Data Connections

Connecting a Databricks account

Overview

To onboard your Databricks environment to DigiUsher, create a service principal and grant the relevant permissions as described below, connecting to a SQL warehouse of your choice. This document describes exactly what permissions are requested, why each is needed, and what credentials to provide.


Summary of Access Required

ComponentDetails
IdentityService Principal — programmatic access
AuthenticationService principal's client ID (UUID) + client Secret
DataBilling data exported through SQL warehouse
CapabilityWhat It Provides
Billing dataCost analytics, chargeback/showback, budgeting, forecasting, anomaly detection

DigiUsher cannot create, modify, or delete any of your Databricks resources.

Use Terraform for the fastest setup

DigiUsher recommends the Terraform configuration for the most efficient and reliable setup. It automates the entire process — creating the service principal, generating its secret, granting warehouse access, and applying the Unity Catalog grants — in a single terraform apply.

Terraform Repository: https://github.com/digiusher/digiusher-iac/

If your organization's policies require manual resource provisioning, follow the manual setup steps below.


Prerequisites

Information to Gather

ItemHow to FindDigiUsher Field
Client IDAccount console > Service Principals > your SP > Secrets tab (the Client ID, an Application ID UUID)client_id
Client SecretShown once when you generate the OAuth secret (store securely)client_secret
Workspace hostnameThe hostname of the Databricks workspace, without https:// in front (eg. dbc-12345678-abcd.cloud.databricks.com)server_hostname
HTTP PathThe HTTP Path field in the SQL warehouse connection detailshttp_path

Roles Required by the Person Performing Setup

Role / PermissionWhy
Account Admin on the Databricks accountTo access the account console, create the service principal, generate its OAuth secret, and assign it to the workspace.
Metastore Admin on the Unity Catalog metastoreTo run the GRANT statements that give the service principal read access to the system catalog and its billing, compute, access, and lakeflow schemas. Without this role the grants fail even if the user is an Account Admin.
Workspace Admin on the target workspaceTo add the service principal to the workspace and grant it Can use permission on the SQL warehouse used for queries.

Network & Email Access (For Regulated Environments)

If your organization restricts outbound internet access or email domains, ensure the following are in place before starting:

  • Domain allowlist: Add *.digiusher.com to your network/firewall allowlist so that users in your organization can access the DigiUsher platform from their browsers.
  • Email allowlist: Add digiusher.com as an approved sender domain in your email security gateway. DigiUsher sends onboarding confirmations, alerts, and reports from @digiusher.com addresses.

The DigiUsher Terraform configuration automates the entire setup — it creates the service principal, generates an OAuth secret, grants Can use on the SQL warehouse, and applies all the Unity Catalog grants.

Prerequisites

  • Terraform — version 1.3 or higher
  • Python 3 with databricks-sql-connector, databricks-sdk, pandas, pyarrow (only needed to run the verification script)
  • A Databricks personal access token with All APIs scope, used once to bootstrap the setup (not stored after terraform apply completes)
  • Account Admin and Workspace Admin rights

Create a Personal Access Token

  1. Go to your workspace → top-right user icon → SettingsDeveloperAccess tokens.
  2. Click Generate new token.
  3. Set a name (e.g. terraform-setup-digiusher) and a lifetime.
  4. Under Scope, select All APIs.
  5. Copy the token immediately — it won't be shown again.

