为 Apache Iceberg™ 表使用由目录分发的凭据¶

注意事项¶

在为 Iceberg 表使用由目录分发的凭据时，请考虑以下几点：

• This feature is supported for tables that store their data and metadata in Amazon S3, Azure Storage, or Google Cloud Storage.

• 表文件必须存储在一个桶中，不能分散在多个桶中。

• 为 REST 目录配置的服务主体必须拥有从存储桶中 所有 包含表文件的位置读取数据的权限。若将 AWS Lake Formation 与 AWS Glue 配合使用，可能需要执行额外步骤以启用此访问权限。有关更多信息，请参阅 （可选）配置 Lake Formation 访问控制。

• S根据您的云存储提供商，Snowflake 期望您的目录提供以下令牌之一：

  • AWS: An expiration time for the AWS session token. Snowflake searches for a key-value pair where the key is s3.session-token-expires-at-ms, and the value is a timestamp that specifies the expiration time in milliseconds.

  • Azure: An expiration time for the SAS token. Snowflake searches for a key-value pair where the key is adls.sas-token-expires-at-ms, and the value is a timestamp that specifies the expiration time in milliseconds.

  • Google Cloud Storage: An expiration time for the OAuth 2.0 access token. Snowflake searches for a key-value pair where the key is gcs.oauth2.token-expires-at, and the value is a timestamp that specifies the expiration time in milliseconds.

  If your catalog doesn't provide a token, Snowflake expects your catalog to provide an expiration time for vended credentials, and searches for a key-value pair where the key is expiration-time, and the value is a timestamp that specifies the expiration time in milliseconds; for example, 1730234407000.

  如果您的目录没有提供过期时间，Snowflake 假定在收到后 60 分钟过期。

• Table creation fails if your catalog provides credentials that aren't valid.

• 不支持 CREATE ICEBERG TABLE ... AS SELECT 命令。

• 不支持专用连接；要使用专用连接，必须 配置外部卷。

为分发的凭据创建目录集成¶

要为分发的凭据创建目录集成，请使用 CREATE CATALOG INTEGRATION (Apache Iceberg™ REST) 命令，并将 ACCESS_DELEGATION_MODE 属性设置为 VENDED_CREDENTIALS。

其中：

ACCESS_DELEGATION_MODE = { VENDED_CREDENTIALS | EXTERNAL_VOLUME_CREDENTIALS }

指定用于访问外部云存储中 Iceberg 表文件的访问授权模式。

• VENDED_CREDENTIALS 指定 Snowflake 应使用分发的凭据。

• EXTERNAL_VOLUME_CREDENTIALS 指定 Snowflake 应使用外部卷。

默认：EXTERNAL_VOLUME_CREDENTIALS

You can specify the ACCESS_DELEGATION_MODE property in the list of REST_CONFIG properties in any CREATE CATALOG INTEGRATION (Apache Iceberg™ REST) statement.

CREATE CATALOG INTEGRATION glue_rest_catalog_int
  CATALOG_SOURCE = ICEBERG_REST
  TABLE_FORMAT = ICEBERG
  CATALOG_NAMESPACE = 'rest_catalog_integration'
  REST_CONFIG = (
    CATALOG_URI = 'https://glue.us-west-2.amazonaws.com/iceberg'
    CATALOG_API_TYPE = AWS_GLUE
    CATALOG_NAME = '123456789012'
    ACCESS_DELEGATION_MODE = VENDED_CREDENTIALS
  )
  REST_AUTHENTICATION = (
    TYPE = SIGV4
    SIGV4_IAM_ROLE = 'arn:aws:iam::123456789012:role/my-role'
    SIGV4_SIGNING_REGION = 'us-west-2'
  )
  ENABLED = TRUE;

CREATE OR REPLACE CATALOG INTEGRATION my_s3_tables_catalog_integration
  CATALOG_SOURCE = ICEBERG_REST
  TABLE_FORMAT = ICEBERG
  CATALOG_NAMESPACE = 'my_namespace'
  REST_CONFIG = (
    CATALOG_URI = 'https://glue.us-west-2.amazonaws.com/iceberg'
    CATALOG_API_TYPE = AWS_GLUE
    CATALOG_NAME = '123456789012:S3tablescatalog/my_table_bucket'
    ACCESS_DELEGATION_MODE = VENDED_CREDENTIALS
  )
  REST_AUTHENTICATION = (
    TYPE = SIGV4
    SIGV4_IAM_ROLE = 'arn:aws:iam::123456789012:role/my_api_permissions_role'
  )
  ENABLED = TRUE;

创建一个使用分发的凭据的 Iceberg 表¶

使用第三方 Iceberg REST 目录设置访问控制，并为分发的凭据创建目录集成后，即可创建 Iceberg 表。

创建使用分发凭据的 Iceberg 表时，您要指定使用 ACCESS_DELEGATION_MODE = VENDED_CREDENTIALS 配置的目录集成，并从 CREATE ICEBERG TABLE（Iceberg REST 目录） 语句中排除 EXTERNAL_VOLUME 参数。

例如：

CREATE ICEBERG TABLE my_iceberg_table
  CATALOG = open_catalog_int_vended_credentials
  CATALOG_TABLE_NAME = 'my_table'
  AUTO_REFRESH = TRUE;