I am trying out Terraform snowflake_stage and using the ARN from an IAM role, which is also managed by Terraform, as the credentials. The Snowflake SQL works when I use:
create stage dev
URL='s3://name_of_bucket/'
storage_integration = dev_integration
credentials=(AWS_ROLE='arn:aws:iam:999999999999:role/service-role-name')
encryption=(TYPE='AWS_SSE_KMS' KMS_KEY_ID='aws/key')
FILE_FORMAT=DATABASE.PUBLIC.SCHEMA.FORMAT_NAME
COPY_OPTION=(ON_ERROR='CONTINUE' PURGE='FALSE' RETURN_FAILED_ONLY='TRUE');
But when I try to write an equivalent Terraform resource "snowflake_stage" using:
resource "snowflake_stage" "stage" {
name = "dev"
url = "s3://name_of_bucket/"
storage_integration = "dev_integration"
schema = "public"
credentials = "AWS_ROLE='aws_iam_role.snowflake_stage.arn'"
encryption = "(TYPE='AWS_SSE_KMS' KMS_KEY_ID='aws/key')
file_format = "DATABASE.PUBLIC.SCHEMA.FORMAT_NAME"
copy_options = "(ON_ERROR='CONTINUE' PURGE='FALSE' RETURN_FAILED_ONLY='TRUE')"
}
I get: SQL compilation error: invalid value [Not a property list: TOK_LIST] for parameter {1}
The value for encryption seems to need "AWS_ROLE='..'"
I have already tried:
credentials = aws_iam_role.snowflake_stage.arn
But I got a different set of errors.
How do I combine:
credentials = "AWS_ROLE='
with aws_iam_role.snowflake_stage.arn and then add:
`)"
as the credentials value?
First, you are missing the closing " in encryption. It should be:
encryption = "(TYPE='AWS_SSE_KMS' KMS_KEY_ID='aws/key')"
Second, for the role:
credentials = "AWS_ROLE='${aws_iam_role.snowflake_stage.arn}'"
This is a bit late, but the encryption should be:
encryption = "TYPE='AWS_SSE_KMS' KMS_KEY_ID='aws/key'"
rather than:
encryption = "(TYPE='AWS_SSE_KMS' KMS_KEY_ID='aws/key')"
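Also, as long as you configure the appropriate role and role permissions for it (S3, KMS and STS policy documents), you can use the storage integration alone. Then you can drop the encryption and credentials fields.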
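The storage-integration-only setup described in the last answer, as an added example that is not code from any of the posts above. It assumes the hashicorp/aws and Snowflake-Labs/snowflake providers are already configured and that the stage is only read from. The role name, the `kms_key_arn` variable and the database name are assumptions.

```hcl
variable "kms_key_arn" { type = string } # assumed input: ARN of the key that encrypts the bucket

data "aws_caller_identity" "current" {}

locals {
  role_name = "snowflake-stage-dev" # assumed name
  # Built as a string so the integration does not depend on the role resource;
  # the role's trust policy depends on the integration, so a reference would form a cycle.
  role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${local.role_name}"
}

resource "snowflake_storage_integration" "dev" {
  name                      = "dev_integration"
  type                      = "EXTERNAL_STAGE"
  enabled                   = true
  storage_provider          = "S3"
  storage_aws_role_arn      = local.role_arn
  storage_allowed_locations = ["s3://name_of_bucket/"]
}

resource "aws_iam_role" "snowflake_stage" {
  name = local.role_name
  # STS: only Snowflake's IAM user may assume the role, and only with the
  # external ID generated for this integration (confused-deputy protection).
  assume_role_policy = jsonencode({ Version = "2012-10-17", Statement = [{
    Effect    = "Allow"
    Action    = "sts:AssumeRole"
    Principal = { AWS = snowflake_storage_integration.dev.storage_aws_iam_user_arn }
    Condition = { StringEquals = { "sts:ExternalId" = snowflake_storage_integration.dev.storage_aws_external_id } }
  }] })
}

resource "aws_iam_role_policy" "read" {
  name = "snowflake-stage-read"
  role = aws_iam_role.snowflake_stage.id
  # S3 and KMS: read-only access to the one bucket and its key.
  policy = jsonencode({ Version = "2012-10-17", Statement = [
    { Effect = "Allow", Action = ["s3:GetObject", "s3:GetObjectVersion"], Resource = "arn:aws:s3:::name_of_bucket/*" },
    { Effect = "Allow", Action = ["s3:ListBucket", "s3:GetBucketLocation"], Resource = "arn:aws:s3:::name_of_bucket" },
    { Effect = "Allow", Action = "kms:Decrypt", Resource = var.kms_key_arn },
  ] })
}

resource "snowflake_stage" "stage" {
  name                = "dev"
  database            = "DATABASE" # assumed database name
  schema              = "PUBLIC"
  url                 = "s3://name_of_bucket/"
  storage_integration = snowflake_storage_integration.dev.name # no credentials or encryption fields
}
```

With this layout no role ARN or key ID is embedded in the stage definition, and access is revoked by changing the IAM role or the integration rather than every stage that uses them.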