Find Your Configuration Values

You need three values before running Terraform:

VariableWhere to find it
workspace_hostYour workspace URL, e.g. abc-123.cloud.databricks.com (no https://)
databricks_account_idaccounts.cloud.databricks.com → top-right corner
warehouse_idSQL warehouse → Connection details → last segment of the HTTP path (/sql/1.0/warehouses/abc123def456abc123def456)

Deployment

git clone https://github.com/digiusher/digiusher-iac.git
cd digiusher-iac/databricks

Create terraform.tfvars with your values:

databricks_account_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
workspace_host        = "your-workspace.cloud.databricks.com"
warehouse_id          = "abc123def456"

Export your personal access token, then apply:

export TF_VAR_databricks_token="XXXXXXXXXXXXXXXXXXXX"

terraform init
terraform plan
terraform apply

Retrieve the Credentials

After apply completes, the four values DigiUsher needs are available as outputs:

echo "DATABRICKS_HOST=$(terraform output -raw workspace_hostname)"
echo "DATABRICKS_HTTP_PATH=$(terraform output -raw http_path)"
echo "DATABRICKS_CLIENT_ID=$(terraform output -raw client_id)"
echo "DATABRICKS_CLIENT_SECRET=$(terraform output -raw client_secret)"

These map to the Server Hostname, HTTP Path, Client ID, and Client Secret fields in DigiUsher (see Connect in DigiUsher below).

Verify (Optional)

The repository includes a verification script that confirms authentication, system catalog access, and billing data availability:

export DATABRICKS_HOST="$(terraform output -raw workspace_hostname)"
export DATABRICKS_HTTP_PATH="$(terraform output -raw http_path)"
export DATABRICKS_CLIENT_ID="$(terraform output -raw client_id)"
export DATABRICKS_CLIENT_SECRET="$(terraform output -raw client_secret)"

python3 verify_exports.py

See the digiusher-iac README for full Terraform documentation and troubleshooting.


Option B: Manual Setup

Note

Use the Terraform option above for the fastest setup. Follow the steps below if your organization requires manual provisioning through the Databricks console.

Step 1 — Create the Service Principal

Create a dedicated service principal that DigiUsher will use for programmatic, read-only access to your billing data.

  1. Sign in to the Databricks account console as an Account Admin.
  2. Navigate to User Management > Service Principals, then click Add service principal. Service Principals page in the account console
  3. Give it a recognizable name (e.g. digiusher-reader) and click Add. Add a new service principal

Generate an OAuth Secret

  1. Select the service principal just created, then open the Credential and Secrets tab and click Generate secret under OAuth secrets. Service principal Secrets tab
  2. In the dialog, select the lifetime of the secret (maximum 730 days). Generate OAuth secret for the service principal
  3. Copy both the Client ID and the Secret immediately and store securely — the secret is shown only once and cannot be retrieved again. Copy the generated client ID and secret

Save your credentials

You will need to enter the Client ID and Client Secret into DigiUsher in the final step. If you lose the secret, generate a new one and redo the process.

Step 2 — Assign the Service Principal to the Workspace

The service principal must be a member of the workspace whose SQL warehouse will run the queries.

  1. Open the target Workspace and go to Settings > Identity and access. Workspace Identity and access settings
  2. Next to Service principals, click Manage > Add service principal, select the principal you created, and click Add. Service Principals page in the IAM page
  3. Confirm the service principal now appears in the workspace's service principals list. Service principal added to the workspace

Already exists

If you see an "already exists" message, the service principal is already a member of the workspace — move on to the next step.

Step 3 — Grant the Service Principal Access to the SQL Warehouse

DigiUsher runs its queries through a SQL warehouse in the workspace. Grant the service principal Can use permission on it, and note the connection details.

  1. In the workspace, navigate to SQL Warehouses > Compute and open the warehouse you want DigiUsher to use. SQL Warehouses list
  2. Review the warehouse overview to confirm it is running (or set to auto-start). SQL warehouse overview
  3. Open the Permissions tab and click Add permission. SQL warehouse Permissions tab
  4. Search for the service principal by name and click Add. Ensure the permission is set to Can use. Grant permission on the SQL warehouse Grant Can use permission to the service principal

Copy the Connection Details

Open the Connection details tab of the warehouse and copy:

  • Server hostname — used as server_hostname (do not include https://).
  • HTTP path — used as http_path.

SQL warehouse connection details

Step 4 — Grant Read Access to the System Tables

Run the following grants in the SQL Editor against your warehouse to give the service principal read-only access to the billing and metadata tables DigiUsher needs.

