policy document to use the values of the notification integration properties that you recorded earlier.

Policy document for the IAM role

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "<sf_aws_iam_user_arn>"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "<sf_aws_external_id>"
        }
      }
    }
  ]
}

Where:

  • sf_aws_iam_user_arn is the SF_AWS_IAM_USER_ARN value you recorded.
  • sf_aws_external_id is the SF_AWS_EXTERNAL_ID value you recorded.

  8. Select Update Trust Policy. The changes are saved.
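The trust policy is what stops any principal other than your account's Snowflake IAM user from assuming the role, and the sts:ExternalId condition is what prevents a different Snowflake account (which uses the same Snowflake-side IAM user) from doing so. The following Python script is an added example, not code from the Snowflake documentation or from AWS: it parses the ASCII table that DESC NOTIFICATION INTEGRATION prints (the sample embedded below is constructed from the page's own example output), renders the trust policy document above with the two recorded values, and lints the result for the mistakes that matter most, including the dummy external ID 0000 entered during role creation, which must not survive into the final policy. The placeholder constant and the check that the principal is an IAM ARN are assumptions of this script.

```python
import json

# Constructed sample: the DESC NOTIFICATION INTEGRATION output shown on the page,
# with the page's example values. Real values come from your own DESC output.
SAMPLE_DESC_OUTPUT = """\
+---------------------------+-------------------+------------------------------------------------------+----------------------+
|   property                |   property_type   |   property_value                                     |   property_default   |
+---------------------------+-------------------+------------------------------------------------------+----------------------+
|   ENABLED                 |   Boolean         |   true                                               |   false              |
|   NOTIFICATION_PROVIDER   |   String          |   AWS_SNS                                            |                      |
|   DIRECTION               |   String          |   OUTBOUND                                           |   INBOUND            |
|   AWS_SNS_TOPIC_ARN       |   String          |   arn:aws:sns:us-east-2:111122223333:myaccount       |                      |
|   AWS_SNS_ROLE_ARN        |   String          |   arn:aws:iam::111122223333:role/myrole              |                      |
|   SF_AWS_IAM_USER_ARN     |   String          |   arn:aws:iam::123456789001:user/c_myaccount         |                      |
|   SF_AWS_EXTERNAL_ID      |   String          |   MYACCOUNT_SFCRole=2_a123456/s0aBCDEfGHIJklmNoPq=   |                      |
+---------------------------+-------------------+------------------------------------------------------+----------------------+
"""

# The dummy external ID entered when the role was first created (assumption: "0000" as in the page's
# role-creation step). It must be replaced by SF_AWS_EXTERNAL_ID before the role is trusted.
PLACEHOLDER_EXTERNAL_ID = "0000"


def parse_desc_output(text: str) -> dict:
    """Turn the ASCII table printed by DESC NOTIFICATION INTEGRATION into {property: property_value}."""
    props = {}
    for line in text.splitlines():
        if not line.startswith("|"):
            continue  # "+----" border rows
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "property":
            continue  # header row or a row of unexpected width
        props[cells[0]] = cells[2]
    return props


def build_trust_policy(sf_aws_iam_user_arn: str, sf_aws_external_id: str) -> dict:
    """Render the trust policy document from the page with the recorded values filled in."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "",
                "Effect": "Allow",
                "Principal": {"AWS": sf_aws_iam_user_arn},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": sf_aws_external_id}},
            }
        ],
    }


def lint_trust_policy(doc: dict) -> list:
    """Check the properties that keep the role from being assumable by the wrong party."""
    findings = []
    for i, stmt in enumerate(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if aws == "*" or not (isinstance(aws, str) and aws.startswith("arn:aws:iam::")):
            findings.append(f"statement {i}: Principal must be the specific Snowflake IAM user ARN, got {aws!r}")
        actions = stmt.get("Action")
        if actions != "sts:AssumeRole" and actions != ["sts:AssumeRole"]:
            findings.append(f"statement {i}: Action should be exactly sts:AssumeRole, got {actions!r}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext:
            findings.append(f"statement {i}: missing sts:ExternalId condition")
        elif ext == PLACEHOLDER_EXTERNAL_ID:
            findings.append(f"statement {i}: sts:ExternalId is still the placeholder {PLACEHOLDER_EXTERNAL_ID!r}")
    return findings


def trust_policy_from_desc(text: str) -> dict:
    """Convenience: DESC output in, ready-to-paste trust policy out."""
    props = parse_desc_output(text)
    return build_trust_policy(props["SF_AWS_IAM_USER_ARN"], props["SF_AWS_EXTERNAL_ID"])


if __name__ == "__main__":
    policy = trust_policy_from_desc(SAMPLE_DESC_OUTPUT)
    print(json.dumps(policy, indent=2))  # paste this into the trust relationship editor
    print("findings:", lint_trust_policy(policy))
```

Paste the printed JSON into the Trust relationships editor as in step 7, or apply it with the CLI equivalent (aws iam update-assume-role-policy --role-name <role> --policy-document file://trust.json). Re-running lint_trust_policy against the role's current trust policy after any later edit catches the two regressions that quietly widen access: a principal of "*" and a missing or placeholder external ID.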