Commit 240c48d

Merge pull request #100601 from jaysterp/patch-8
[ACR] Add Key Vault TSG for Transfer feature
2 parents ea4a7d6 + 3753ac7 commit 240c48d

1 file changed: +4 -1 lines changed

articles/container-registry/container-registry-transfer-troubleshooting.md

Lines changed: 4 additions & 1 deletion
@@ -12,6 +12,9 @@ ms.topic: article
1212
* **Template deployment failures or errors**
1313
* If a pipeline run fails, look at the `pipelineRunErrorMessage` property of the run resource.
1414
* For common template deployment errors, see [Troubleshoot ARM template deployments](../azure-resource-manager/templates/template-tutorial-troubleshoot.md)
15+
* **Problems accessing Key Vault**<a name="problems-accessing-key-vault"></a>
16+
* If your pipelineRun deployment fails with a `403 Forbidden` error when accessing Azure Key Vault, verify that your pipeline managed identity has adequate permissions.
17+
* A pipelineRun uses the exportPipeline or importPipeline managed identity to fetch the SAS token secret from your Key Vault. ExportPipelines and importPipelines are provisioned with either a system-assigned or user-assigned managed identity. This managed identity is required to have `secret get` permissions on the Key Vault in order to read the SAS token secret. Ensure that an access policy for the managed identity was added to the Key Vault. For more information, reference [Give the ExportPipeline identity keyvault policy access](./container-registry-transfer-cli.md#give-the-exportpipeline-identity-keyvault-policy-access) and [Give the ImportPipeline identity keyvault policy access](./container-registry-transfer-cli.md#give-the-importpipeline-identity-keyvault-policy-access).
1518
* **Problems accessing storage**<a name="problems-accessing-storage"></a>
1619
* If you see a `403 Forbidden` error from storage, you likely have a problem with your SAS token.
1720
* The SAS token might not currently be valid. The SAS token might be expired or the storage account keys might have changed since the SAS token was created. Verify that the SAS token is valid by attempting to use the SAS token to authenticate for access to the storage account container. For example, put an existing blob endpoint followed by the SAS token in the address bar of a new Microsoft Edge InPrivate window or upload a blob to the container with the SAS token by using `az storage blob upload`.
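Review bot: In the first added bullet (new line 16), "adequate permissions" leaves the required grant open, while the following bullet (new line 17) states that the identity needs `secret get` on the Key Vault; name that permission in the first bullet as well, so a reader fixing the `403 Forbidden` grants the pipeline identity only what it needs. The added text also writes pipelineRun, exportPipeline and importPipeline without code formatting and with mixed casing ("exportPipeline" vs "ExportPipelines"), whereas the neighbouring bullet puts `pipelineRunErrorMessage` in backticks, and the link text says "keyvault" where the prose says "Key Vault"; settle on one form for each.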
@@ -54,4 +57,4 @@ ms.topic: article
5457
[az-deployment-group-show]: /cli/azure/deployment/group#az_deployment_group_show
5558
[az-acr-repository-list]: /cli/azure/acr/repository#az_acr_repository_list
5659
[az-acr-import]: /cli/azure/acr#az_acr_import
57-
[az-resource-delete]: /cli/azure/resource#az_resource_delete
60+
[az-resource-delete]: /cli/azure/resource#az_resource_delete
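Review bot: The removed and added `[az-resource-delete]` lines at the end of this hunk are textually identical, so the change is whitespace or end-of-file newline only; confirm it is intentional and not an editor side effect, since it is unrelated to the Key Vault troubleshooting entry.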
