Getting Started
To use Chaos Genius, you will need to connect your Snowflake account. From the Chaos Genius app, hover over the user icon in the top right and click on “Add New Connection”.
Step 1 - Create CHAOSGENIUS
user
To allow Chaos Genius to access metadata from your Snowflake account, you need to create a special user. This user only has access to specific account-level and organization-level metadata.
Run the following SQL script as an ACCOUNTADMIN to set up this user. Modify the password
to a good, randomly generated string.
use role ACCOUNTADMIN;
CREATE WAREHOUSE CHAOSGENIUS_WH with WAREHOUSE_SIZE = 'XSMALL' AUTO_SUSPEND=60 INITIALLY_SUSPENDED=TRUE;
create role CHAOSGENIUS_ROLE;
create user CHAOSGENIUS password = '<insert-new-password>' default_role = CHAOSGENIUS_ROLE;
grant USAGE on WAREHOUSE CHAOSGENIUS_WH to role CHAOSGENIUS_ROLE;
grant OPERATE on WAREHOUSE CHAOSGENIUS_WH to role CHAOSGENIUS_ROLE;
grant role CHAOSGENIUS_ROLE to user CHAOSGENIUS;
grant imported privileges on database snowflake to role CHAOSGENIUS_ROLE;
grant monitor usage on account to role CHAOSGENIUS_ROLE;
create or replace network policy CHAOSGENIUS_NETWORK_POLICY ALLOWED_IP_LIST = ('18.236.195.203', '75.101.128.45', '52.19.244.220', '52.220.11.24');
alter user CHAOSGENIUS set network_policy = CHAOSGENIUS_NETWORK_POLICY;
Step 2 - Add your Snowflake account to Chaos Genius
Click on "Setup Account" and fill in the details:
- Connection Name: a name for your Snowflake account connection. It can anything of your choosing.
- Account Identifier: the unique identifier of your Snowflake account. This is what you would use to connect to the account from external tools or SDKs, for example
ab12345.us-west-1
. See the Snowflake documentation on this for more information. - Role: role of the Chaos Genius user. Should be
CHAOSGENIUS_ROLE
. - Warehouse: name of the Virtual Warehouse created for the Chaos Genius user. Should be
CHAOSGENIUS_WH
. - User name: name of the Chaos Genius user. Should be
CHAOSGENIUS
. - Password: the password you selected for the Chaos Genius user.
- Database: should be
SNOWFLAKE
, which is Snowflake's internal metadata DB.
Step 3 - Add or confirm billing rates
We try to automatically determine the per-credit compute and per-TB storage rates for your account. This can fail in some cases - for example when credits have been bought through a Snowflake reseller. In that case, you will need to manually enter your billing rates.
The following information is either pre-filled or you may need to manually enter them:
- Compute cost: USD charged per credit of Snowflake compute usage.
- Storage cost: USD charged per TB of storage used in a month.
- Snowflake edition: edition of Snowflake. Also known as "service level". Must be either "Standard" or "Enterprise".
Step 4 - (Optional) Additional permissions for Query Recommendations
Query Recommendations will not be available if this step is not done.
To enable query recommendations, Chaos Genius needs query-level profiling data which is only available with the MONITOR
privilege on each virtual warehouse.
Run the following SQL script as an ACCOUNTADMIN to set up an Snowflake Task that grants the MONITOR
privilege to all warehouses. The task is run everyday to ensure all warehouses are covered.
use role ACCOUNTADMIN;
create database if not exists chaosgenius;
-- Give access to `chaosgenius` database to CHAOSGENIUS_ROLE
grant select on future tables in database chaosgenius to role CHAOSGENIUS_ROLE;
grant select on all tables in database chaosgenius to role CHAOSGENIUS_ROLE;
grant usage, monitor on database chaosgenius to role CHAOSGENIUS_ROLE;
grant usage, monitor on all schemas in database chaosgenius to role CHAOSGENIUS_ROLE;
-- ####### QUERY RECOMMENDATIONS PRIVILEGES
-- This procedure provides MONITOR access to Chaos Genius on all warehouses.
create or replace procedure chaosgenius.public.grant_monitor_on_all_whs()
-- the return value is a status message for each WH
returns varchar not null
language javascript
-- when called, this procedure will run with privileges of the owner
-- i.e., the account that created this procedure (usually ACCOUNTADMIN)
execute as owner
as
$$
// we build up the return value string
let ret = "MONITOR access granted on: ";
// get all warehouses
const res = snowflake.execute( {sqlText: "SHOW WAREHOUSES;"} );
// iterate through each row
while (res.next()) {
// extract the warehouse name
const whName = '"' + res.getColumnValue(1).replaceAll('"', '""') + '"';
// add each WH processed to the return value
ret += "\n- " + whName;
const grantQuery = `grant MONITOR on WAREHOUSE IDENTIFIER(:1) to role CHAOSGENIUS_ROLE;`;
ret += "\n\tGrant Query: " + grantQuery;
// - the MONITOR privilege on a virtual WAREHOUSE provides
// access to metadata of queries executed on the warehouse.
// reference: https://docs.snowflake.com/en/user-guide/security-access-control-privileges#virtual-warehouse-privileges
// - we use variable binds to ensure that there is no possibility of SQL injection through Warehouse names
try {
snowflake.execute( {sqlText: grantQuery, binds: [whName]} );
} catch (err) {
ret += "\n\tQuery Failed for " + whName;
ret += "\n\tCode: " + err.code;
ret += "\n\tState: " + err.state;
ret += "\n\tMessage: " + err.message;
ret += "\n\tStack Trace:\n" + err.stackTraceTxt;
}
}
return ret;
$$
;
call chaosgenius.public.grant_monitor_on_all_whs();
-- we run this procedure everyday to ensure that any new WHs are also granted
create or replace task chaosgenius.public.chaosgenius_grant_monitor_on_all_whs
USER_TASK_MANAGED_INITIAL_WAREHOUSE_SIZE = 'XSMALL'
SCHEDULE = '1440 minute'
as
call chaosgenius.public.grant_monitor_on_all_whs();
-- a task is initially suspended. we start the task here.
alter task chaosgenius.public.chaosgenius_grant_monitor_on_all_whs resume;