> ## Documentation Index
> Fetch the complete documentation index at: https://docs.firebolt.io/llms.txt
> Use this file to discover all available pages before exploring further.
## Submitting Feedback
If you encounter incorrect, outdated, or confusing documentation on this page, submit feedback:
POST https://docs.firebolt.io/feedback
```json
{
"path": "/reference-sql/commands/data-definition/create-location-iceberg",
"feedback": "Description of the issue"
}
```
Only submit feedback when you have something specific and actionable to report.
> Reference and syntax for creating Iceberg locations.
# CREATE LOCATION (Iceberg)
Creates a new location object in your Firebolt account, which is a secure, reusable object that stores the connection details and credentials for Iceberg data sources. Instead of entering these details each time you run a query or create a table, you can use a location object.
This document captures specific and examples for location objects for Iceberg. For a comprehensive guide to LOCATION objects, see [LOCATION objects](/guides/security/location). For more on location objects syntax in general, see [CREATE LOCATION](/reference-sql/commands/data-definition/create-location).
Iceberg locations currently support four catalog types: `REST`, `FILE_BASED`, `DATABRICKS_UNITY` (as syntactic sugar on top of `REST`), and `AWS_GLUE`. Each catalog accepts a different set of parameters and credentials.
**Topics:**
* [Syntax](#syntax)
* [Parameters](#parameters)
* [Examples](#examples)
## Syntax
```sql theme={"theme":{"light":"github-light","dark":"github-dark"}}
CREATE LOCATION [ IF NOT EXISTS ] WITH
SOURCE = ICEBERG
CATALOG = { FILE_BASED | REST | DATABRICKS_UNITY | AWS_GLUE }
CATALOG_OPTIONS = {
-- FILE_BASED
( URL = '' )
|
-- REST
( URL = ''
WAREHOUSE = ''
[ NAMESPACE = '' ]
[ TABLE = '' ] )
|
-- DATABRICKS_UNITY
( WORKSPACE_INSTANCE = ''
CATALOG = ''
SCHEMA = ''
TABLE = '' )
|
-- AWS_GLUE
( URL = ''
CATALOG_ID = ''
[ DATABASE = '' ]
[ TABLE = '' ] )
}
CREDENTIALS = {
-- AWS Authentication
( AWS_ACCESS_KEY_ID = ''
AWS_SECRET_ACCESS_KEY = ''
[ AWS_SESSION_TOKEN = '' ] )
|
( AWS_ROLE_ARN = ''
[ AWS_ROLE_EXTERNAL_ID = '' ] )
|
-- OAuth Authentication
( OAUTH_CLIENT_ID = ''
OAUTH_CLIENT_SECRET = ''
[ OAUTH_SCOPE = '' ]
[ OAUTH_SERVER_URL = '' ] )
|
( BEARER_TOKEN = '' )
}
[ DESCRIPTION = '' ]
```
## Parameters
### Common Parameters
| Parameter | Description |
| :---------------- | :---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `` | A unique identifier for the location within your account. |
| `SOURCE` | The external data source type. Currently, `CLOUD_STORAGE` and `ICEBERG` are supported. Additionally, `AMAZON_S3` is supported as an alias for `CLOUD_STORAGE` with an S3 URL. This should be `ICEBERG` for Iceberg locations. |
| `DESCRIPTION` | Optional metadata describing the location's purpose. |
### Iceberg Parameters
| Parameter | Description |
| :---------------- | :---------------------------------------------------------------------------------------------------------------------------------------- |
| `CATALOG` | The type of Iceberg catalog. Supported values: `FILE_BASED`, `REST`, `DATABRICKS_UNITY`, or `AWS_GLUE`. |
| `CATALOG_OPTIONS` | Configuration options specific to the chosen catalog type. |
| `CREDENTIALS` | Authentication credentials for accessing the Iceberg catalog. Depending on the type of catalog, either AWS or OAuth credentials are used. |
#### AWS Authentication Parameters
Use AWS authentication parameters for `FILE_BASED` and `AWS_GLUE` catalogs.
| Parameter | Description |
| :---------------------- | :--------------------------------------------------------------- |
| `AWS_ACCESS_KEY_ID` | Your AWS access key ID for key-based authentication. |
| `AWS_SECRET_ACCESS_KEY` | Your AWS secret access key for key-based authentication. |
| `AWS_SESSION_TOKEN` | Optional temporary session token for temporary credentials. |
| `AWS_ROLE_ARN` | The ARN of the IAM role to assume for role-based authentication. |
| `AWS_ROLE_EXTERNAL_ID` | Optional external ID for role assumption. |
#### OAuth Authentication Parameters
Use OAuth authentication parameters for `REST` or `DATABRICKS_UNITY` catalogs.
