Creating a Service Principal and Granting Workspace and Warehouse Access
This feature is available as an early‑access capability for Databricks. To enable it for your account, contact Flexera Support. For more information, see Contacting Flexera Support.
To allow Flexera One to securely access Databricks billing and compute data, you first need to create a dedicated service principal and grant it the required permissions on the workspaces and SQL warehouses.
Creating a Service Principal
A service principal is an identity used by applications or services to access Databricks resources.
You must have Admin access to the Databricks account console.
To create a service principal:
-
Sign in to the Databricks account console.
-
Go to User Management > Service principals.
-
Click Add service principal.
-
Enter a name for the service principal and click Add.
-
From the list, select the newly created service principal.
-
Click Generate secret.
-
Copy and securely store:
- Client ID
- Client secret
noteThe Client secret you generated is the OAuth client secret that Flexera uses to authenticate as this service principal. For more information, see the Databricks documentation topic, Authorize access to Databricks resources.
Granting Service Principal Access to Workspaces
You must repeat the following steps for at least one workspace in every region that needs to be indexed.
You must grant the service principal access to the workspace that has system tables enabled and a warehouse accessible. Ensure there is at least one such workspace in every region whose Databricks cost and usage you want Flexera One to ingest.
To grant the service principal access to Databricks workspaces:
- Sign in to the Databricks account console.
- Click Workspaces. From the workspaces list, locate each workspace (at least one per region) with a tagged warehouse and system tables enabled.
- For each workspace, click the workspace name to open it.
- Open the Permissions tab and click Add permissions.
- Add the service principal using the Client ID.
- Assign the User permission to the service principal on each workspace.
- Click Save.
Granting Service Principal Warehouse Access and Databricks SQL Access
You must repeat the following steps for at least one workspace in every region that needs to be indexed.
The service principal must have access to an SQL warehouse in the relevant region to allow Flexera One to pull billing and compute data. For your service principal to connect to an SQL warehouse and run SQL statements, it must have the Databricks SQL access entitlement in each workspace.
To grant the service principal access to an SQL warehouse and the Databricks SQL access entitlement:
-
Sign in to the Databricks account console.
-
Click Workspaces. From the workspaces list, click the workspace name to open it.
-
Go to SQL Warehouses and click Create SQL warehouse. The New SQL warehouse page opens.
-
Configure the warehouse:
- Name—Enter a name.
- Cluster size—Set the size to
2X-Small. - Type—Select Serverless.
- Tags—Enter Key as
created_forand Value asflexera.
-
Click Create. The Manage permissions page for the new warehouse opens.
-
From the dropdown list, select the service principal and grant the service principal access to the warehouse with the Can use permission.
-
Click Add.
-
To grant the Databricks SQL access entitlement to the service principal, complete the following steps:
- Click your username in the upper-right corner of the page and select Settings.
- Click the Identity and access tab.
- Click Manage next to Service principals, and then select the service principal you created for Flexera.
- Select the Databricks SQL access entitlement checkbox, if not already selected.
noteYou can grant this entitlement either:
- Directly on the service principal.
- Indirectly through a group that has Databricks SQL access and includes the service principal. For detailed instructions, see the Databricks documentation topic, Manage entitlements.
- Click Update.