Creating Service Principal and Granting Workspace and Warehouse Access

Note: Consider the following:

- This feature is available as an early-access capability for Databricks on AWS. Customers receive access automatically and do not need to contact Flexera Support to enable it. We’re actively working to improve this capability, and your feedback is welcome.
- The Databricks bill connect is only available for Databricks on AWS. Support for other cloud vendors will be added in future releases.

To allow Flexera One to securely access Databricks billing and compute data, you first need to create a dedicated service principal and grant it the required permissions on the workspaces and SQL warehouses.

Creating a Service Principal

A service principal is an identity used by applications or services to access Databricks resources.

Note: You must have Admin access to the Databricks account console.

To create a service principal:

1. Sign in to the Databricks account console.
2. Go to User Management > Service principals.
3. Click Add service principal.
4. Enter a name for the service principal and click Add.
5. From the list, select the newly created service principal.
6. Click Generate secret.
7. Copy and securely store:
   - Client ID
   - Client secret

Note: The Client secret you generated is the OAuth client secret that Flexera uses to authenticate as this service principal. For more information, see the Databricks documentation topic, Authorize access to Databricks resources.

Granting Service Principal Access to Workspaces

You must grant the service principal access to each workspace that has billing and compute schemas enabled.

To grant the service principal access to Databricks workspaces:

1. Sign in to the Databricks account console.
2. Click Workspaces. From the workspaces list, locate each workspace where the billing and compute system schemas are enabled.
3. For each workspace, click the three vertical dots icon and select Update.
4. Open the Permissions tab and click Add permissions.
5. Add the service principal using the Client ID.
6. Assign the User permission to the service principal on each workspace.
7. Click Save.

Granting Service Principal Warehouse Access

You must ensure the service principal has the required access to the SQL warehouses in each workspace.

To grant the service principal access to SQL warehouses:

1. Sign in to the Databricks account console.
2. Click Workspaces. From the workspaces list, locate each workspace and copy the URL of the relevant workspace.
3. Paste the workspace URL in your browser and sign in to the workspace.
4. Go to SQL Warehouses and click Create SQL warehouse.
5. Configure the warehouse:
   - Name: Enter a name.
   - Size: Set Minimum compute size to 2X-SMALL.
   - Under Tags, add created_for: flexera.
6. Click Save.
7. After the warehouse is created, open it and click Permissions.
8. Grant the service principal access to the warehouse with the Can Use permission.
9. Click Save.
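
To confirm the warehouse ended up as these steps describe (2X-Small, tagged created_for: flexera, service principal limited to Can Use), the following added example, which is not Flexera or Databricks code, audits saved API output. It assumes the JSON shapes returned by GET /api/2.0/sql/warehouses/{id} and GET /api/2.0/permissions/warehouses/{id}; the sample data, the function name audit_warehouse and the all-zero Client ID are constructed placeholders.

```python
import json

# Constructed sample data, shaped like the Databricks REST responses for
# GET /api/2.0/sql/warehouses/{id} and GET /api/2.0/permissions/warehouses/{id}
# (assumed shape; confirm against your own workspace output).
WAREHOUSE = json.loads("""{"id": "wh-example", "name": "flexera-billing",
  "cluster_size": "2X-Small",
  "tags": {"custom_tags": [{"key": "created_for", "value": "flexera"}]}}""")
PERMISSIONS = json.loads("""{"object_id": "/sql/warehouses/wh-example",
  "access_control_list": [
    {"group_name": "admins",
     "all_permissions": [{"permission_level": "CAN_MANAGE", "inherited": true}]},
    {"service_principal_name": "00000000-0000-0000-0000-000000000000",
     "all_permissions": [{"permission_level": "CAN_USE", "inherited": false}]}]}""")


def audit_warehouse(warehouse, permissions, client_id):
    """Return a list of findings; an empty list means the setup matches the steps."""
    findings = []
    size = warehouse.get("cluster_size") or ""
    if size.upper() != "2X-SMALL":
        findings.append(f"size is {size!r}, expected 2X-Small")
    custom = (warehouse.get("tags") or {}).get("custom_tags") or []
    tags = {t["key"]: t["value"] for t in custom}
    if tags.get("created_for") != "flexera":
        findings.append("missing tag created_for: flexera")
    # Collect every permission level granted directly to the service principal.
    levels = set()
    for entry in permissions.get("access_control_list", []):
        if entry.get("service_principal_name") == client_id:
            levels |= {p["permission_level"] for p in entry.get("all_permissions", [])}
    if "CAN_USE" not in levels:
        findings.append("service principal lacks CAN_USE")
    extra = levels - {"CAN_USE"}
    if extra:
        findings.append(f"service principal holds more than CAN_USE: {sorted(extra)}")
    return findings


if __name__ == "__main__":
    sp = "00000000-0000-0000-0000-000000000000"  # placeholder Client ID
    print(audit_warehouse(WAREHOUSE, PERMISSIONS, sp) or "OK")
```

The check only sees grants made directly to the service principal; anything it gains through group membership appears under that group's entry and needs a separate review.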

Enabling Service Principal Databricks SQL Access

For your service principal to connect to a SQL warehouse and run SQL statements, it must have the Databricks SQL access entitlement in each workspace.

To grant the service principal the Databricks SQL access entitlement:

1. Sign in to the Databricks account console.
2. Click Workspaces. From the workspaces list, locate each workspace and copy the URL of the relevant workspace.
3. Paste the workspace URL in your browser and sign in to the workspace.
4. Click your username in the upper-right corner of the page and select Settings.
5. Click Identity and access.
6. Under Service principals, select the service principal you created for Flexera.
7. Turn on the Databricks SQL access entitlement.

You can grant this entitlement either:

- Directly on the service principal
- Indirectly via a group that has Databricks SQL access and includes the service principal

For detailed instructions, see the Databricks documentation topic, Manage entitlements.