Update for feedback

RichardChen820 · RichardChen820 · commit 000596afeec5 · 2024-09-03T16:52:43.000+08:00
diff --git a/articles/azure-app-configuration/quickstart-azure-kubernetes-service.md b/articles/azure-app-configuration/quickstart-azure-kubernetes-service.md
@@ -245,30 +245,6 @@ Add following key-values to the App Configuration store and leave **Label** and
     > [!TIP]
     > The App Configuration Kubernetes Provider is also available as an AKS extension. This integration allows for seamless installation and management via the Azure CLI, ARM templates, or Bicep templates. Utilizing the AKS extension facilitates automatic minor/patch version updates, ensuring your system is always up-to-date. For detailed installation instructions, please refer to the [Azure App Configuration extension for Azure Kubernetes Service](/azure/aks/azure-app-configuration).
 
-1. Follow the step 1-4 in [using workload identity](./reference-kubernetes-provider.md#use-workload-identity) and note down the client ID, tenant ID, resource group and name of the managed identity, the OIDC issuer URL of the AKS cluster, you will use them in the following steps.
-
-1. Add a *serviceaccount.yaml* file to the *Deployment* directory with the following content to create a service account for the application.
-
-    ```yaml
-    apiVersion: v1
-    kind: ServiceAccount
-    metadata:
-      name: aspnetapp-demo-service-account
-      annotations:
-        azure.workload.identity/client-id: <your-managed-identity-client-id>
-        azure.workload.identity/tenant-id: <your-tenant-id>
-    ```
-
-    Replace the value of the `azure.workload.identity/client-id` and `azure.workload.identity/tenant-id` fields with the client ID and tenant ID of the managed identity you created in the previous step.
-
-1. Create federated credentials for the service account by running the following command:
-   
-    ```azurecli
-     az identity federated-credential create --name "federated-credential-demo" --identity-name <identity-name> --resource-group  <resource-group> --issuer <OIDC-issuer> --subject system:serviceaccount:default:aspnetapp-demo-service-account --audience api://AzureADTokenExchange
-    ```
-
-    Replace the value of the `identity-name`, `resource-group` fields with the name, resource group of your managed identity created in the previous step. Replace the value of the `OIDC-issuer` field with the OIDC issuer URL of your AKS cluster. 
-
 1. Add an *appConfigurationProvider.yaml* file to the *Deployment* directory with the following content to create an `AzureAppConfigurationProvider` resource. `AzureAppConfigurationProvider` is a custom resource that defines what data to download from an Azure App Configuration store and creates a ConfigMap.
    
     ```yaml
@@ -285,10 +261,10 @@ Add following key-values to the App Configuration store and leave **Label** and
           key: mysettings.json
       auth:
         workloadIdentity:
-          serviceAccountName: aspnetapp-demo-service-account
+          serviceAccountName: <your-service-account-name>
     ```
 
-    Replace the value of the `endpoint` field with the endpoint of your Azure App Configuration store. 
+    Replace the value of the `endpoint` field with the endpoint of your Azure App Configuration store. Proceed to the next step to update the `auth` section with your authentication information.
     
     > [!NOTE]
     > `AzureAppConfigurationProvider` is a declarative API object. It defines the desired state of the ConfigMap created from the data in your App Configuration store with the following behavior:
@@ -297,6 +273,8 @@ Add following key-values to the App Configuration store and leave **Label** and
     > - The ConfigMap will be reset based on the present data in your App Configuration store if it's deleted or modified by any other means.
     > - The ConfigMap will be deleted if the App Configuration Kubernetes Provider is uninstalled.
 
+1. In this example, you use workload identity to authenticate with your App Configuration store. Follow these [instructions](./reference-kubernetes-provider.md#use-workload-identity) to set it up, and replace the serviceAccountName field with the name of the service account you created in the *appConfigurationProvider.yaml* file. For more information on other authentication methods, see the [Authentication](./reference-kubernetes-provider.md#authentication) section.
+
 1. Update the *deployment.yaml* file in the *Deployment* directory to use the ConfigMap `configmap-created-by-appconfig-provider` as a mounted data volume. It is important to ensure that the `volumeMounts.mountPath` matches the `WORKDIR` specified in your *Dockerfile* and the *config* directory created before.
    
     ```yaml
@@ -330,13 +308,13 @@ Add following key-values to the App Configuration store and leave **Label** and
               name: configmap-created-by-appconfig-provider
     ```
 
-1. Run the following command to deploy the changes. Replace the namespace if you are using your existing AKS application.
+4. Run the following command to deploy the changes. Replace the namespace if you are using your existing AKS application.
    
