Creates a new location object in your Firebolt account, which is a secure, reusable object that stores the connection details and credentials for external data sources. Instead of entering these details each time you run a query or create a table, you can use a location object.

The location object stores the following:

  • The source type specification
  • Authentication credentials
  • The data source URL
  • Optional descriptive metadata

This makes it easier to manage data access, keeps your credentials safe, and saves you from having to repeat the same information across multiple queries.

You can use LOCATION to centralize credential storage with managed access with Role-Based Access Control (RBAC) for CREATE, MODIFY, and USAGE permissions for different users, use a single location definition for multiple tables and queries, and control access to sensitive data. LOCATION is version control-friendly because no sensitive credentials are stored in source code.

After you create a LOCATION, you can use the information_schema.locations view to see details about all the locations in your account including source type, URL, description, owner and creation time.

For a comprehensive guide to understanding and using LOCATION objects, see LOCATION objects.

Related:

This document covers LOCATION objects in general. For more information about specific types of LOCATION objects, including more in-depth examples, please see:

Topics:

Syntax

CREATE LOCATION [ IF NOT EXISTS ] <location_name> WITH
  SOURCE = { AMAZON_S3 | ICEBERG }
  [ , ... ]

-- Amazon S3 Location
CREATE LOCATION [ IF NOT EXISTS ] <location_name> WITH
  SOURCE = AMAZON_S3
  CREDENTIALS = {
    ( AWS_ACCESS_KEY_ID = '<aws_access_key_id>'
      AWS_SECRET_ACCESS_KEY = '<aws_secret_access_key>'
      [ AWS_SESSION_TOKEN = '<aws_session_token>' ] )
    |
    ( AWS_ROLE_ARN = '<aws_role_arn>'
      [ AWS_ROLE_EXTERNAL_ID = '<aws_role_external_id>' ] )
  }
  URL = '<url>'
  [ DESCRIPTION = '<description>' ]

-- Iceberg Location
CREATE LOCATION [ IF NOT EXISTS ] <location_name> WITH
  SOURCE = ICEBERG
  CATALOG = { FILE_BASED | REST | DATABRICKS_UNITY }
  CATALOG_OPTIONS = {
    -- FILE_BASED
    ( URL = '<file_based_catalog_url>' )
    |
    -- REST
    ( URL = '<rest_catalog_url>'
      WAREHOUSE = '<warehouse>'
      NAMESPACE = '<namespace>'
      TABLE = '<table_name>' )
    |
    -- DATABRICKS_UNITY
    ( WORKSPACE_INSTANCE = '<workspace_instance>'
      CATALOG = '<uc_catalog_name>'
      SCHEMA = '<uc_schema_name>'
      TABLE = '<uc_table_name>' )
  }
  CREDENTIALS = {
    -- AWS Authentication
    ( AWS_ACCESS_KEY_ID = '<aws_access_key_id>'
      AWS_SECRET_ACCESS_KEY = '<aws_secret_access_key>'
      [ AWS_SESSION_TOKEN = '<aws_session_token>' ] )
    |
    ( AWS_ROLE_ARN = '<aws_role_arn>'
      [ AWS_ROLE_EXTERNAL_ID = '<aws_role_external_id>' ] )
    |
    -- OAuth Authentication
    ( OAUTH_CLIENT_ID = '<oauth_client_id>'
      OAUTH_CLIENT_SECRET = '<oauth_client_secret>'
      [ OAUTH_SCOPE = '<oauth_scope>' ]
      [ OAUTH_SERVER_URL = '<oauth_server_url>' ] )
  }
  [ DESCRIPTION = '<description>' ]

Parameters

Common Parameters

ParameterDescription
<location_name>A unique identifier for the location within your account.
SOURCEThe external data source type. Currently, AMAZON_S3 (See CREATE LOCATION (Amazon S3)) and ICEBERG (See CREATE LOCATION (Iceberg)) are supported.
DESCRIPTIONOptional metadata describing the location’s purpose.

Amazon S3 Parameters

ParameterDescription
CREDENTIALSAuthentication credentials for Amazon S3 access.
URLThe data source URL in the format: s3://{bucket_name}/{path}. This must be a valid S3 URL.

Iceberg Parameters

ParameterDescription
CATALOGThe type of Iceberg catalog. Supported values: FILE_BASED, REST, or DATABRICKS_UNITY.
CATALOG_OPTIONSConfiguration options specific to the chosen catalog type.
CREDENTIALSAuthentication credentials for accessing the Iceberg catalog. Depending on the type of catalog, either AWS or OAuth credentials are used.

AWS Authentication Parameters

ParameterDescription
AWS_ACCESS_KEY_IDYour AWS access key ID for key-based authentication.
AWS_SECRET_ACCESS_KEYYour AWS secret access key for key-based authentication.
AWS_SESSION_TOKENOptional temporary session token for temporary credentials.
AWS_ROLE_ARNThe ARN of the IAM role to assume for role-based authentication.
AWS_ROLE_EXTERNAL_IDOptional external ID for role assumption.

