API Integration is the Snowflake object that holds the authentication and connection settings used to safely call external REST APIs from External Functions. It supports AWS API Gateway, Azure API Management, and Google Cloud API Gateway, so you can invoke external services such as ML inference, geocoding, or translation directly from a SQL query.
An API Integration establishes the authentication channel between Snowflake's Cloud Services Layer and the cloud provider's API Gateway. The actual data flow looks like this:
SQL query
-> Virtual Warehouse (calls External Function)
-> Cloud Services Layer (API Integration authentication)
-> API Gateway (AWS / Azure / GCP)
-> Backend (Lambda / Azure Functions / Cloud Functions)
-> Response returned to SnowflakeThe role of an API Integration is to establish the trust relationship between Snowflake's service account and the API Gateway's access controls. The actual HTTP requests are issued by the External Function itself.
-- API Integration for AWS API Gateway
CREATE OR REPLACE API INTEGRATION aws_ml_api
API_PROVIDER = aws_api_gateway
API_AWS_ROLE_ARN = 'arn:aws:iam::123456789012:role/snowflake-api-role'
API_ALLOWED_PREFIXES = ('https://abc123.execute-api.us-east-1.amazonaws.com/prod/')
ENABLED = TRUE;
-- After creation, fetch Snowflake's IAM info
DESCRIBE INTEGRATION aws_ml_api;
-- -> Check API_AWS_IAM_USER_ARN and API_AWS_EXTERNAL_ID
-- -> Configure these in the IAM role trust policy on the AWS side{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {
"AWS": "<API_AWS_IAM_USER_ARN>"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "<API_AWS_EXTERNAL_ID>"
}
}
}]
}-- API Integration for Azure API Management
CREATE OR REPLACE API INTEGRATION azure_translate_api
API_PROVIDER = azure_api_management
AZURE_TENANT_ID = 'a1b2c3d4-e5f6-7890-abcd-ef1234567890'
AZURE_AD_APPLICATION_ID = 'f1e2d3c4-b5a6-7890-abcd-ef0987654321'
API_ALLOWED_PREFIXES = ('https://my-apim.azure-api.net/translate/')
ENABLED = TRUE;
-- Get AZURE_MULTI_TENANT_APP_NAME via DESCRIBE INTEGRATION
-- Grant the service principal the right permissions in Azure AD-- API Integration for Google Cloud API Gateway
CREATE OR REPLACE API INTEGRATION gcp_geocode_api
API_PROVIDER = google_api_gateway
GOOGLE_AUDIENCE = 'https://my-gateway-abc123.uc.gateway.dev'
API_ALLOWED_PREFIXES = ('https://my-gateway-abc123.uc.gateway.dev/geocode/')
ENABLED = TRUE;
-- Get API_GCP_SERVICE_ACCOUNT via DESCRIBE INTEGRATION
-- Grant this service account the Invoker role on the GCP side| Item | AWS | Azure | GCP |
|---|---|---|---|
| API_PROVIDER value | aws_api_gateway | azure_api_management | google_api_gateway |
| Authentication | IAM role + ExternalId | Azure AD service principal | GCP service account |
| Where to configure after DESCRIBE | IAM role trust policy | Azure AD app registration | IAM Invoker permission |
| API Gateway product | Amazon API Gateway | Azure API Management | Google Cloud API Gateway |
-- Create an External Function and bind the API Integration
CREATE OR REPLACE EXTERNAL FUNCTION sentiment_analysis(text VARCHAR)
RETURNS VARIANT
API_INTEGRATION = aws_ml_api
AS 'https://abc123.execute-api.us-east-1.amazonaws.com/prod/sentiment';
-- Call the External Function from a SQL query
SELECT
review_id,
review_text,
sentiment_analysis(review_text) AS sentiment_result
FROM product_reviews
LIMIT 100;
-- Batch processing: persist the results with INSERT INTO ... SELECT
INSERT INTO product_reviews_enriched
SELECT
review_id,
review_text,
sentiment_analysis(review_text):sentiment::VARCHAR AS sentiment,
sentiment_analysis(review_text):confidence::FLOAT AS confidence
FROM product_reviews;-- List
SHOW API INTEGRATIONS;
-- Detail
DESCRIBE INTEGRATION aws_ml_api;
-- Disable (blocks all External Function calls using it)
ALTER API INTEGRATION aws_ml_api SET ENABLED = FALSE;
-- Re-enable
ALTER API INTEGRATION aws_ml_api SET ENABLED = TRUE;
-- Drop (drop all referencing External Functions first)
DROP API INTEGRATION aws_ml_api;| Error | Cause | Fix |
|---|---|---|
| Error assuming AWS role | IAM role trust policy is misconfigured | Re-check the ARN and ExternalId from DESCRIBE INTEGRATION and configure them correctly in the AWS-side trust policy. |
| Request URL not allowed | The URL is not covered by API_ALLOWED_PREFIXES | Confirm that the URL in the External Function's AS clause matches the allowed prefix. |
| Integration is disabled | ENABLED = FALSE | Re-enable it with ALTER INTEGRATION ... SET ENABLED = TRUE. |
| HTTP 403 from API Gateway | Authorization error on the API Gateway side | Check the IAM / service principal permissions on the cloud side. |
Security & Integrations
問題 1
After creating an API Integration that targets AWS API Gateway, an External Function call fails with 'Error assuming AWS role'. Which is the most likely cause?
正解: C
'Error assuming AWS role' means Snowflake's service account cannot AssumeRole on the AWS IAM role. You need to configure API_AWS_IAM_USER_ARN and API_AWS_EXTERNAL_ID (obtained via DESCRIBE INTEGRATION) correctly in the AWS-side IAM role trust policy. URL protocol or return-type issues would not produce this error.
What is the precedence between API_ALLOWED_PREFIXES and API_BLOCKED_PREFIXES on an API Integration?
API_BLOCKED_PREFIXES wins. Even if a URL matches API_ALLOWED_PREFIXES, the request is blocked when it also matches API_BLOCKED_PREFIXES. The best practice is to allow only the minimum set of endpoints via API_ALLOWED_PREFIXES and use API_BLOCKED_PREFIXES only when you need to exclude specific paths from an allowed prefix.
Can a single API Integration be shared by multiple External Functions?
Yes. You can create multiple External Functions against a single API Integration, with each function calling a different endpoint path. When several function endpoints live under the same API Gateway, sharing one API Integration and allowing them collectively via API_ALLOWED_PREFIXES is the most efficient pattern.
Which Snowflake Edition is required to create an API Integration?
API Integration is available on Standard Edition and above. Calling an External Function still requires a Virtual Warehouse, and you consume credits in proportion to the number of calls. You also incur cloud-side API Gateway charges separately, so cost estimates need to account for both the Snowflake side and the cloud provider side.
Practice with certification-focused question sets
無料で問題を解いてみるNicheeLab Editorial Team
NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.
Snowflake Certifications: All 11 Exams Explained (2026)
Every SnowPro certification — Associate, Core, Specialty, Ad...
Snowflake Exam Difficulty Ranking: All 11 Certs Compared (2026)
All 11 SnowPro exams ranked by difficulty with study-time es...
Snowflake Study Guide: Fastest Pass Route by Exam (2026)
How to pass SnowPro certifications efficiently — official ma...
SnowPro Core (COF-C03): Complete Exam Guide (2026)
Pass the SnowPro Core exam — six domains, scope, sample ques...
SnowPro Associate Platform (SOL-C01): Complete Guide (2026)
The entry-level SnowPro Associate exam — scope, weighting, s...