What causes STAGE_ACCESS_DENIED?

The IAM role or storage integration's trust relationship was modified, removing Snowflake's external ID from the trusted principals. The S3 bucket policy or GCS bucket ACL was tightened to block the Snowflake storage integration's IAM role ARN. The external stage credentials (ACCESS_KEY_ID, SECRET_ACCESS_KEY) were rotated in the cloud provider but not updated in Snowflake

How do I fix STAGE_ACCESS_DENIED?

Step 1: Determine whether the stage uses a storage integration or direct credentials: DESCRIBE STAGE — look for the STORAGE_AWS_ROLE_ARN or credentials field.. Step 2: For storage integrations, run DESC INTEGRATION and verify that STORAGE_AWS_IAM_USER_ARN and STORAGE_AWS_EXTERNAL_ID are still present in the cloud IAM role's trust policy.. Step 3: For credential-based stages, check that the access key and secret stored in the stage definition are still valid and have the required s3:GetObject / storage.objects.get permissions.. Step 4: Use LIST @ as a quick connectivity test — a successful listing confirms the credentials are working.

High severitypermission

Power BI Refresh Error:
STAGE_ACCESS_DENIED

What does this error mean?

A Snowflake COPY INTO, GET, or PUT operation failed because Snowflake could not access the external cloud storage location (S3, GCS, or Azure Blob) referenced by the external stage due to a credential or permission error.

Common causes

1The IAM role or storage integration's trust relationship was modified, removing Snowflake's external ID from the trusted principals
2The S3 bucket policy or GCS bucket ACL was tightened to block the Snowflake storage integration's IAM role ARN
3The external stage credentials (ACCESS_KEY_ID, SECRET_ACCESS_KEY) were rotated in the cloud provider but not updated in Snowflake

How to fix it

1Step 1: Determine whether the stage uses a storage integration or direct credentials: DESCRIBE STAGE <name> — look for the STORAGE_AWS_ROLE_ARN or credentials field.
2Step 2: For storage integrations, run DESC INTEGRATION <name> and verify that STORAGE_AWS_IAM_USER_ARN and STORAGE_AWS_EXTERNAL_ID are still present in the cloud IAM role's trust policy.
3Step 3: For credential-based stages, check that the access key and secret stored in the stage definition are still valid and have the required s3:GetObject / storage.objects.get permissions.
4Step 4: Use LIST @<stage_name> as a quick connectivity test — a successful listing confirms the credentials are working.

Frequently asked questions

How often do external stage credentials need to be rotated?

Storage integrations using IAM roles do not expire, but key-based credentials should be rotated per your organization's secret rotation policy. Snowflake does not automatically warn you when stored access keys are rotated externally.

Can I test stage access without running a full COPY?

Yes. LIST @<stage_name> or SELECT METADATA$FILENAME FROM @<stage_name> are lightweight tests that validate connectivity and permissions without loading any data.