Upgrade Step: Configuring Snowflake Integration for AWS SaaS
When upgrading an existing Kyvos cluster to version 2025.8 or later, additional configuration steps are required to ensure that Snowflake integration works correctly. This applies only to clusters upgraded from a version earlier than 2025.8.
If a Snowflake IAM Role is created as a part of deployment (for 2025.7 and later, Kyvos creates the Snowflake role automatically):
Continue using the same role.
Populate its details in the connectionAccounts.properties file.
If a Snowflake IAM Role is not created:
Use the default IAM role already available in the environment.
Document its ARN and role name in the configuration file.
Configuration Steps
Step 1: Create connectionAccounts.properties
Create the following file if it does not already exist:
kyvos/olapengine/conf/connectionAccounts/connectionAccounts.properties
Add the following key-value pairs:
SNOWFLAKE_IAM_ROLE_NAME=<Snowflake IAM Role Name>
SNOWFLAKE_AWS_ROLE_ARN=<ARN of the Snowflake IAM Role>
KMS_KEY_ID=<KMS Key ARN>
Step 2: Update IAM Role Permissions
Update the instance IAM role (the IAM role attached to the Kyvos kmInstance) with the following permissions:
{
  "Sid": "SnowflakeIntegrationUpdateTrustEntities",
  "Effect": "Allow",
  "Action": "iam:UpdateAssumeRolePolicy",
  "Resource": "<Snowflake_role_arn_used_for_creating_connection>"
}
Replace <Snowflake_role_arn_used_for_creating_connection> with the ARN defined in SNOWFLAKE_AWS_ROLE_ARN. This allows the cluster’s instance role to modify the trust policy of the Snowflake role.
Step 3: Update S3 Bucket Policy
In the existing S3 bucket policy, add the Snowflake IAM Role ARN under the Principal block alongside the existing Kyvos roles. This ensures that Snowflake can access the S3 bucket for reading and writing data during integration.
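A pre-flight check for Steps 1 to 3, added here as an example and not part of the Kyvos product or its documentation: it verifies that the three files agree on the same Snowflake role ARN and that the iam:UpdateAssumeRolePolicy grant is scoped to that single role. The function names and all sample values (account ID, role names, bucket name, key ID) are constructed assumptions; the policies are passed in as already-parsed JSON.

```python
import re

ROLE_ARN = re.compile(r"^arn:aws[\w-]*:iam::\d{12}:role/(?:[\w+=,.@-]+/)*([\w+=,.@-]+)$")
REQUIRED = ("SNOWFLAKE_IAM_ROLE_NAME", "SNOWFLAKE_AWS_ROLE_ARN", "KMS_KEY_ID")

def parse_properties(text):
    """Parse key=value lines, skipping blanks and # comments."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def as_list(value):
    return value if isinstance(value, list) else [value]

def check_upgrade(props_text, instance_policy, bucket_policy):
    """Return a list of problems; empty means Steps 1-3 agree with each other."""
    props, problems = parse_properties(props_text), []
    for key in REQUIRED:
        if not props.get(key) or props[key].startswith("<"):
            problems.append(f"{key} missing or still a placeholder")
    arn = props.get("SNOWFLAKE_AWS_ROLE_ARN", "")
    m = ROLE_ARN.match(arn)
    if not m:
        problems.append("SNOWFLAKE_AWS_ROLE_ARN is not an IAM role ARN")
    elif m.group(1) != props.get("SNOWFLAKE_IAM_ROLE_NAME"):
        problems.append("SNOWFLAKE_IAM_ROLE_NAME does not match the ARN")
    # Step 2: Resource must be exactly this role; a wildcard would also cover other roles' trust policies.
    grants = [s for s in as_list(instance_policy.get("Statement", []))
              if s.get("Effect") == "Allow" and "iam:updateassumerolepolicy"
              in [a.lower() for a in as_list(s.get("Action", []))]]
    if not grants:
        problems.append("instance role lacks iam:UpdateAssumeRolePolicy")
    if any(as_list(s.get("Resource")) != [arn] for s in grants):
        problems.append("iam:UpdateAssumeRolePolicy not scoped to the Snowflake role")
    # Step 3: the Snowflake role must be an AWS principal in the bucket policy.
    principals = set()
    for s in as_list(bucket_policy.get("Statement", [])):
        if isinstance(s.get("Principal"), dict):
            principals.update(as_list(s["Principal"].get("AWS", [])))
    if arn not in principals:
        problems.append("bucket policy Principal lacks the Snowflake role")
    return problems

# Constructed sample values (account ID, role, bucket and key names are made up).
ARN = "arn:aws:iam::111122223333:role/kyvos-snowflake-role"
PROPS = f"SNOWFLAKE_IAM_ROLE_NAME=kyvos-snowflake-role\nSNOWFLAKE_AWS_ROLE_ARN={ARN}\nKMS_KEY_ID=arn:aws:kms:us-east-1:111122223333:key/EXAMPLE\n"
INSTANCE = {"Statement": [{"Sid": "SnowflakeIntegrationUpdateTrustEntities", "Effect": "Allow", "Action": "iam:UpdateAssumeRolePolicy", "Resource": ARN}]}
BUCKET = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": ["arn:aws:iam::111122223333:role/kyvos-instance-role", ARN]}, "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-kyvos-bucket/*"}]}
print(check_upgrade(PROPS, INSTANCE, BUCKET) or "Steps 1-3 are consistent")
```

An empty result means the properties file, the instance role statement and the bucket policy all reference the same role ARN.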