Merge pull request #207227 from ArchangelSDY/signalr-custom-domain

SignalR/Web PubSub: Add key vault RBAC content

Author: v-regandowner

articles/azure-signalr/howto-custom-domain.md

@@ -33,6 +33,14 @@ Azure SignalR Service uses Managed Identity to access your Key Vault. In order t
 
    :::image type="content" alt-text="Screenshot of enabling managed identity." source="media\howto-custom-domain\portal-identity.png" :::
 
+Depending on how you configure your Key Vault permission model, you may need to grant permissions at different places.
+
+#### [Vault access policy](#tab/vault-access-policy)
+
+If you're using Key Vault built-in access policy as Key Vault permission model:
+
+   :::image type="content" alt-text="Screenshot of built-in access policy selected as Key Vault permission model." source="media\howto-custom-domain\portal-key-vault-perm-model-access-policy.png" :::
+
 1. Go to your Key Vault resource.
 1. In the menu pane, select **Access configuration**. Click **Go to access policies**.
 1. Click **Create**. Select **Secret Get** permission and **Certificate Get** permission. Click **Next**.
@@ -46,6 +54,30 @@ Azure SignalR Service uses Managed Identity to access your Key Vault. In order t
 1. Skip **Application (optional)**. Click **Next**.
 1. In **Review + create**, click **Create**.
 
+#### [Azure role-based access control](#tab/azure-rbac)
+
+If you're using Azure role-based access control as Key Vault permission model:
+
+   :::image type="content" alt-text="Screenshot of Azure RBAC selected as Key Vault permission model." source="media\howto-custom-domain\portal-key-vault-perm-model-rbac.png" :::
+
+1. Go to your Key Vault resource.
+1. In the menu pane, select **Access control (IAM)**.
+1. Click **Add**. Select **Add role assignment**.
+
+   :::image type="content" alt-text="Screenshot of Key Vault IAM." source="media\howto-custom-domain\portal-key-vault-iam.png" :::
+
+1. Under the **Role** tab, select **Key Vault Secrets User**. Click **Next**.
+
+   :::image type="content" alt-text="Screenshot of role tab when adding role assignment to Key Vault." source="media\howto-custom-domain\portal-key-vault-role.png" :::
+
+1. Under the **Members** tab, select **Managed identity**. 1. Search for the Azure SignalR Service resource name or the user assigned identity name. Click **Next**.
+
+   :::image type="content" alt-text="Screenshot of members tab when adding role assignment to Key Vault." source="media\howto-custom-domain\portal-key-vault-members.png" :::
+
+1. Click **Review + assign**.
+
+-----
+
 ### Step 2: Create a custom certificate
 
 1. In the Azure portal, go to your Azure SignalR Service resource.

articles/azure-signalr/media/howto-custom-domain/portal-key-vault-iam.png

@@ -32,6 +32,14 @@ Azure Web PubSub Service uses Managed Identity to access your Key Vault. In orde
 
    :::image type="content" alt-text="Screenshot of enabling managed identity." source="media\howto-custom-domain\portal-identity.png" :::
 
+Depending on how you configure your Key Vault permission model, you may need to grant permissions at different places.
+
+#### [Vault access policy](#tab/vault-access-policy)
+
+If you're using Key Vault built-in access policy as Key Vault permission model:
+
+   :::image type="content" alt-text="Screenshot of built-in access policy selected as Key Vault permission model." source="media\howto-custom-domain\portal-key-vault-perm-model-access-policy.png" :::
+
 1. Go to your Key Vault resource.
 1. In the menu pane, select **Access configuration**. Click **Go to access policies**.
 1. Click **Create**. Select **Secret Get** permission and **Certificate Get** permission. Click **Next**.
@@ -45,6 +53,30 @@ Azure Web PubSub Service uses Managed Identity to access your Key Vault. In orde
 1. Skip **Application (optional)**. Click **Next**.
 1. In **Review + create**, click **Create**.
 
+#### [Azure role-based access control](#tab/azure-rbac)
+
+If you're using Azure role-based access control as Key Vault permission model:
+
+   :::image type="content" alt-text="Screenshot of Azure RBAC selected as Key Vault permission model." source="media\howto-custom-domain\portal-key-vault-perm-model-rbac.png" :::
+
+1. Go to your Key Vault resource.
+1. In the menu pane, select **Access control (IAM)**.
+1. Click **Add**. Select **Add role assignment**.
+
+   :::image type="content" alt-text="Screenshot of Key Vault IAM." source="media\howto-custom-domain\portal-key-vault-iam.png" :::
+
+1. Under the **Role** tab, select **Key Vault Secrets User**. Click **Next**.
+
+   :::image type="content" alt-text="Screenshot of role tab when adding role assignment to Key Vault." source="media\howto-custom-domain\portal-key-vault-role.png" :::
+
+1. Under the **Members** tab, select **Managed identity**. 1. Search for the Azure Web PubSub Service resource name or the user assigned identity name. Click **Next**.
+
+   :::image type="content" alt-text="Screenshot of members tab when adding role assignment to Key Vault." source="media\howto-custom-domain\portal-key-vault-members.png" :::
+
+1. Click **Review + assign**.
+
+-----
+
 ### Step 2: Create a custom certificate
 
 1. In the Azure portal, go to your Azure Web PubSub Service resource.