  1. In the workspace, open the SQL Editor and select your warehouse. Run grants in the SQL Editor
  2. Paste the block below, replacing <client-id> with the service principal's Client ID (the Application ID UUID from Step 1), and run it.
GRANT USE CATALOG ON CATALOG system TO `<client-id>`;

GRANT USE SCHEMA ON SCHEMA system.billing TO `<client-id>`;
GRANT SELECT ON TABLE system.billing.usage TO `<client-id>`;
GRANT SELECT ON TABLE system.billing.list_prices TO `<client-id>`;
GRANT SELECT ON TABLE system.billing.account_prices TO `<client-id>`;

GRANT USE SCHEMA ON SCHEMA system.access TO `<client-id>`;
GRANT SELECT ON TABLE system.access.workspaces_latest TO `<client-id>`;

GRANT USE SCHEMA ON SCHEMA system.compute TO `<client-id>`;
GRANT SELECT ON TABLE system.compute.clusters TO `<client-id>`;
GRANT SELECT ON TABLE system.compute.warehouses TO `<client-id>`;

GRANT USE SCHEMA ON SCHEMA system.lakeflow TO `<client-id>`;
GRANT SELECT ON TABLE system.lakeflow.pipelines TO `<client-id>`;

Run as a Metastore Admin

These grants must be run by a user who is both an Account Admin and a Metastore Admin. Grants run by a workspace-only admin will fail or silently have no effect.

The account_prices grant may error

system.billing.account_prices only exists if your account is enrolled in the Account Prices Preview (AWS/GCP). If that table does not exist, its GRANT line will error — ignore that single error; every other statement must succeed.


Connect in DigiUsher

After completing either the Terraform or Manual setup, enter the following into DigiUsher to complete the connection:

FieldWhere to Find
Connection NameAny label you prefer (e.g. Databricks Production)
Server HostnameThe Server hostname from the warehouse Connection details (no https://), or terraform output -raw workspace_hostnameserver_hostname
HTTP PathThe HTTP path from the warehouse Connection details, or terraform output -raw http_pathhttp_path
Client IDThe service principal's Client ID (Application ID UUID), or terraform output -raw client_idclient_id
Client SecretThe OAuth secret generated during setup, or terraform output -raw client_secretclient_secret

Verification Checklist

  • Service principal created in the Databricks account console
  • OAuth client secret generated and both Client ID and Secret saved securely
  • Service principal assigned to the target workspace
  • Service principal granted Can use on the SQL warehouse
  • All GRANT statements executed successfully in the SQL Editor — system.billing, system.access, system.compute, system.lakeflow
  • Workspace hostname, HTTP path, Client ID, and Client Secret entered in DigiUsher
  • Verification probe passed — DigiUsher confirms access to system.billing.usage and system.billing.list_prices and returns an account_id
  • *.digiusher.com allowlisted in your network/firewall (if applicable)
  • digiusher.com allowlisted as an approved sender domain in your email security gateway (if applicable)

Security

What DigiUsher CAN Access (Read-Only)

  • system.billing.usage — DBU and credit consumption records for all workspaces in the account
  • system.billing.list_prices — Databricks public list prices for SKU cost calculation
  • system.billing.account_prices — contracted rates, if your account is enrolled in the Account Prices Preview (AWS/GCP only)
  • system.access.workspaces_latest — workspace name metadata used to enrich billing records
  • system.compute.clusters and system.compute.warehouses — resource names used to enrich billing records
  • system.lakeflow.pipelines — pipeline names used to enrich billing records

What DigiUsher CANNOT Do

  • Access any table outside the schemas explicitly granted above
  • Read notebooks, job definitions, query results, or any business data
  • Access data in any workspace catalog (e.g. hive_metastore, user-created catalogs)
  • Create, modify, or delete any object in Databricks
  • View or modify billing settings or account configuration
  • Make purchases or changes to your account
  • Access any underlying cloud infrastructure (S3, ADLS, GCS) directly

Monitoring

Monitor service principal activity in the Databricks workspace under Settings → Identity and access → Service Principals → your service principal. For a full audit trail, query system.access.audit if your workspace has that schema enabled — filter on user_identity.email = '<client-id>' to see all actions taken by the DigiUsher service principal.

