Connecting a Databricks account
Overview
To onboard your Databricks environment to DigiUsher, create a service principal and grant the relevant permissions as described below, connecting to a SQL warehouse of your choice. This document describes exactly what permissions are requested, why each is needed, and what credentials to provide.
Summary of Access Required
| Component | Details |
|---|---|
| Identity | Service Principal — programmatic access |
| Authentication | Service principal's client ID (UUID) + client Secret |
| Data | Billing data exported through SQL warehouse |
| Capability | What It Provides |
|---|---|
| Billing data | Cost analytics, chargeback/showback, budgeting, forecasting, anomaly detection |
DigiUsher cannot create, modify, or delete any of your Databricks resources.
Use Terraform for the fastest setup
DigiUsher recommends the Terraform configuration for the most efficient and reliable setup. It automates the entire process — creating the service principal, generating its secret, granting warehouse access, and applying the Unity Catalog grants — in a single terraform apply.
Terraform Repository: https://github.com/digiusher/digiusher-iac/
If your organization's policies require manual resource provisioning, follow the manual setup steps below.
Prerequisites
Information to Gather
| Item | How to Find | DigiUsher Field |
|---|---|---|
| Client ID | Account console > Service Principals > your SP > Secrets tab (the Client ID, an Application ID UUID) | client_id |
| Client Secret | Shown once when you generate the OAuth secret (store securely) | client_secret |
| Workspace hostname | The hostname of the Databricks workspace, without https:// in front (eg. dbc-12345678-abcd.cloud.databricks.com) | server_hostname |
| HTTP Path | The HTTP Path field in the SQL warehouse connection details | http_path |
Roles Required by the Person Performing Setup
| Role / Permission | Why |
|---|---|
| Account Admin on the Databricks account | To access the account console, create the service principal, generate its OAuth secret, and assign it to the workspace. |
| Metastore Admin on the Unity Catalog metastore | To run the GRANT statements that give the service principal read access to the system catalog and its billing, compute, access, and lakeflow schemas. Without this role the grants fail even if the user is an Account Admin. |
| Workspace Admin on the target workspace | To add the service principal to the workspace and grant it Can use permission on the SQL warehouse used for queries. |
Network & Email Access (For Regulated Environments)
If your organization restricts outbound internet access or email domains, ensure the following are in place before starting:
- Domain allowlist: Add
*.digiusher.comto your network/firewall allowlist so that users in your organization can access the DigiUsher platform from their browsers. - Email allowlist: Add
digiusher.comas an approved sender domain in your email security gateway. DigiUsher sends onboarding confirmations, alerts, and reports from@digiusher.comaddresses.
Option A: Terraform (Recommended)
The DigiUsher Terraform configuration automates the entire setup — it creates the service principal, generates an OAuth secret, grants Can use on the SQL warehouse, and applies all the Unity Catalog grants.
Prerequisites
- Terraform — version 1.3 or higher
- Python 3 with
databricks-sql-connector,databricks-sdk,pandas,pyarrow(only needed to run the verification script) - A Databricks personal access token with All APIs scope, used once to bootstrap the setup (not stored after
terraform applycompletes) - Account Admin and Workspace Admin rights
Create a Personal Access Token
- Go to your workspace → top-right user icon → Settings → Developer → Access tokens.
- Click Generate new token.
- Set a name (e.g.
terraform-setup-digiusher) and a lifetime. - Under Scope, select All APIs.
- Copy the token immediately — it won't be shown again.
Find Your Configuration Values
You need three values before running Terraform:
| Variable | Where to find it |
|---|---|
workspace_host | Your workspace URL, e.g. abc-123.cloud.databricks.com (no https://) |
databricks_account_id | accounts.cloud.databricks.com → top-right corner |
warehouse_id | SQL warehouse → Connection details → last segment of the HTTP path (/sql/1.0/warehouses/abc123def456 → abc123def456) |
Deployment
git clone https://github.com/digiusher/digiusher-iac.git
cd digiusher-iac/databricksCreate terraform.tfvars with your values:
databricks_account_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
workspace_host = "your-workspace.cloud.databricks.com"
warehouse_id = "abc123def456"Export your personal access token, then apply:
export TF_VAR_databricks_token="XXXXXXXXXXXXXXXXXXXX"
terraform init
terraform plan
terraform applyRetrieve the Credentials
After apply completes, the four values DigiUsher needs are available as outputs:
echo "DATABRICKS_HOST=$(terraform output -raw workspace_hostname)"
echo "DATABRICKS_HTTP_PATH=$(terraform output -raw http_path)"
echo "DATABRICKS_CLIENT_ID=$(terraform output -raw client_id)"
echo "DATABRICKS_CLIENT_SECRET=$(terraform output -raw client_secret)"These map to the Server Hostname, HTTP Path, Client ID, and Client Secret fields in DigiUsher (see Connect in DigiUsher below).
Verify (Optional)
The repository includes a verification script that confirms authentication, system catalog access, and billing data availability:
export DATABRICKS_HOST="$(terraform output -raw workspace_hostname)"
export DATABRICKS_HTTP_PATH="$(terraform output -raw http_path)"
export DATABRICKS_CLIENT_ID="$(terraform output -raw client_id)"
export DATABRICKS_CLIENT_SECRET="$(terraform output -raw client_secret)"
python3 verify_exports.pySee the digiusher-iac README for full Terraform documentation and troubleshooting.
Option B: Manual Setup
Note
Use the Terraform option above for the fastest setup. Follow the steps below if your organization requires manual provisioning through the Databricks console.
Step 1 — Create the Service Principal
Create a dedicated service principal that DigiUsher will use for programmatic, read-only access to your billing data.
- Sign in to the Databricks account console as an Account Admin.
- Navigate to User Management > Service Principals, then click Add service principal.

