Aug 13, 2024

GPT Actions library - Snowflake Direct

Open in Github

This particular GPT Action provides an overview of how to connect to a Snowflake Data Warehouse. This Action takes a user’s question, scans the relevant tables to gather the data schema, then writes a SQL query to answer the user’s question.

Note: This cookbook returns back a ResultSet SQL statement, rather than the full result that is not limited by GPT Actions application/json payload limit. For production and advanced use-case, a middleware is required to return back a CSV file. You can follow instructions in the GPT Actions - Snowflake Middleware cookbook to implement this flow instead.

Value: Users can now leverage ChatGPT's natural language capability to connect directly to Snowflake’s Data Warehouse.

Example Use Cases:

  • Data scientists can connect to tables and run data analyses using ChatGPT's Data Analysis
  • Citizen data users can ask basic questions of their transactional data
  • Users gain more visibility into their data & potential anomalies

Before you get started, make sure you go through the following steps in your application environment:

  • Provision a Snowflake Data Warehouse
  • Ensure that the user authenticating into Snowflake via ChatGPT has access to the database, schemas, and tables with the necessary role
**Context**: You are an expert at writing Snowflake SQL queries. A user is going to ask you a question. 

**Instructions**:
1. No matter the user's question, start by running `runQuery` operation using this query: "SELECT column_name, table_name, data_type, comment FROM {database}.INFORMATION_SCHEMA.COLUMNS" 
-- Assume warehouse = "<insert your default warehouse here>", database = "<insert your default database here>", unless the user provides different values 
2. Convert the user's question into a SQL statement that leverages the step above and run the `runQuery` operation on that SQL statement to confirm the query works. Add a limit of 100 rows
3. Now remove the limit of 100 rows and return back the query for the user to see
4. Use the <your_role> role when querying Snowflake
5. Run each step in sequence. Explain what you are doing in a few sentences, run the action, and then explain what you learned. This will help the user understand the reason behind your workflow. 

**Additional Notes**: If the user says "Let's get started", explain that the user can provide a project or dataset, along with a question they want answered. If the user has no ideas, suggest that we have a sample flights dataset they can query - ask if they want you to query that

OpenAPI Schema

Once you've created a Custom GPT, copy the text below in the Actions panel. Update the servers url to match your Snowflake Account Name url plus /api/v2 as described here. Have questions? Check out Getting Started Example to see how this step works in more detail.

openapi: 3.1.0
info:
  title: Snowflake Statements API
  version: 1.0.0
  description: API for executing statements in Snowflake with specific warehouse and role settings.
servers:
  - url: 'https://<orgname>-<account_name>.snowflakecomputing.com/api/v2'


paths:
  /statements:
    post:
      summary: Execute a SQL statement in Snowflake
      description: This endpoint allows users to execute a SQL statement in Snowflake, specifying the warehouse and roles to use.
      operationId: runQuery
      tags:
        - Statements
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              properties:
                warehouse:
                  type: string
                  description: The name of the Snowflake warehouse to use for the statement execution.
                role:
                  type: string
                  description: The Snowflake role to assume for the statement execution.
                statement:
                  type: string
                  description: The SQL statement to execute.
              required:
                - warehouse
                - role
                - statement
      responses:
        '200':
          description: Successful execution of the SQL statement.
          content:
            application/json:
              schema:
                type: object
                properties:
                  status:
                    type: string
                  data:
                    type: object
                    additionalProperties: true
        '400':
          description: Bad request, e.g., invalid SQL statement or missing parameters.
        '401':
          description: Authentication error, invalid API credentials.
        '500':
          description: Internal server error.

Below are instructions on setting up authentication with this 3rd party application. Have questions? Check out Getting Started Example to see how this step works in more detail.

Before you set up authentication in ChatGPT, please take the following steps in Snowflake.

1. Optional: Configure IP Whitelisting for ChatGPT

Snowflake accounts with network policies that limit connections by IP, may require exceptions to be added for ChatGPT.