Credential Rotation

Terraform: Run terraform apply -replace="databricks_service_principal_secret.digiusher_focus_reader" to generate a new secret, then update the Client Secret in DigiUsher with the new terraform output -raw client_secret.

Manual:

  1. In the account console, go to Service Principals → select the DigiUsher service principal → Secrets tab.
  2. Click Generate secret to create a new client secret.
  3. Update the Client Secret in DigiUsher immediately.
  4. Delete the old secret from the Secrets tab.

Avoid ingestion gaps

Always generate the new secret before deleting the old one. The old secret remains valid until explicitly deleted, so there is no interruption if you update DigiUsher before removing it.

Revocation

Terraform: Run terraform destroy — this removes the service principal, its secret, the warehouse permission, and all Unity Catalog grants, instantly invalidating access.

Manual: Delete the service principal from the account console under Service Principals. This immediately invalidates the OAuth secret and removes all associated permissions from the workspace. Alternatively, delete only the secret under the SP's Secrets tab to pause access without removing the principal — useful if you intend to re-connect later.


Troubleshooting

Permission denied on system.billing.usage or other system tables

  • Confirm all GRANT statements completed without errors in the SQL Editor. Re-run the full grant block — grants are idempotent and safe to repeat.
  • Verify the user who ran the grants was both an Account Admin and a Metastore Admin at the time. Grants run by a workspace-only admin silently fail or error.
  • Confirm the service principal's Client ID (Application ID UUID) was used as the grantee, not its display name.

"User is not an account admin" during setup

  • Go to accounts.cloud.databricks.comUser ManagementUsers → click the setup user's email → toggle Account admin on.
  • This role is separate from workspace admin group membership — being in the workspace admins group is not sufficient.

Verification probe passes but BilledCost is zero

  • BilledCost is computed as usage_quantity × account_unit_price. If list_prices has no rows matching your account's region and SKUs yet, the price join returns NULL and cost coalesces to 0.
  • Confirm system.billing.list_prices is populated: run SELECT COUNT(*) FROM system.billing.list_prices in the SQL Editor. Newly provisioned trial accounts may see an empty or sparse price table until Databricks backfills it for your region — this resolves within 24–48 hours.

No data in system.billing.usage

  • The table only contains records from the date the account was provisioned. A brand-new account will have one or two rows at most (warehouse startup storage). This is expected and not an error — data accumulates as the account is used.
  • Confirm the date range: SELECT MIN(usage_date), MAX(usage_date) FROM system.billing.usage.

Connection hangs with no output

  • Verify DATABRICKS_SERVER_HOSTNAME does not include https://. The SDK adds the scheme automatically — a double https://https:// prefix causes a silent 5-minute timeout.
  • Confirm the SQL warehouse is in Running or Idle (auto-startable) state. A warehouse in Deleted or Stopped (manually) state will not start on connection.

Warehouse access denied

  • Confirm the service principal has Can use permission on the warehouse: workspace → SQL Warehouses → your warehouse → Permissions.
  • If the warehouse was recreated after the initial setup, the permission must be re-granted — it does not follow the SP.

OAuth authentication failure

  • Confirm the Client Secret entered in DigiUsher matches the secret generated for this specific service principal, not a PAT or another SP's secret.
  • OAuth secrets do not expire by default, but if the secret was manually deleted and regenerated in the Databricks console the old value is permanently invalid — generate a new one and update DigiUsher.

Need Help?

If you encounter any issues not covered above, contact DigiUsher support at support@digiusher.com and the team will help you get set up.