| Parameter | Description | |
| :-------------------- | :------------------------------------------------------------------------------------ | ------ |
| `OAUTH_CLIENT_ID` | The OAuth client ID for authentication. | |
| `OAUTH_CLIENT_SECRET` | The OAuth client secret for authentication. | |
| `OAUTH_SCOPE` | Optional OAuth scope for authentication. | |
| `OAUTH_SERVER_URL` | Optional OAuth server URL for authentication. | |
| `BEARER_TOKEN` | OAuth bearer token for authentication. Only supported for `DATABRICKS_UNITY` catalog. | `TEXT` |
#### Iceberg Catalog-Specific Parameters
##### FILE\_BASED Catalog
| Parameter | Description |
| :-------- | :--------------------------------------------------------------- |
| `URL` | The URL for the file-based catalog. This must be a valid S3 URL. |
##### REST Catalog
| Parameter | Description |
| :---------- | :------------------------ |
| `URL` | The REST catalog URL. |
| `WAREHOUSE` | The warehouse identifier. |
| `NAMESPACE` | The namespace identifier. |
| `TABLE` | The table name. |
##### DATABRICKS\_UNITY Catalog
| Parameter | Description |
| :------------------- | :--------------------------------- |
| `WORKSPACE_INSTANCE` | The Databricks workspace instance. |
| `CATALOG` | The Unity Catalog name. |
| `SCHEMA` | The Unity Catalog schema name. |
| `TABLE` | The Unity Catalog table name. |
##### AWS\_GLUE Catalog
| Parameter | Description |
| :----------- | :---------------------------------------------------------------------------------------------------------------------------- |
| `URL` | The AWS Glue endpoint URL. Format: `https://glue..amazonaws.com/iceberg` |
| `CATALOG_ID` | The AWS Glue catalog ID. Must be the default catalog for your account. Nested and named catalogs are not currently supported. |
| `DATABASE` | The AWS Glue database name. |
| `TABLE` | The AWS Glue table name. |
## Examples
**Simplify queries with views.** You can wrap `READ_ICEBERG` calls in a [view](/reference-sql/commands/data-definition/create-view) so that Iceberg tables can be queried like regular tables. See [Simplifying queries with views](/reference-sql/functions-reference/iceberg/read_iceberg#simplifying-queries-with-views) for examples.
### File-based catalog
Used to access Iceberg tables directly from S3.
For file-based Iceberg catalogs, use AWS key-based or role-based authentication in `CREDENTIALS`.
**With access key and secret:**
```sql theme={"theme":{"light":"github-light","dark":"github-dark"}}
CREATE LOCATION my_location
WITH
SOURCE = ICEBERG
CATALOG = FILE_BASED
CATALOG_OPTIONS = (
URL = 's3://my-bucket/path/to/iceberg/table'
)
CREDENTIALS = ( AWS_ACCESS_KEY_ID = '1231' AWS_SECRET_ACCESS_KEY = '567' );
SELECT * FROM READ_ICEBERG(LOCATION => 'my_location') LIMIT 5;
```
**With access key, secret, and session token:**
```sql theme={"theme":{"light":"github-light","dark":"github-dark"}}
CREATE LOCATION my_location
WITH
SOURCE = ICEBERG
CATALOG = FILE_BASED
CATALOG_OPTIONS = (
URL = 's3://my-bucket/path/to/iceberg/table'
)
CREDENTIALS = ( AWS_ACCESS_KEY_ID = '1231' AWS_SECRET_ACCESS_KEY = '567' AWS_SESSION_TOKEN = 'session-token' );
SELECT * FROM READ_ICEBERG(LOCATION => 'my_location') LIMIT 5;
```
**With role:**
```sql theme={"theme":{"light":"github-light","dark":"github-dark"}}
CREATE LOCATION my_location
WITH
SOURCE = ICEBERG
CATALOG = FILE_BASED
CATALOG_OPTIONS = (
URL = 's3://my-bucket/path/to/iceberg/table'
)
CREDENTIALS = ( AWS_ROLE_ARN = 'arn:aws:iam::123456789012:role/S3Access' );
SELECT * FROM READ_ICEBERG(LOCATION => 'my_location') LIMIT 5;
```
**With role and external id:**
```sql theme={"theme":{"light":"github-light","dark":"github-dark"}}
CREATE LOCATION my_location
WITH
SOURCE = ICEBERG
CATALOG = FILE_BASED
CATALOG_OPTIONS = (
URL = 's3://my-bucket/path/to/iceberg/table'
)
CREDENTIALS = ( AWS_ROLE_ARN = 'arn:aws:iam::123456789012:role/S3Access' AWS_ROLE_EXTERNAL_ID = 'my-external-id' );
SELECT * FROM READ_ICEBERG(LOCATION => 'my_location') LIMIT 5;
```
### REST catalog
Used to access Iceberg in REST catalogs, that implement the [Iceberg REST API spec](https://github.com/apache/iceberg/blob/main/open-api/rest-catalog-open-api.yaml).