  • Review the Snowflake documentation on Network Policies
  • Go to the Snowflake Worksheets
  • Create a network rule with the ChatGPT IP egress ranges listed here
  • Create a corresponding Network Policy
## Example with ChatGPT IPs as of October 23, 2024
## Make sure to get the current IP ranges from https://platform.openai.com/docs/actions/production
CREATE NETWORK RULE chatgpt_network_rule
  MODE = INGRESS
  TYPE = IPV4
  VALUE_LIST = ('23.102.140.112/28',
                '13.66.11.96/28',
                '104.210.133.240/28',
                '70.37.60.192/28',
                '20.97.188.144/28',
                '20.161.76.48/28',
                '52.234.32.208/28',
                '52.156.132.32/28',
                '40.84.220.192/28',
                '23.98.178.64/28',
                '51.8.155.32/28',
                '20.246.77.240/28',
                '172.178.141.0/28',
                '172.178.141.192/28',
                '40.84.180.128/28');

CREATE NETWORK POLICY chatgpt_network_policy
  ALLOWED_NETWORK_RULE_LIST = ('chatgpt_network_rule');

Network policies can be applied at the account, security integration, and user level. The most specific network policy overrides the more general network policies. Depending on how these policies are applied, you may need to alter the policies for individual users in addition to the security integration. If you face this issue, you may encounter Snowflake's error code 390422.

CREATE SECURITY INTEGRATION CHATGPT_INTEGRATION
  TYPE = OAUTH
  ENABLED = TRUE
  OAUTH_CLIENT = CUSTOM
  OAUTH_CLIENT_TYPE = 'CONFIDENTIAL'
  OAUTH_REDIRECT_URI = 'https://oauth.pstmn.io/v1/callback' --- // this is a temporary value while testing your integration. You will replace this with the value your GPT provides
  OAUTH_ISSUE_REFRESH_TOKENS = TRUE
  OAUTH_REFRESH_TOKEN_VALIDITY = 7776000
  NETWORK_POLICY = chatgpt_network_policy; --- // this line should only be included if you followed step 1 above
  • Retrieve your OAuth Client ID, Auth URL, and Token URL
DESCRIBE SECURITY INTEGRATION CHATGPT_INTEGRATION;

You’ll find the required information in these 3 columns:

../../../images/snowflake_direct_oauth.png

  • Retrieve your OAuth Client Secret using SHOW_OAUTH_CLIENT_SECRETS
SELECT 
trim(parse_json(SYSTEM$SHOW_OAUTH_CLIENT_SECRETS('CHATGPT_INTEGRATION')):OAUTH_CLIENT_ID) AS OAUTH_CLIENT_ID
, trim(parse_json(SYSTEM$SHOW_OAUTH_CLIENT_SECRETS('CHATGPT_INTEGRATION')):OAUTH_CLIENT_SECRET) AS OAUTH_CLIENT_SECRET;

In ChatGPT, click on "Authentication" and choose "OAuth". Enter in the information below.

Form FieldValue
Authentication TypeOAuth
Client IDOAUTH_CLIENT_ID from SHOW_OAUTH_CLIENT_SECRETS
Client SecretOAUTH_CLIENT_SECRET from SHOW_OAUTH_CLIENT_SECRETS
Authorization URLOAUTH_AUTHORIZATION_ENDPOINT from DESCRIBE SECURITY INTEGRATION
Token URLOAUTH_TOKEN_ENDPOINT from DESCRIBE SECURITY INTEGRATION
Scopesession:role:your_role*
Token Exchange MethodDefault (POST Request)

*Snowflake scopes pass the role in the format session:role:<your_role> for example session:role:CHATGPT_INTEGRATION_ROLE. It's possible to leave this empty and specify the role in the instructions, but by adding it here it becomes included in OAuth Consent Request which can sometimes be more reliable.

Once you've set up authentication in ChatGPT, follow the steps below in the application to finalize the Action.

  • Copy the callback URL from the GPT Action
  • Update the Redirect URI in your Security Integration to the callback URL provided in ChatGPT.
ALTER SECURITY INTEGRATION CHATGPT_INTEGRATION SET OAUTH_REDIRECT_URI='https://chat.openai.com/aip/<callback_id>/oauth/callback';
  • This guide is intended to illustrate general concepts and is provided for reference purposes only. We are unable to provide full support for the third party API integration.
  • The callback url can change if you update the YAML, double check it is correct when making changes.
  • Callback URL Error: If you get a callback URL error in ChatGPT, pay close attention to the Post-Action Steps above. You need to add the callback URL directly into your Security Integration for the action to authenticate correctly
  • Schema calls the wrong warehouse or database: If ChatGPT calls the wrong warehouse or database, consider updating your instructions to make it more explicit either (a) which warehouse / database should be called or (b) to require the user provide those exact details before it runs the query

Are there integrations that you’d like us to prioritize? Are there errors in our integrations? File a PR or issue in our github, and we’ll take a look.