
Commit 2d7fe22

Addressing GitIssues
1 parent 60d4247 commit 2d7fe22

1 file changed

+26
-38
lines changed

articles/aks/update-credentials.md

Lines changed: 26 additions & 38 deletions
@@ -1,23 +1,16 @@
11
---
2-
title: Reset the credentials for a cluster
3-
titleSuffix: Azure Kubernetes Service
4-
description: Learn how update or reset the service principal or Azure AD Application credentials for an Azure Kubernetes Service (AKS) cluster.
2+
title: Update or rotate the credentials for an Azure Kubernetes Service (AKS) cluster
3+
description: Learn how update or rotate the service principal or Azure AD Application credentials for an Azure Kubernetes Service (AKS) cluster.
54
ms.topic: article
6-
ms.date: 03/11/2019
7-
5+
ms.date: 02/28/2023
86
---
97

10-
# Update or rotate the credentials for Azure Kubernetes Service (AKS)
11-
12-
AKS clusters created with a service principal have a one-year expiration time. As you near the expiration date, you can reset the credentials to extend the service principal for an additional period of time. You may also want to update, or rotate, the credentials as part of a defined security policy. This article details how to update these credentials for an AKS cluster.
8+
# Update or rotate the credentials for an Azure Kubernetes Service (AKS) cluster
139

14-
You may also have [integrated your AKS cluster with Azure Active Directory (Azure AD)][aad-integration], and use it as an authentication provider for your cluster. In that case you will have 2 more identities created for your cluster, the Azure AD Server App and the Azure AD Client App, you may also reset those credentials.
15-
16-
Alternatively, you can use a managed identity for permissions instead of a service principal. Managed identities are easier to manage than service principals and do not require updates or rotations. For more information, see [Use managed identities](use-managed-identity.md).
10+
AKS clusters created with a service principal have a one-year expiration time. As you near the expiration date, you can reset the credentials to extend the service principal for an additional period of time. You may also want to update, or rotate, the credentials as part of a defined security policy. AKS clusters [integrated with Azure Active Directory (Azure AD)][aad-integration] as an authentication provider have two more identities: the Azure AD Server App and the Azure AD Client App. This article details how to update the service principal and Azure AD credentials for an AKS cluster.
1711

1812
> [!NOTE]
19-
> - When you use the `az aks create` command to generate the service principal automatically, the service principal credentials are written to the file `~/.azure/aksServicePrincipal.json` on the machine used to run the command
20-
> - If you don't specify a service principal with Azure CLI commands, the default service principal located at `~/.azure/aksServicePrincipal.json` is used
13+
> Alternatively, you can use a managed identity for permissions instead of a service principal. Managed identities don't require updates or rotations. For more information, see [Use managed identities](use-managed-identity.md).
2114
2215
## Before you begin
2316

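Review bot: the new `description:` line still reads "Learn how update or rotate", missing "to"; suggest "Learn how to update or rotate the service principal or Azure AD application credentials for an Azure Kubernetes Service (AKS) cluster." Separately, dropping the two NOTE bullets about `~/.azure/aksServicePrincipal.json` removes the only statement in the article that `az aks create` writes the generated service principal credentials to a plaintext file on the operator's machine and that this file is used by default when no service principal is given. If that behaviour is still current, keep the note (it tells readers where a copy of the secret being rotated lives and should be cleaned up); if it was removed because the behaviour changed, say so in the commit message, since "Addressing GitIssues" does not explain it.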
@@ -28,24 +21,24 @@ You need the Azure CLI version 2.0.65 or later installed and configured. Run `a
2821
When you want to update the credentials for an AKS cluster, you can choose to either:
2922

3023
* Update the credentials for the existing service principal.
31-
* Create a new service principal and update the cluster to use these new credentials.
24+
* Create a new service principal and update the cluster to use these new credentials.
3225

3326
> [!WARNING]
3427
> If you choose to create a *new* service principal, wait around 30 minutes for the service principal permission to propagate across all regions. Updating a large AKS cluster to use these credentials may take a long time to complete.
3528
3629
### Check the expiration date of your service principal
3730

38-
To check the expiration date of your service principal, use the [az ad sp credential list][az-ad-sp-credential-list] command. The following example gets the service principal ID for the cluster named *myAKSCluster* in the *myResourceGroup* resource group using the [az aks show][az-aks-show] command. The service principal ID is set as a variable named *SP_ID* for use with the [az ad sp credential list][az-ad-sp-credential-list] command.
31+
To check the expiration date of your service principal, use the [`az ad app credential list`][az-ad-app-credential-list] command. The following example gets the service principal ID for the cluster named *myAKSCluster* in the *myResourceGroup* resource group using the [`az aks show`][az-aks-show] command. The service principal ID is set as a variable named *SP_ID*.
3932

4033
```azurecli
4134
SP_ID=$(az aks show --resource-group myResourceGroup --name myAKSCluster \
4235
--query servicePrincipalProfile.clientId -o tsv)
4336
az ad app credential list --id "$SP_ID" --query "[].endDateTime" -o tsv
4437
```
4538

46-
### Reset the existing service principal credential
39+
### Reset the existing service principal credentials
4740

48-
To update the credentials for the existing service principal, get the service principal ID of your cluster using the [az aks show][az-aks-show] command. The following example gets the ID for the cluster named *myAKSCluster* in the *myResourceGroup* resource group. The service principal ID is set as a variable named *SP_ID* for use in additional command. These commands use Bash syntax.
41+
To update the credentials for the existing service principal, get the service principal ID of your cluster using the [`az aks show`][az-aks-show] command. The following example gets the ID for the cluster named *myAKSCluster* in the *myResourceGroup* resource group. The service principal ID is set as a variable named *SP_ID* to use in additional command. These commands use Bash syntax.
4942

5043
> [!WARNING]
5144
> When you reset your cluster credentials on an AKS cluster that uses Azure Virtual Machine Scale Sets, a [node image upgrade][node-image-upgrade] is performed to update your nodes with the new credential information.
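Review bot: the rewritten paragraph (line 31+) still calls the value stored in *SP_ID* the "service principal ID", but the query `servicePrincipalProfile.clientId` returns the application (client) ID, which is also what `az ad app credential list --id` expects now that the command has moved from `az ad sp` to `az ad app`; suggest "the application (client) ID of the cluster's service principal" so the prose, the variable and the new command agree. The `* Create a new service principal ...` list item shows as changed with no visible text difference, which looks like a trailing-whitespace change only; fine to keep, but worth confirming that is all it is.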
@@ -55,25 +48,26 @@ SP_ID=$(az aks show --resource-group myResourceGroup --name myAKSCluster \
5548
--query servicePrincipalProfile.clientId -o tsv)
5649
```
5750

58-
With a variable set that contains the service principal ID, now reset the credentials using [az ad sp credential reset][az-ad-sp-credential-reset]. The following example lets the Azure platform generate a new secure secret for the service principal. This new secure secret is also stored as a variable.
51+
Use the variable containing the service principal ID to reset the credentials using the [`az ad app credential reset`][az-ad-app-credential-reset] command. The following example enables the Azure platform to generate a new secure secret for the service principal and stores it as a variable named *SP_SECRET*.
5952

6053
```azurecli-interactive
6154
SP_SECRET=$(az ad app credential reset --id "$SP_ID" --query password -o tsv)
6255
```
6356

64-
Now continue on to [update AKS cluster with new service principal credentials](#update-aks-cluster-with-new-service-principal-credentials). This step is necessary for the Service Principal changes to reflect on the AKS cluster.
57+
Next, you can [update AKS cluster with new service principal credentials](#update-aks-cluster-with-new-service-principal-credentials). This step is necessary for the Service Principal changes to reflect on the AKS cluster.
6558

6659
### Create a new service principal
6760

68-
If you chose to update the existing service principal credentials in the previous section, skip this step. Continue to [update AKS cluster with new service principal credentials](#update-aks-cluster-with-new-service-principal-credentials).
61+
> [!NOTE]
62+
> If you updated the existing service principal credentials in the previous section, skip this section and instead [update the AKS cluster with new service principal credentials](#update-aks-cluster-with-new-service-principal-credentials).
6963
70-
To create a service principal and then update the AKS cluster to use these new credentials, use the [az ad sp create-for-rbac][az-ad-sp-create] command.
64+
To create a service principal and update the AKS cluster to use the new credentials, use the [`az ad sp create-for-rbac`][az-ad-sp-create] command.
7165

7266
```azurecli-interactive
7367
az ad sp create-for-rbac --role Contributor --scopes /subscriptions/mySubscriptionID
7468
```
7569

76-
The output is similar to the following example. Make a note of your own `appId` and `password`. These values are used in the next step.
70+
The output is similar to the following example output. Make a note of your own `appId` and `password` to use in the next step.
7771

7872
```json
7973
{
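Review bot: the new sentence introducing `az ad app credential reset` (line 51+) should state that, without `--append`, the command replaces the application's existing password credentials, so any other workload authenticating with the same service principal stops working, and that the AKS cluster itself keeps using the old secret until `az aks update-credentials` is run; one sentence before the code block would cover it. In the unchanged context of the same hunk, `az ad sp create-for-rbac --role Contributor --scopes /subscriptions/mySubscriptionID` grants Contributor over the whole subscription; since this article is a credential-rotation procedure, consider scoping the example to the resource group(s) the cluster actually uses.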
@@ -84,39 +78,34 @@ The output is similar to the following example. Make a note of your own `appId`
8478
}
8579
```
8680

87-
Now define variables for the service principal ID and client secret using the output from your own [az ad sp create-for-rbac][az-ad-sp-create] command, as shown in the following example. The *SP_ID* is your *appId*, and the *SP_SECRET* is your *password*:
81+
Define variables for the service principal ID and client secret using your output from running the [`az ad sp create-for-rbac`][az-ad-sp-create] command. The *SP_ID* is your *appId*, and the *SP_SECRET* is your *password*.
8882

8983
```console
9084
SP_ID=7d837646-b1f3-443d-874c-fd83c7c739c5
9185
SP_SECRET=a5ce83c9-9186-426d-9183-614597c7f2f7
9286
```
9387

94-
Now continue on to [update AKS cluster with new service principal credentials](#update-aks-cluster-with-new-service-principal-credentials). This step is necessary for the Service Principal changes to reflect on the AKS cluster.
88+
Next, you can [update AKS cluster with new service principal credentials](#update-aks-cluster-with-new-service-principal-credentials). This step is necessary for the Service Principal changes to reflect on the AKS cluster.
9589

9690
## Update AKS cluster with new service principal credentials
9791

9892
> [!IMPORTANT]
99-
> For large clusters, updating the AKS cluster with a new service principal may take a long time to complete. Consider reviewing and customizing the [node surge upgrade settings][node-surge-upgrade] to minimize disruption during cluster updates and upgrades.
93+
> For large clusters, updating the AKS cluster with a new service principal may take a long time to complete. Consider reviewing and customizing the [node surge upgrade settings][node-surge-upgrade] to minimize disruption during cluster updates and upgrades. For small and midsize clusters, it takes a few moments for the new credentials to update in the cluster.
10094
101-
Regardless of whether you chose to update the credentials for the existing service principal or create a service principal, you now update the AKS cluster with your new credentials using the [az aks update-credentials][az-aks-update-credentials] command. The variables for the *--service-principal* and *--client-secret* are used:
95+
Update the AKS cluster with your new credentials using the [`az aks update-credentials`][az-aks-update-credentials] command.
10296

10397
```azurecli-interactive
10498
az aks update-credentials \
10599
--resource-group myResourceGroup \
106100
--name myAKSCluster \
107101
--reset-service-principal \
108102
--service-principal "$SP_ID" \
109-
--client-secret "${SP_SECRET:Q}"
103+
--client-secret "${SP_SECRET}"
110104
```
111105

112-
> [!NOTE]
113-
> `${SP_SECRET:Q}` escapes any special characters in `SP_SECRET`, which can cause the command to fail. The above example works for Azure Cloud Shell and zsh terminals. For BASH terminals, use `${SP_SECRET@Q}`.
114-
115-
For small and midsize clusters, it takes a few moments for the service principal credentials to be updated in the AKS.
106+
## Update AKS cluster with new Azure AD application credentials
116107

117-
## Update AKS Cluster with new Azure AD Application credentials
118-
119-
You may create new Azure AD Server and Client applications by following the [Azure AD integration steps][create-aad-app]. Or reset your existing Azure AD Applications following the [same method as for service principal reset](#reset-the-existing-service-principal-credential). After that you just need to update your cluster Azure AD Application credentials using the same [az aks update-credentials][az-aks-update-credentials] command but using the *--reset-aad* variables.
108+
You can create new Azure AD server and client applications by following the [Azure AD integration steps][create-aad-app], or reset your existing Azure AD applications following the [same method as for service principal reset](#reset-the-existing-service-principal-credentials). After that, you need to update your cluster Azure AD application credentials using the [`az aks update-credentials`][az-aks-update-credentials] command with the *--reset-aad* variables.
120109

121110
```azurecli-interactive
122111
az aks update-credentials \
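Review bot: "using the *--reset-aad* variables" (line 108+) is inaccurate; `--reset-aad` is a flag, and the values supplied are the `--aad-...` arguments shown in the code block that follows (for example `--aad-client-app-id`), so suggest "using the `--reset-aad` flag together with the Azure AD application IDs and secret". Replacing `"${SP_SECRET:Q}"` with `"${SP_SECRET}"` and dropping the NOTE is the right fix: `:Q` is a zsh modifier that bash rejects, and the double quotes already pass the secret through intact, so no extra escaping is needed. The removed NOTE's suggestion of `${SP_SECRET@Q}` would also have been wrong, because bash's `@Q` produces a shell-quoted string and would have passed the surrounding quote characters as part of the secret.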
@@ -128,10 +117,9 @@ az aks update-credentials \
128117
--aad-client-app-id <CLIENT APPLICATION ID>
129118
```
130119

131-
132120
## Next steps
133121

134-
In this article, the service principal for the AKS cluster itself and the Azure AD Integration Applications were updated. For more information on how to manage identity for workloads within a cluster, see [Best practices for authentication and authorization in AKS][best-practices-identity].
122+
In this article, you learned how to update or rotate service principal and Azure AD application credentials. For more information on how to manage identity for workloads within an AKS cluster, see [Best practices for authentication and authorization in AKS][best-practices-identity].
135123

136124
<!-- LINKS - internal -->
137125
[install-azure-cli]: /cli/azure/install-azure-cli
@@ -141,7 +129,7 @@ In this article, the service principal for the AKS cluster itself and the Azure
141129
[aad-integration]: ./azure-ad-integration-cli.md
142130
[create-aad-app]: ./azure-ad-integration-cli.md#create-azure-ad-server-component
143131
[az-ad-sp-create]: /cli/azure/ad/sp#az_ad_sp_create_for_rbac
144-
[az-ad-sp-credential-list]: /cli/azure/ad/sp/credential#az_ad_sp_credential_list
145-
[az-ad-sp-credential-reset]: /cli/azure/ad/sp/credential#az_ad_sp_credential_reset
132+
[az-ad-app-credential-list]: /cli/azure/ad/app/credential#az_ad_app_credential_list
133+
[az-ad-app-credential-reset]: /cli/azure/ad/app/credential#az_ad_app_credential_reset
146134
[node-image-upgrade]: ./node-image-upgrade.md
147135
[node-surge-upgrade]: upgrade-cluster.md#customize-node-surge-upgrade
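Review bot: the two new link definitions match the renamed references in the earlier hunks, and every use of the removed `[az-ad-sp-credential-list]` and `[az-ad-sp-credential-reset]` keys visible in this diff was updated, so no dangling reference remains as far as the diff shows; a search of the full file for the old keys is still worthwhile, since a leftover reference renders as literal bracketed text. Style nit in unchanged context: `[node-surge-upgrade]: upgrade-cluster.md#...` omits the `./` prefix the neighbouring relative links use.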