For generic REST Iceberg catalogs, use OAuth parameters for `CREDENTIALS`.
```sql theme={"theme":{"light":"github-light","dark":"github-dark"}}
CREATE LOCATION my_location
WITH
SOURCE = ICEBERG
CATALOG = REST
CATALOG_OPTIONS = (
URL = 'https://my-iceberg-rest-catalog/api'
WAREHOUSE = 'my_warehouse'
NAMESPACE = 'my_namespace'
TABLE = 'my_table_name'
)
CREDENTIALS = (
OAUTH_CLIENT_ID = '00000000-0000-0000-0000-000000000000'
OAUTH_CLIENT_SECRET = '1234'
OAUTH_SCOPE = 'example_permission:all'
-- OAUTH_SERVER_URL is only needed for REST catalogs that don't support the /v1/oauth/tokens endpoint. If /v1/oauth/tokens is supported, it can be omitted.
OAUTH_SERVER_URL = 'https://my-iceberg-rest-catalog/example/token'
);
SELECT * FROM READ_ICEBERG(LOCATION => 'my_location') LIMIT 5;
```
### Databricks Unity Catalog
Used to access Iceberg tables in a Databricks Unity Catalog. Offered as syntactic sugar on top of `CATALOG = REST`, for users who may be more familiar with Databricks Unity Catalog terminology.
For configuring Unity Catalog in your Databricks workspace, see [Databricks - Set up and manage Unity Catalog](https://docs.databricks.com/aws/en/data-governance/unity-catalog/get-started). Note that you will need to enable credential vending in your Unity Catalog, see [Databricks - Unity Catalog credential vending for external system access](https://docs.databricks.com/aws/en/external-access/credential-vending).
For general information about reading Databricks tables from Iceberg clients, see [Databricks - Read Databricks tables from Iceberg clients](https://docs.databricks.com/gcp/en/external-access/iceberg).
For Databricks Unity Catalogs, use OAuth parameters for `CREDENTIALS`.
```sql theme={"theme":{"light":"github-light","dark":"github-dark"}}
CREATE LOCATION my_location
WITH
SOURCE = ICEBERG
CATALOG = DATABRICKS_UNITY
CATALOG_OPTIONS = (
WORKSPACE_INSTANCE = '000-0000000000000.cloud.databricks.com'
CATALOG = 'my_uc_catalog_name'
SCHEMA = 'my_uc_schema_name'
TABLE = 'my_uc_table_name'
)
CREDENTIALS = (
OAUTH_CLIENT_ID = '00000000-0000-0000-0000-000000000000'
OAUTH_CLIENT_SECRET = '1234'
-- OAUTH_SCOPE and OAUTH_SERVER_URL are not needed
);
SELECT * FROM READ_ICEBERG(LOCATION => 'my_location') LIMIT 5;
```
If you're using a PAT [Databricks - Authenticate with Databricks personal access tokens (legacy)](https://docs.databricks.com/aws/en/dev-tools/auth/pat), you can pass it via the `BEARER_TOKEN` parameter.
```sql theme={"theme":{"light":"github-light","dark":"github-dark"}}
CREATE LOCATION my_location
WITH
SOURCE = ICEBERG
CATALOG = DATABRICKS_UNITY
CATALOG_OPTIONS = (
WORKSPACE_INSTANCE = '000-0000000000000.cloud.databricks.com'
CATALOG = 'my_uc_catalog_name'
SCHEMA = 'my_uc_schema_name'
TABLE = 'my_uc_table_name'
)
CREDENTIALS = (
BEARER_TOKEN = '1234abcd'
-- No OAUTH_ parameters are needed
);
SELECT * FROM READ_ICEBERG(LOCATION => 'my_location') LIMIT 5;
```
### Snowflake Open catalog (as a generic REST catalog)
Iceberg tables in Snowflake Open Catalog can currently be read by using a `LOCATION` with `CATALOG = REST`.
For setting up a Snowflake Open Catalog in your account, see [Snowflake - Snowflake Open Catalog overview](https://other-docs.snowflake.com/en/opencatalog/overview). Note that you will need to enable credential vending for your Iceberg tables, see [Snowflake - Use catalog-vended credentials for Apache Iceberg™ tables](https://docs.snowflake.com/en/user-guide/tables-iceberg-configure-catalog-integration-vended-credentials).