OAuth Authentication Parameters

ParameterDescription
OAUTH_CLIENT_IDThe OAuth client ID for authentication.
OAUTH_CLIENT_SECRETThe OAuth client secret for authentication.
OAUTH_SCOPEOptional OAuth scope for authentication.
OAUTH_SERVER_URLOptional OAuth server URL for authentication.

Iceberg Catalog-Specific Parameters

FILE_BASED Catalog
ParameterDescription
URLThe URL for the file-based catalog.
REST Catalog
ParameterDescription
URLThe REST catalog URL.
WAREHOUSEThe warehouse identifier.
NAMESPACEThe namespace identifier.
TABLEThe table name.
DATABRICKS_UNITY Catalog
ParameterDescription
WORKSPACE_INSTANCEThe Databricks workspace instance.
CATALOGThe Unity Catalog name.
SCHEMAThe Unity Catalog schema name.
TABLEThe Unity Catalog table name.

Examples

Create a location

The following code example creates a location that uses keys to authenticate to AWS:

CREATE LOCATION my_location WITH
  SOURCE = AMAZON_S3
  CREDENTIALS = ( AWS_ACCESS_KEY_ID = '1231' AWS_SECRET_ACCESS_KEY = '567' )
  URL = 's3://my-bucket/path/to/data'

Create a location with a description

The following code example creates a location object named my_location, for an Amazon S3 data source with the specified URL and description:

CREATE LOCATION my_location WITH
  SOURCE = AMAZON_S3
  CREDENTIALS = ( AWS_ACCESS_KEY_ID = '1231' AWS_SECRET_ACCESS_KEY = '567' )
  URL = 's3://my-bucket/path/to/data'
  DESCRIPTION = 'Main data storage location'

Create a location only if it doesn’t exist

The following code example uses an access key to authenticate to AWS using a location only if it doesn’t already exist:

CREATE LOCATION IF NOT EXISTS my_location WITH
  SOURCE = AMAZON_S3
  CREDENTIALS = ( AWS_ACCESS_KEY_ID = '1231' AWS_SECRET_ACCESS_KEY = '567' )
  URL = 's3://my-bucket/path/to/data'

Use a location to load data into an external table

The following code example creates an external table my_ext_table that uses a previously created location my_location to load Parquet data files matching the *.parquet pattern from Amazon S3:

CREATE EXTERNAL TABLE my_ext_table (
  c_id    INT,
  c_name  TEXT
)
LOCATION = my_location
OBJECT_PATTERN = '*.parquet'
TYPE = PARQUET

For more information about using locations in external tables, see CREATE EXTERNAL TABLE.

Use a location to load data using COPY statements

The following code example uses COPY FROM to load Parquet data files matching the *.parquet pattern from my_location into my_table:

COPY INTO my_table
FROM my_location
WITH
  OBJECT_PATTERN = '*.parquet'
  TYPE = PARQUET

For more information, see COPY TO and COPY FROM.

Use a LOCATION to load data with a TVF

You can use LOCATION to load data using table-valued functions (TVFs) such as READ_CSV, READ_PARQUET, and LIST_OBJECTS.

The following code example uses READ_CSV to query data from a CSV file stored in my_location, using the first row as headers for column names:

SELECT * FROM READ_CSV(
  location => my_location,
  header => TRUE
)

Alter a location

Firebolt does not yet support altering a location that has been created. This feature will be available in a future release.

Delete a location

You can use DROP LOCATION to remove a location from your Firebolt account.

The following code example deletes a LOCATION from your Firbolt account:

DROP LOCATION [IF EXISTS] <location_name> [WITH FORCE]

Deleting a location will affect all objects that depend on the LOCATION that you are dropping.

Notes

  • All identifiers are case-insensitive unless enclosed in double-quotes
  • Locations cannot be created on the system engine
  • For more information about object identifiers, see Object identifiers

Error Handling

The system uses secure error handling for location objects:

  • Generic error messages ensure security by not exposing sensitive information.
  • Detailed error information is only available to users with the necessary permissions.
  • Users without the required permissions are provided with instructions to contact an administrator.

Best Practices

  1. Use location objects instead of embedding credentials directly in queries or table definitions.
  2. Regularly rotate credentials stored in location objects.
  3. Follow the principle of least privilege when assigning permissions.
  4. Use clear and descriptive names and descriptions for location objects.
  5. Keep a record of dependencies before removing any location objects.

Limitations

  • The DROP CASCADE functionality is not supported.
  • The source type cannot be modified for existing location objects.
  • Location objects cannot be used alongside inline credentials in the same statement.
  • Historical versions of credentials are not maintained.