# Databricks SaaS installation
## Summary
This guide details how to create the relevant service account for DataFlint to be able to ingest Databricks performance metadata with only read-only access
The entire process should take just a few minutes.
The steps are:
1. Install DataFlint OSS as init script
2. Create the DataFlint new service principal, with CAN\_VIEW access
3. Enable cluster logs, and give read-only access to DataFlint
4. (Optional) supply mapping to your tag names to DataFlint ones
## Installation
### Step 1: Install DataFlint OSS as init script
See [install-on-databricks](https://dataflint.gitbook.io/dataflint-for-spark/getting-started/install-on-databricks "mention")
### Step 2: Create the DataFlint new service principal, with CAN\_VIEW access
{% hint style="warning" %}
This process requires a workpsace admin permission
{% endhint %}
#### Create new service principal
Go to the workspace settings right top corner:
Then choose Identity -> service principal:
Choose "Add New Principal"
Give it a declerative name (such as "DataFlintServicePrincipal")
Choose the newly added service principal:
Go to secrets, and press "Generate Secret"
Afterward you will get this screen with a secret and client id:
Please supply us with:
* Display name (for example "data infra team workspace")
* Client ID
* Secret
* Workspace URL (looks something like this: "")
#### Add Permission
{% hint style="warning" %}
We will demonstrate with one job in the databricks UI, but you would probably want to do that process to a template or via a databricks orchestration operator.
{% endhint %}
Go to Jobs & Pipelines and choose a job:
Press "Edit permissions" and add to the job "can view" permission for the service principal we created
### Step 3 - Enable cluster logs, and give read-only access
{% hint style="warning" %}
We will demonstrate with one cluster in the databricks UI, but you would probably want to do that process to a template or via a databricks orchestration operator.
{% endhint %}
Choose the "Compute" config under the job page:
Press "Configure"
Go under Advance -> logging, and enable cluster logging:
**If using DBFS** - no need for additional steps, CAN\_VIEW access automatically gives read-only access to DBFS logs
**If using S3** - you will need to add the following permission to your bucket policy where you save the logs:
```json
{
"Sid": "Allowing DataFlint to read Databricks logs",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::{DataFlint ACCOUNT ID}:role/eks-dataflint-service-role"
},
"Action": [
"s3:ListBucket",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::{YOUR BUCKET NAME}/*",
"arn:aws:s3:::{YOUR BUCKET NAME}"
]
}
```
Contact us privately to get the name of our DataFlint ACCOUNT ID, it might be different between SaaS and BYOC installations.
#### Step 4 (Optional) - Supply mapping to your tag names to DataFlint ones
#### You might already have tags in your databricks job/job run/cluster level for values such as team, group, version, workflow id and such.
You can add the following default tags, or map your existing map to DataFlint format (via our admin console)
Supported tags are:
1. DATAFLINT\_ENV - the environment (i.e. prod, dev) default value is "default"
2. DATAFLINT\_TEAM - the team that is the owner of the job
3. DATAFLINT\_DOMAIN - owner group, business unit or product name the job belongs to
4. DATAFLINT\_DAG\_ID - a unique ID of the dag the job belongs to
5. DATAFLINT\_DAG\_RUN\_ID - a unique ID of the dag run id the job was triggered from
6. DATAFLINT\_VERSION - version of the job, in semver format
