Question 17
Domain 4: Assembling and Deploying Applications
A serving endpoint references `{{secrets/app/openai_key}}` in `environment_vars`. What permission must the endpoint creator have on that secret?
Correct answer: B
Explanation
A serving endpoint that references `{{secrets/app/openai_key}}` in `environment_vars` must be able to resolve the secret value at deployment time, which requires "READ access" on that secret. Without read permission, the endpoint creator cannot retrieve the secret to populate the environment variable.
Why each option is right or wrong
A. WRITE access
WRITE lets you change the secret, but injecting it into an environment variable only requires retrieving its current value.
B. READ access
Databricks secret references in endpoint environment variables are resolved from the Secrets API at deployment time, and the creator must be able to retrieve the secret value to materialize `{{secrets/...}}` into the runtime environment. Under the Databricks secrets permission model, that requires `READ` on the specific secret scope/key; `MANAGE` or `WRITE` alone is not sufficient to fetch the value, and without `READ` the endpoint cannot be created with that reference.
C. MANAGE access
MANAGE is broader administrative control (for example, changing the scope's ACLs); resolving a secret reference at deployment time does not require that level of privilege.
D. Ownership of the target catalog
Catalog ownership concerns container-level governance, not permission to read this specific secret.