     ```console
     kubectl apply -f ./Deployment -n appconfig-demo
     ```
 
-1. Refresh the browser. The page shows updated content.
+5. Refresh the browser. The page shows updated content.
 
     ![Screenshot showing Kubernetes Provider after using configMap.](./media/quickstarts/kubernetes-provider-app-launch-after.png)
 
@@ -394,9 +372,9 @@ Ensure that you specify the correct key-value selectors to match the expected da
 
 You can customize the installation by providing additional Helm values when installing the Azure App Configuration Kubernetes Provider. For example, you can set the log level, configure the provider to run on a specific node, or disable the workload identity. Refer to the [installation guide](./reference-kubernetes-provider.md#installation) for more information.
 
-#### Why the workload identity does not work after I upgrade the Azure App Configuration Kubernetes Provider to v2.0.0?
+#### Why am I unable to authenticate with Azure App Configuration using workload identity after upgrading the provider to version 2.0.0?
 
-Start from v2.0.0, per namespace service account should be used for workload identity by default. See the [workload identity](./reference-kubernetes-provider.md#use-workload-identity) documentation for more details. If you still want to use the provider's service account, binding your managed identities to the global service account `az-appconfig-k8s-provider` that been created in `azappconfig-system` namespace, you can enable it by setting `workloadIdentity.globalServiceAccountEnabled=true` at installation time, refer to the [installation guide](./reference-kubernetes-provider.md#installation) for more information.
+Starting with version 2.0.0, a user-provided service account is required for authenticating with Azure App Configuration [using workload identity](./reference-kubernetes-provider.md#use-workload-identity). This change enhances security through namespace isolation. Previously, a Kubernetes provider’s service account was used for all namespaces. For updated instructions, see the documentation on using workload identity. If you need time to migrate when upgrading to version 2.0.0, you can temporarily set `workloadIdentity.globalServiceAccountEnabled=true` during provider installation. Please note that support for using the provider’s service account will be deprecated in a future release.
 
 ## Clean up resources
 
diff --git a/articles/azure-app-configuration/reference-kubernetes-provider.md b/articles/azure-app-configuration/reference-kubernetes-provider.md
@@ -182,19 +182,7 @@ helm install azureappconfiguration.kubernetesprovider \
     --set autoscaling.enabled=true
 ```
 
-### Global service account
-
-By default, the provider uses custom per namespace service account to access Azure App Configuration and Key Vaults. If you still want to use the provider's service account, binding your managed identities to the global service account `az-appconfig-k8s-provider` that been created in `azappconfig-system` namespace, you can enable it by setting `workloadIdentity.globalServiceAccountEnabled=true` at installation time.
-
-```bash
-helm install azureappconfiguration.kubernetesprovider \
-    oci://mcr.microsoft.com/azure-app-configuration/helmchart/kubernetes-provider \
-    --namespace azappconfig-system \
-    --create-namespace
-    --set workloadIdentity.globalServiceAccountEnabled=true
-```
-
-### Data collection
+## Data collection
 
 The software may collect information about you and your use of the software and send it to Microsoft. Microsoft may use this information to provide services and improve our products and services. You may turn off the telemetry by setting the `requestTracing.enabled=false` while installing the Azure App Configuration Kubernetes Provider. There are also some features in the software that may enable you and Microsoft to collect data from users of your applications. If you use these features, you must comply with applicable law, including providing appropriate notices to users of your applications together with a copy of Microsoft’s privacy statement. Our privacy statement is located at https://go.microsoft.com/fwlink/?LinkID=824704. You can learn more about data collection and use in the help documentation and our privacy statement. Your use of the software operates as your consent to these practices.
 
@@ -271,92 +259,50 @@ The software may collect information about you and your use of the software and
 
 1. [Enable Workload Identity](/azure/aks/workload-identity-deploy-cluster#update-an-existing-aks-cluster) on the Azure Kubernetes Service (AKS) cluster.
 
-2. [Get the OIDC issuer URL](/azure/aks/workload-identity-deploy-cluster#retrieve-the-oidc-issuer-url) of the AKS cluster.
+1. [Get the OIDC issuer URL](/azure/aks/workload-identity-deploy-cluster#retrieve-the-oidc-issuer-url) of the AKS cluster.
 
-3. [Create a user-assigned managed identity](/azure/active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities#create-a-user-assigned-managed-identity) and note down its client ID after creation.
+1. [Create a user-assigned managed identity](/azure/active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities#create-a-user-assigned-managed-identity) and note down its client ID after creation.
   
-4. [Grant the user-assigned managed identity **App Configuration Data Reader** role](/azure/azure-app-configuration/concept-enable-rbac#assign-azure-roles-for-access-rights) in Azure App Configuration.
-
-5. Create federated identity credential between the managed identity, OIDC issuer, and subject using the Azure CLI. You can choose to bind the managed identity to the provider global service account or a custom service account.
-
-    ##### [Use custom service account](#tab/custom)
-
-    Create a custom service account in the same namespace as the `AzureAppConfigurationProvider` resource.
+1. [Grant the user-assigned managed identity **App Configuration Data Reader** role](/azure/azure-app-configuration/concept-enable-rbac#assign-azure-roles-for-access-rights) in Azure App Configuration.
+   
+1. Create a service account by applying the following sample yaml. Replace `<your-managed-identity-client-id>` with the client ID and `<your-tenant-id>` with the tenant ID of the user-assigned managed identity just been created. Replace `<your-service-account-name>` with your favorite name.
 
