diff --git a/sceptre/synapseprod/config/prod/snowflake-access.yaml b/sceptre/synapseprod/config/prod/snowflake-access.yaml
new file mode 100644
index 00000000..6893a6d1
--- /dev/null
+++ b/sceptre/synapseprod/config/prod/snowflake-access.yaml
@@ -0,0 +1,6 @@
+template:
+ path: snowflake-access.yaml
+stack_name: snowflake-accesss
+parameters:
+ SnowflakeAccountArn: !ssm /infra/SnowflakeAccountArn
+ SnowflakeAccountExternalId: !ssm /infra/SnowflakeAccountExternalId
\ No newline at end of file
diff --git a/sceptre/synapseprod/templates/snowflake-access.yaml b/sceptre/synapseprod/templates/snowflake-access.yaml
new file mode 100644
index 00000000..3189ed86
--- /dev/null
+++ b/sceptre/synapseprod/templates/snowflake-access.yaml
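Review bot: `stack_name: snowflake-accesss` carries a doubled `s`, and because the template's output is exported as `${AWS::Region}-${AWS::StackName}-SnowflakeServiceRoleArn`, that misspelling becomes part of the export name every consumer must import. A stack name cannot be changed in place, so correcting it later means replacing the stack and its IAM role; suggest `stack_name: snowflake-access` before the first deploy. The file also ends without a trailing newline (`\ No newline at end of file`), which some YAML tooling flags.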
@@ -0,0 +1,61 @@
+Description: Setup cross account IAM access. Give user in another AWS account access to resources.
+AWSTemplateFormatVersion: 2010-09-09
+Parameters:
+ SnowflakeAccountArn:
+ Type: String
+ SnowflakeAccountExternalId:
+ Type: String
+Resources:
+ SnowflakeServicePolicy:
+ Type: 'AWS::IAM::ManagedPolicy'
+ Properties:
+ PolicyDocument: |
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "s3:GetObject",
+ "s3:GetObjectVersion"
+ ],
+ "Resource": "arn:aws:s3:::prod.datawarehouse.sagebase.org/warehouse/*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "s3:ListBucket",
+ "s3:GetBucketLocation"
+ ],
+ "Resource": "arn:aws:s3:::prod.datawarehouse.sagebase.org",
+ "Condition": {
+ "StringLike": {
+ "s3:prefix": [ "warehouse/*" ]
+ }
+ }
+ }
+ ]
+ }
+ SnowflakeServiceRole:
+ Type: "AWS::IAM::Role"
+ Properties:
+ Path: "/"
+ ManagedPolicyArns:
+ - !Ref SnowflakeServicePolicy
+ AssumeRolePolicyDocument:
+ Version: 2012-10-17
+ Statement:
+ - Effect: Allow
+ Principal:
+ AWS: !Sub ${SnowflakeAccountArn}
+ Action:
+ - sts:AssumeRole
+ - sts:TagSession
+ Condition:
+ StringEquals:
+ sts:ExternalId: !Sub ${SnowflakeAccountExternalId}
+Outputs:
+ SnowflakeServiceRoleArn:
+ Value: !GetAtt SnowflakeServiceRole.Arn
+ Export:
+ Name: !Sub '${AWS::Region}-${AWS::StackName}-SnowflakeServiceRoleArn'
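Review bot: In SnowflakeServicePolicy the second statement puts `s3:GetBucketLocation` under the same `s3:prefix` StringLike condition as `s3:ListBucket`; GetBucketLocation requests do not appear to carry an `s3:prefix` key, and a condition whose key is absent evaluates false, so that action is probably never actually granted — worth verifying against the Snowflake integration's needs and either dropping it or moving it to its own unconditioned statement on the bucket ARN. The trust policy correctly pins the external ID, but `AWS: !Sub ${SnowflakeAccountArn}` and `sts:ExternalId: !Sub ${SnowflakeAccountExternalId}` are plain parameter references and read more clearly as `!Ref SnowflakeAccountArn` / `!Ref SnowflakeAccountExternalId`. The managed policy is embedded as a JSON block scalar while the trust policy is native YAML, which leaves the bucket name `prod.datawarehouse.sagebase.org` hard-coded and unreachable by `!Sub`; converting it to the same YAML form as AssumeRolePolicyDocument would allow the bucket to become a parameter and keep the two documents consistent.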