For general information about reading Snowflake Open Catalog tables from Iceberg clients, see [Snowflake - Checking your REST catalog configuration](https://docs.snowflake.com/en/user-guide/tables-iceberg-configure-catalog-integration-rest-check-config).
For Snowflake Open catalogs, use OAuth parameters for `CREDENTIALS`.
```sql theme={"theme":{"light":"github-light","dark":"github-dark"}}
CREATE LOCATION my_location
WITH
SOURCE = ICEBERG
CATALOG = REST
CATALOG_OPTIONS = (
URL = 'https://abc123.us-west-2.aws.myapi.com/polaris/api/catalog'
WAREHOUSE = 'my_warehouse'
NAMESPACE = 'my_catalog_name'
TABLE = 'my_table_name'
)
CREDENTIALS = (
OAUTH_CLIENT_ID = '00000000-0000-0000-0000-000000000000'
OAUTH_CLIENT_SECRET = '1234'
OAUTH_SCOPE = 'PRINCIPAL_ROLE:ALL'
-- OAUTH_SERVER_URL is not needed
);
SELECT * FROM READ_ICEBERG(LOCATION => 'my_location') LIMIT 5;
```
### AWS Glue catalog
Used to access Iceberg tables in AWS Glue Data Catalog.
**With access key and secret:**
```sql theme={"theme":{"light":"github-light","dark":"github-dark"}}
CREATE LOCATION my_location
WITH
SOURCE = ICEBERG
CATALOG = AWS_GLUE
CATALOG_OPTIONS = (
URL = 'https://glue.us-east-1.amazonaws.com/iceberg'
CATALOG_ID = '123456789123'
DATABASE = 'my_database'
TABLE = 'my_table'
)
CREDENTIALS = ( AWS_ACCESS_KEY_ID = '1231' AWS_SECRET_ACCESS_KEY = '567' );
SELECT * FROM READ_ICEBERG(LOCATION => 'my_location') LIMIT 5;
```
**With role:**
```sql theme={"theme":{"light":"github-light","dark":"github-dark"}}
CREATE LOCATION my_location
WITH
SOURCE = ICEBERG
CATALOG = AWS_GLUE
CATALOG_OPTIONS = (
URL = 'https://glue.us-east-1.amazonaws.com/iceberg'
CATALOG_ID = '123456789123'
DATABASE = 'my_database'
TABLE = 'my_table'
)
CREDENTIALS = ( AWS_ROLE_ARN = 'arn:aws:iam::123456789012:role/GlueAccess' );
SELECT * FROM READ_ICEBERG(LOCATION => 'my_location') LIMIT 5;
```
Your IAM credentials must have the following permissions:
```
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowGlueCatalogTableAccess",
"Effect": "Allow",
"Action": [
"glue:GetCatalog",
"glue:GetDatabase",
"glue:GetDatabases",
"glue:GetTable",
"glue:GetTables"
],
"Resource": [
"arn:aws:glue:*:{catalog_id}:table/*/*",
"arn:aws:glue:*:{catalog_id}:catalog",
"arn:aws:glue:*:{catalog_id}:database/{database_name}"
]
}
]
}
```
Your IAM credentials must also have permissions to access the underlying S3 storage. See [Use AWS roles to access S3](/guides/loading-data/configuring-aws-role-to-access-amazon-s3) for details. (Note that this may not be needed if you are using Lake Formation to manage access.)
**(Optional) Lake Formation**
If you use Lake Formation for access control, you'll need to grant your IAM credentials permissions to Lake Formation, and register the underlying S3 location with Lake Formation:
Your IAM credentials will need the `GetDataAccess` permission - see [AWS Lake Formation: Underlying data access control](https://docs.aws.amazon.com/lake-formation/latest/dg/access-control-underlying-data.html).
```
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "lakeformation:GetDataAccess",
"Resource": "*"
}
]
}
```
You'll need to register your underlying S3 storage location with Lake Formation - see [AWS Lake Formation: Adding an Amazon S3 location to your data lake](https://docs.aws.amazon.com/lake-formation/latest/dg/register-data-lake.html).
If you want Lake Formation to vend temporary credentials to access your underlying storage, you will need to configure Lake Formation to allow Firebolt's external engine to access data in your S3 - see [AWS Lake Formation: Application integration for full table access](https://docs.aws.amazon.com/lake-formation/latest/dg/full-table-credential-vending.html).
If credential vending is enabled, it is recommended to *not* grant your IAM credentials access to your underlying S3 storage. This helps ensure that any storage access is using the vended credentials only.