An example of a bundle that creates and uses a secret scope

[anton-107]

No description provided.

[shreyas-goenka]

Admins should have these permissions by default. Is there a reason to explicitly specify them?

[anton-107]

admins do not have MANAGE permissions by default, only the user creating the scope does

[shreyas-goenka]

Is this only limited to read permissions?:
https://arc.net/l/quote/fotmmsku

[anton-107]

I'm referring to permissions that are listed by secret scopes ACL - the only initial permission a new secret scope is getting, is that its create can MANAGE it. For other permissions to show up there, they need to be explicitly declared in the permissions section

[shreyas-goenka]

Okay, but do admins have MANAGE permission by default on the scope anyways? The docs seem to imply so.

Note: This is not blocking, an additional permissions block can't really hurt customers. I was curious about the intention though.

[anton-107]

the API doc does not say so: https://docs.databricks.com/api/workspace/secrets/createscope

only the initial_manage_principal is getting the MANAGE permission, and when created with DABS, it is always the caller

[shreyas-goenka]

We could simplify this.

Suggested change

	- --scope_name={{job.parameters.scope_name}}
	- --scope_name=${resources.secret_scopes.my_secret_scope.name}

This way the secret scope name is directly interpolated and you don't have to pass that as a job parameter.

[anton-107]

I would prefer to keep it this way in the example since this seems to be more idiomatic with the jobs docs and it also documents this particular way (not quite straightforward) to achieve this result