I’m trying to load a CSV file into Snowflake from an S3 external stage, but I keep getting a 403 Access Denied error:
```sql
COPY INTO PBI_Dataset
FROM @pbi_stage
FILE_FORMAT = (TYPE = CSV FIELD_DELIMITER = ',' SKIP_HEADER=1)
ON_ERROR = 'CONTINUE';
```
When I run this, I see:
```
Failure using stage area. Cause: [Access Denied (Status Code: 403; Error Code: AccessDenied)]
```
ACCOUNTADMIN role, which has wide-ranging privileges.
Grants
```sql
GRANT USAGE ON DATABASE MY_DB TO ROLE ACCOUNTADMIN;
GRANT USAGE ON SCHEMA MY_DB.MY_SCHEMA TO ROLE ACCOUNTADMIN;
GRANT USAGE ON STAGE MY_DB.MY_SCHEMA.pbi_stage TO ROLE ACCOUNTADMIN;
```
The AWS IAM role used by my Snowflake storage integration has a policy like this:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "s3:GetObject", "s3:ListBucket" ],
      "Resource": [ "arn:aws:s3:::bucket1", "arn:aws:s3:::bucket1/*" ]
    }
  ]
}
```
I added the correct bucket ARN(s) to the "Resource" section, but the error still occurs if I try to reference a different bucket.
Trust Relationship (Role’s Trust Policy)
I confirmed Snowflake can assume the AWS IAM role by checking the trust policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<SNOWFLAKE_ACCT_ID>:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "<MY_STORAGE_INTEGRATION_EXTERNAL_ID>"
        }
      }
    }
  ]
}
```
Not sure if there’s another setting that might still be preventing access.
I checked the bucket policy to make sure it doesn’t block outside access or include any Deny statements that might affect the Snowflake IAM role.
Despite these steps, the 403 AccessDenied persists when trying to load from the stage.
Ensure that S3 bucket and Snowflake stage are in compatible regions
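An added example (not part of the original post) that checks which S3 calls an identity policy like the one in the question would refuse for a given stage URL, which makes the "different bucket" case visible before running COPY INTO. It assumes the stage needs `s3:ListBucket` on the bucket and `s3:GetObject` on its objects (the two actions shown in the question), uses constructed stage URLs and a hypothetical `probe.csv` key, and models only Allow/Deny with wildcards, not conditions, bucket policies or KMS.

```python
import json
import re

# Constructed sample: the identity policy from the question (covers bucket1 only).
POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow",
                "Action": ["s3:GetObject", "s3:ListBucket"],
                "Resource": ["arn:aws:s3:::bucket1", "arn:aws:s3:::bucket1/*"]}]}
""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, value, ignore_case=False):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.I if ignore_case else 0) is not None

def is_allowed(policy, action, resource):
    """Identity-policy check only: an explicit Deny wins, otherwise any Allow."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if {"Condition", "NotAction", "NotResource"} & stmt.keys():
            raise ValueError("statement uses elements this sketch does not model")
        hit = (any(_matches(a, action, True) for a in _as_list(stmt["Action"]))
               and any(_matches(r, resource) for r in _as_list(stmt["Resource"])))
        if hit and stmt["Effect"] == "Deny":
            return False
        allowed = allowed or hit
    return allowed

def missing_for_stage(policy, stage_url):
    """Return the (action, resource) pairs the policy does not allow for a stage URL."""
    if not stage_url.startswith("s3://"):
        raise ValueError("expected an s3:// stage URL")
    bucket, _, prefix = stage_url[len("s3://"):].partition("/")
    needed = [
        ("s3:ListBucket", f"arn:aws:s3:::{bucket}"),                   # bucket ARN
        ("s3:GetObject", f"arn:aws:s3:::{bucket}/{prefix}probe.csv"),  # object ARN
    ]
    return [pair for pair in needed if not is_allowed(policy, *pair)]

if __name__ == "__main__":
    for url in ("s3://bucket1/exports/", "s3://bucket2/exports/"):  # constructed URLs
        print(url, "->", missing_for_stage(POLICY, url) or "covered")
```
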