- Give it a recognizable name (e.g.
digiusher-reader) and click Add.
Generate an OAuth Secret
- Select the service principal just created, then open the Credential and Secrets tab and click Generate secret under OAuth secrets.

- In the dialog, select the lifetime of the secret (maximum 730 days).

- Copy both the Client ID and the Secret immediately and store securely — the secret is shown only once and cannot be retrieved again.

Save your credentials
You will need to enter the Client ID and Client Secret into DigiUsher in the final step. If you lose the secret, generate a new one and redo the process.
Step 2 — Assign the Service Principal to the Workspace
The service principal must be a member of the workspace whose SQL warehouse will run the queries.
- Open the target Workspace and go to Settings > Identity and access.

- Next to Service principals, click Manage > Add service principal, select the principal you created, and click Add.

- Confirm the service principal now appears in the workspace's service principals list.

Already exists
If you see an "already exists" message, the service principal is already a member of the workspace — move on to the next step.
Step 3 — Grant the Service Principal Access to the SQL Warehouse
DigiUsher runs its queries through a SQL warehouse in the workspace. Grant the service principal Can use permission on it, and note the connection details.
- In the workspace, navigate to SQL Warehouses > Compute and open the warehouse you want DigiUsher to use.

- Review the warehouse overview to confirm it is running (or set to auto-start).

- Open the Permissions tab and click Add permission.

- Search for the service principal by name and click Add. Ensure the permission is set to Can use.

Copy the Connection Details
Open the Connection details tab of the warehouse and copy:
- Server hostname — used as
server_hostname(do not includehttps://). - HTTP path — used as
http_path.

Step 4 — Grant Read Access to the System Tables
Run the following grants in the SQL Editor against your warehouse to give the service principal read-only access to the billing and metadata tables DigiUsher needs.
- In the workspace, open the SQL Editor and select your warehouse.

