Snowflake Extraction Error: Failure using stage area; Cause: Access Denied (Status Code: 403; Error Code: AccessDenied)

Problem

A message similar to the following appears in the Snowflake extractor log.

### Error querying database.  Cause: net.snowflake.client.jdbc.SnowflakeSQLException: Failure using stage area. Cause: [Access Denied (Status Code: 403; Error Code: AccessDenied)]
### The error may exist in file [/var/lib/jenkins/workspace/Connector Snowflake/manta-connector-snowflake-dictionary-extractor/target/classes/eu/profinit/manta/connector/snowflake/dictionary/extractor/mappers/information_schema/StageMapper.xml]
### The error may involve defaultParameterMap
### The error occurred while setting parameters
### SQL: LIST @"automated_test"."manta"."EXSTAGE1"
### Cause: net.snowflake.client.jdbc.SnowflakeSQLException: Failure using stage area. Cause: [Access Denied (Status Code: 403; Error Code: AccessDenied)]
; Failure using stage area. Cause: [Access Denied (Status Code: 403; Error Code: AccessDenied)]; nested exception is net.snowflake.client.jdbc.SnowflakeSQLException: Failure using stage area. Cause: [Access Denied (Status Code: 403; Error Code: AccessDenied)]
    at org.springframework.jdbc.support.SQLStateSQLExceptionTranslator.doTranslate(SQLStateSQLExceptionTranslator.java:104)
        ...
Caused by: net.snowflake.client.jdbc.SnowflakeSQLException: Failure using stage area. Cause: [Access Denied (Status Code: 403; Error Code: AccessDenied)]
    ... 44 more

More Details

This error occurs under two circumstances.

  1. When the extractor encounters an unpaired external stage. An unpaired external stage is one that is not correctly paired with any cloud server, for example, because incorrect or expired security credentials are used for authorization on the cloud server.
    Amazon S3 example:

    create or replace stage my_s3_stage url='s3://mybucket/encrypted_files/'
      credentials=(aws_key_id='1a2b3c' aws_secret_key='4x5y6z'); //credentials must be correct for successful pairing
    

    The example defines an S3 external stage. Both aws_key_id and aws_secret_key must be correct for the stage to be paired. Similar behavior could probably occur with GCS and Azure external stages, but this has not been tested.

  2. If the error persists even though the security credentials are correct, the logged-in user does not have privileges to read from the cloud server. In Amazon S3, the user needs AmazonS3ReadOnlyAccess.

Unpaired stages are skipped.

Solution

  1. Validate whether the stage is correctly paired; validate that the user credentials are correct.

  2. Validate the Amazon S3 access permissions for the user owning the stage.
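To find out which stages need the validation described in the steps above, the following added example (not part of the original article or of the extractor) scans an extractor log for `LIST @...` statements that failed with 403 AccessDenied and returns the affected stages. It assumes the log block layout shown in the Problem section; the sample log, the function names and the EXSTAGE2 entry are constructed for illustration.

```python
import re

# Constructed sample modelled on the log excerpt in the Problem section.
# The EXSTAGE2 block (a different error) is invented to show the filtering.
SAMPLE_LOG = '''\
### Error querying database.  Cause: net.snowflake.client.jdbc.SnowflakeSQLException: Failure using stage area. Cause: [Access Denied (Status Code: 403; Error Code: AccessDenied)]
### The error may involve defaultParameterMap
### SQL: LIST @"automated_test"."manta"."EXSTAGE1"
### Cause: net.snowflake.client.jdbc.SnowflakeSQLException: Failure using stage area. Cause: [Access Denied (Status Code: 403; Error Code: AccessDenied)]
    at org.springframework.jdbc.support.SQLStateSQLExceptionTranslator.doTranslate(SQLStateSQLExceptionTranslator.java:104)
### Error querying database.  Cause: net.snowflake.client.jdbc.SnowflakeSQLException: Failure using stage area. Cause: [Not Found (Status Code: 404; Error Code: NoSuchBucket)]
### SQL: LIST @"automated_test"."manta"."EXSTAGE2"
### Error querying database.  Cause: net.snowflake.client.jdbc.SnowflakeSQLException: Failure using stage area. Cause: [Access Denied (Status Code: 403; Error Code: AccessDenied)]
### SQL: LIST @"automated_test"."manta"."EXSTAGE1"
'''

START = re.compile(r"^### Error querying database\.")
STATUS = re.compile(r"\(Status Code: (\d+); Error Code: (\w+)\)")
LIST_SQL = re.compile(r"^### SQL: LIST @(.+?)\s*$")
IDENT = re.compile(r'"((?:[^"]|"")+)"|([A-Za-z_][\w$]*)')

def split_stage(name):
    """Split db.schema.stage, honouring quoted identifiers that contain dots."""
    return tuple(q.replace('""', '"') if q else u for q, u in IDENT.findall(name))

def denied_stages(log_text):
    """Return {(db, schema, stage): count} for LIST calls that failed with 403 AccessDenied."""
    hits, status = {}, None
    for line in log_text.splitlines():
        if START.match(line):              # a new error block begins
            m = STATUS.search(line)
            status = m.groups() if m else None
            continue
        m = LIST_SQL.match(line)
        if m and status == ("403", "AccessDenied"):
            key = split_stage(m.group(1))
            hits[key] = hits.get(key, 0) + 1
        if m:
            status = None                  # block consumed; wait for the next one
    return hits

if __name__ == "__main__":
    for stage, count in denied_stages(SAMPLE_LOG).items():
        print(".".join(stage), "failed with 403 AccessDenied", count, "time(s)")
```

Each stage returned is a candidate for checking first the stage credentials and then the S3 read permissions.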