-    ``` bash
-    cat <<EOF | kubectl create -f -
+    ``` yaml
     apiVersion: v1
     kind: ServiceAccount
     metadata:
-      name: my-service-account
+      name: <your-service-account-name>
+      namespace: default
       annotations:
-        azure.workload.identity/client-id: <managed-identity-client-id>
-        azure.workload.identity/tenant-id: <tenant-id>
-    EOF
+        azure.workload.identity/client-id: <your-managed-identity-client-id>
+        azure.workload.identity/tenant-id: <your-tenant-id>
     ```
 
-    Create the federated identity credential to bind the managed identity to the custom service account.
+1. Create federated identity credential for the user-assigned managed identity using the Azure CLI.
 
     ``` azurecli
     az identity federated-credential create --name "${FEDERATED_IDENTITY_CREDENTIAL_NAME}" --identity-name "${USER_ASSIGNED_IDENTITY_NAME}" --resource-group "${RESOURCE_GROUP}" --issuer "${AKS_OIDC_ISSUER}" --subject system:serviceaccount:default:my-service-account --audience api://AzureADTokenExchange
     ```
 
     The subject of the federated identity credential should be in the format `system:serviceaccount:<service-account-namespace>:<service-account-name>`.
 
-    ##### [Use service account of provider](#tab/global)
-
-    > [!NOTE]
-    > To use the service account of the provider, please ensure the `workloadIdentity.enableGlobalServiceAccount` property is set to `true` while installing the Azure App Configuration Kubernetes Provider.
-    > ```bash
-    > helm install azureappconfiguration.kubernetesprovider \
-    >     oci://mcr.microsoft.com/azure-app-configuration/helmchart/kubernetes-provider \
-    >     --namespace azappconfig-system \
-    >     --create-namespace \
-    >     --set workloadIdentity.enableGlobalServiceAccount=true
-    > ```
-
-    ``` azurecli
-    az identity federated-credential create --name "${FEDERATED_IDENTITY_CREDENTIAL_NAME}" --identity-name "${USER_ASSIGNED_IDENTITY_NAME}" --resource-group "${RESOURCE_GROUP}" --issuer "${AKS_OIDC_ISSUER}" --subject system:serviceaccount:azappconfig-system:az-appconfig-k8s-provider --audience api://AzureADTokenExchange
-    ```
-
-    ---
-
-6. Apply the following sample `AzureAppConfigurationProvider` resource to the Kubernetes cluster.
-   
-    ##### [Use custom service account](#tab/custom)
-
-    ``` yaml
-    apiVersion: azconfig.io/v1
-    kind: AzureAppConfigurationProvider
-    metadata:
-      name: appconfigurationprovider-sample
-    spec:
-      endpoint: <your-app-configuration-store-endpoint>
-      target:
-        configMapName: configmap-created-by-appconfig-provider
-      auth:
-        workloadIdentity:
-          serviceAccountName: my-service-account
-    ```
-
-    ##### [Use service account of provider](#tab/global)
+1. Apply the following sample `AzureAppConfigurationProvider` resource to the Kubernetes cluster. Be sure it's in the same namespace as the service account. Replace `<your-app-configuration-store-endpoint>` with the endpoint of the Azure App Configuration store. Replace `<your-service-account-name>` with the name of the service account just been created.
 
     ``` yaml
     apiVersion: azconfig.io/v1
     kind: AzureAppConfigurationProvider
     metadata:
       name: appconfigurationprovider-sample
+      namespace: default
     spec:
       endpoint: <your-app-configuration-store-endpoint>
       target:
         configMapName: configmap-created-by-appconfig-provider
       auth:
         workloadIdentity:
-          managedIdentityClientId: <your-managed-identity-client-id>
+          serviceAccountName: <your-service-account-name>
     ```
 
-    ---
-
 #### Use connection string
 
 1. Create a Kubernetes Secret in the same namespace as the `AzureAppConfigurationProvider` resource and add Azure App Configuration connection string with key *azure_app_configuration_connection_string* in the Secret.