- Paste the block below, replacing
<client-id>with the service principal's Client ID (the Application ID UUID from Step 1), and run it.
GRANT USE CATALOG ON CATALOG system TO `<client-id>`;
GRANT USE SCHEMA ON SCHEMA system.billing TO `<client-id>`;
GRANT SELECT ON TABLE system.billing.usage TO `<client-id>`;
GRANT SELECT ON TABLE system.billing.list_prices TO `<client-id>`;
GRANT SELECT ON TABLE system.billing.account_prices TO `<client-id>`;
GRANT USE SCHEMA ON SCHEMA system.access TO `<client-id>`;
GRANT SELECT ON TABLE system.access.workspaces_latest TO `<client-id>`;
GRANT USE SCHEMA ON SCHEMA system.compute TO `<client-id>`;
GRANT SELECT ON TABLE system.compute.clusters TO `<client-id>`;
GRANT SELECT ON TABLE system.compute.warehouses TO `<client-id>`;
GRANT USE SCHEMA ON SCHEMA system.lakeflow TO `<client-id>`;
GRANT SELECT ON TABLE system.lakeflow.pipelines TO `<client-id>`;Run as a Metastore Admin
These grants must be run by a user who is both an Account Admin and a Metastore Admin. Grants run by a workspace-only admin will fail or silently have no effect.
The account_prices grant may error
system.billing.account_prices only exists if your account is enrolled in the Account Prices Preview (AWS/GCP). If that table does not exist, its GRANT line will error — ignore that single error; every other statement must succeed.
Connect in DigiUsher
After completing either the Terraform or Manual setup, enter the following into DigiUsher to complete the connection:
| Field | Where to Find |
|---|---|
| Connection Name | Any label you prefer (e.g. Databricks Production) |
| Server Hostname | The Server hostname from the warehouse Connection details (no https://), or terraform output -raw workspace_hostname — server_hostname |
| HTTP Path | The HTTP path from the warehouse Connection details, or terraform output -raw http_path — http_path |
| Client ID | The service principal's Client ID (Application ID UUID), or terraform output -raw client_id — client_id |
| Client Secret | The OAuth secret generated during setup, or terraform output -raw client_secret — client_secret |
Verification Checklist
- Service principal created in the Databricks account console
- OAuth client secret generated and both Client ID and Secret saved securely
- Service principal assigned to the target workspace
- Service principal granted Can use on the SQL warehouse
- All
GRANTstatements executed successfully in the SQL Editor —system.billing,system.access,system.compute,system.lakeflow - Workspace hostname, HTTP path, Client ID, and Client Secret entered in DigiUsher
- Verification probe passed — DigiUsher confirms access to
system.billing.usageandsystem.billing.list_pricesand returns anaccount_id -
*.digiusher.comallowlisted in your network/firewall (if applicable) -
digiusher.comallowlisted as an approved sender domain in your email security gateway (if applicable)
Security
What DigiUsher CAN Access (Read-Only)
system.billing.usage— DBU and credit consumption records for all workspaces in the accountsystem.billing.list_prices— Databricks public list prices for SKU cost calculationsystem.billing.account_prices— contracted rates, if your account is enrolled in the Account Prices Preview (AWS/GCP only)system.access.workspaces_latest— workspace name metadata used to enrich billing recordssystem.compute.clustersandsystem.compute.warehouses— resource names used to enrich billing recordssystem.lakeflow.pipelines— pipeline names used to enrich billing records
What DigiUsher CANNOT Do
- Access any table outside the schemas explicitly granted above
- Read notebooks, job definitions, query results, or any business data
- Access data in any workspace catalog (e.g.
hive_metastore, user-created catalogs) - Create, modify, or delete any object in Databricks
- View or modify billing settings or account configuration
- Make purchases or changes to your account
- Access any underlying cloud infrastructure (S3, ADLS, GCS) directly
Monitoring
Monitor service principal activity in the Databricks workspace under Settings → Identity and access → Service Principals → your service principal. For a full audit trail, query system.access.audit if your workspace has that schema enabled — filter on user_identity.email = '<client-id>' to see all actions taken by the DigiUsher service principal.
Credential Rotation
Terraform: Run terraform apply -replace="databricks_service_principal_secret.digiusher_focus_reader" to generate a new secret, then update the Client Secret in DigiUsher with the new terraform output -raw client_secret.
Manual:
- In the account console, go to Service Principals → select the DigiUsher service principal → Secrets tab.
- Click Generate secret to create a new client secret.
- Update the Client Secret in DigiUsher immediately.
- Delete the old secret from the Secrets tab.
Avoid ingestion gaps
Always generate the new secret before deleting the old one. The old secret remains valid until explicitly deleted, so there is no interruption if you update DigiUsher before removing it.
Revocation
Terraform: Run terraform destroy — this removes the service principal, its secret, the warehouse permission, and all Unity Catalog grants, instantly invalidating access.
Manual: Delete the service principal from the account console under Service Principals. This immediately invalidates the OAuth secret and removes all associated permissions from the workspace. Alternatively, delete only the secret under the SP's Secrets tab to pause access without removing the principal — useful if you intend to re-connect later.
Troubleshooting
Permission denied on system.billing.usage or other system tables
- Confirm all
GRANTstatements completed without errors in the SQL Editor. Re-run the full grant block — grants are idempotent and safe to repeat. - Verify the user who ran the grants was both an Account Admin and a Metastore Admin at the time. Grants run by a workspace-only admin silently fail or error.
- Confirm the service principal's Client ID (Application ID UUID) was used as the grantee, not its display name.
"User is not an account admin" during setup
- Go to
accounts.cloud.databricks.com→ User Management → Users → click the setup user's email → toggle Account admin on. - This role is separate from workspace admin group membership — being in the workspace
adminsgroup is not sufficient.
Verification probe passes but BilledCost is zero
BilledCostis computed asusage_quantity × account_unit_price. Iflist_priceshas no rows matching your account's region and SKUs yet, the price join returnsNULLand cost coalesces to0.- Confirm
system.billing.list_pricesis populated: runSELECT COUNT(*) FROM system.billing.list_pricesin the SQL Editor. Newly provisioned trial accounts may see an empty or sparse price table until Databricks backfills it for your region — this resolves within 24–48 hours.
No data in system.billing.usage
- The table only contains records from the date the account was provisioned. A brand-new account will have one or two rows at most (warehouse startup storage). This is expected and not an error — data accumulates as the account is used.
- Confirm the date range:
SELECT MIN(usage_date), MAX(usage_date) FROM system.billing.usage.
Connection hangs with no output
- Verify
DATABRICKS_SERVER_HOSTNAMEdoes not includehttps://. The SDK adds the scheme automatically — a doublehttps://https://prefix causes a silent 5-minute timeout. - Confirm the SQL warehouse is in Running or Idle (auto-startable) state. A warehouse in Deleted or Stopped (manually) state will not start on connection.
Warehouse access denied
- Confirm the service principal has Can use permission on the warehouse: workspace → SQL Warehouses → your warehouse → Permissions.
- If the warehouse was recreated after the initial setup, the permission must be re-granted — it does not follow the SP.
OAuth authentication failure
- Confirm the Client Secret entered in DigiUsher matches the secret generated for this specific service principal, not a PAT or another SP's secret.
- OAuth secrets do not expire by default, but if the secret was manually deleted and regenerated in the Databricks console the old value is permanently invalid — generate a new one and update DigiUsher.
Need Help?
If you encounter any issues not covered above, contact DigiUsher support at support@digiusher.com and the team will help you get set up.
DigiUsher Documentation