search

Snowflake-Labs / sfguide-getting-started-with-cortex-analyst

Apache License 2.0
34 stars 41 forks source link

Cortex Analyst: Issues with Authentication? #4

Open mau-dra opened 1 week ago

mau-dra commented 1 week ago

Hi all,

I'm trying to follow your example to set up Cortex Analyst on a streamlit app and was initially able to get results but after Nov 12, I'm getting a new error. "Unauthorized to call Cortex Analyst"

Screenshot 2024-11-13 at 2 29 30 PM

this is what it looked like before: Screenshot 2024-11-08 at 4 58 31 PM

I'm using the code from https://github.com/Snowflake-Labs/sfguide-getting-started-with-cortex-analyst/blob/4faa4cc5e4d13022a0b9aa8cd53add9b97da5f22/cortex_analyst_sis_demo_app.py#L150

    resp = _snowflake.send_snow_api_request(
        "POST",  # method
        API_ENDPOINT,  # path
        {},  # headers
        {},  # params
        request_body,  # body
        None,  # request_guid
        API_TIMEOUT,  # timeout in milliseconds
    )

My app is being deployed in development mode to snowflake.

From reading the code in this repo, I'm under the impression that the code above should include authentication under the hood, else the examples here wouldn't work.

Additionally, I went ahead and attempted to fetch from the api outside of snowflake / streamlit by using the following code:

    resp = requests.post(
        url=f"https://{host}/api/v2/cortex/analyst/message",
        json=request_body,
        headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
            "X-Snowflake-Authorization-Token-Type": "KEYPAIR_JWT",
        },
    )

where host is the https://{account_identifier}.snowflakecomputing.com and I got a successful response.

I attempted to pass in the same headers to the _snowflake.send_snow_api_request but kept getting the same Unauthorized to call Cortex Analyst response.

Please let me know a good way to interact with the Cortex Analyst api within Snowflake / Streamlit.

Mauricio

sfc-gh-vvenugopal commented 1 week ago

Hi @mau-dra, you need to use a role that has the SNOWFLAKE.CORTEX_USER role granted as detailed here: https://docs.snowflake.com/en/user-guide/snowflake-cortex/cortex-analyst#access-control-requirements

By default, this role is granted to all accounts, but your accountadmin may have implemented more fine-grained access control for this.

mau-dra commented 1 week ago

hi @sfc-gh-vvenugopal

I did ensure I added the right permissions, below are the sql queries I ran to create a role and grant required permissions:

CREATE OR REPLACE ROLE CORTEX_ANALYST;
GRANT DATABASE ROLE SNOWFLAKE.CORTEX_USER TO ROLE CORTEX_ANALYST;
GRANT USAGE ON WAREHOUSE wh-name TO ROLE CORTEX_ANALYST;
GRANT ROLE CORTEX_ANALYST TO USER user-role;

Then switched over to said role, and attempted to use Cortex Analyst via the API and get the same error.

notice the bottom left of the screen: Screenshot 2024-11-13 at 5 11 51 PM

still seeing the same error: Screenshot 2024-11-13 at 5 13 31 PM

I'm not entirely sure why I might be seeing this. This started happening yesterday which coincidentally matches with the date when cortex analyst stopped being "free".

image (1)

I also saw here https://docs.snowflake.com/en/user-guide/snowflake-cortex/cortex-analyst that there is a flag that can be set on the account to "disable cortex analyst", and I ran the following sql which sets it to TRUE (enabling the feature)

USE ROLE ACCOUNTADMIN;
ALTER ACCOUNT SET ENABLE_CORTEX_ANALYST = TRUE;

do you all know if there are perhaps some account settings that must be enabled or something similar?