Merge pull request #295138 from dlepow/fixnv

v-dirichards · web-flow · commit 408e66f4cf08 · 2025-02-24T14:05:52.000-06:00
[APIM] Update roles for KV access
diff --git a/articles/api-management/api-management-howto-properties.md b/articles/api-management/api-management-howto-properties.md
@@ -17,7 +17,7 @@ ms.custom: engagement-fy23, devx-track-azurecli
 
 [API Management policies](api-management-howto-policies.md) are a powerful capability of the system that allow the publisher to change the behavior of the API through configuration. Policies are a collection of statements that are executed sequentially on the request or response of an API. Policy statements can be constructed using literal text values, policy expressions, and named values.
 
-*Named values* are a global collection of name/value pairs in each API Management instance. There is no imposed limit on the number of items in the collection. Named values can be used to manage constant string values and secrets across all API configurations and policies. 
+*Named values* are a global collection of name/value pairs in each API Management instance. There's no imposed limit on the number of items in the collection. Named values can be used to manage constant string values and secrets across all API configurations and policies. 
 
 :::image type="content" source="media/api-management-howto-properties/named-values.png" alt-text="Named values in the Azure portal":::
 
@@ -44,10 +44,10 @@ Using key vault secrets is recommended because it helps improve API Management s
 * Secrets updated in the key vault are automatically rotated in API Management. After update in the key vault, a named value in API Management is updated within 4 hours. You can also manually refresh the secret using the Azure portal or via the management REST API.
 
 > [!NOTE]
-> The secrets stored in Azure Key Vault must be between 1 and 4096 characters, as API Management cannot retrieve values that exceed this limit.
+> The secrets stored in Azure Key Vault must be between 1 and 4096 characters, as API Management can't retrieve values that exceed this limit.
 ## Prerequisites
 
-* If you have not created an API Management service instance yet, see [Create an API Management service instance](get-started-create-service-instance.md).
+* If you haven't created an API Management service instance yet, see [Create an API Management service instance](get-started-create-service-instance.md).
 
 ### Prerequisites for key vault integration
 
@@ -59,8 +59,7 @@ Using key vault secrets is recommended because it helps improve API Management s
 
 - Enable a system-assigned or user-assigned [managed identity](api-management-howto-use-managed-service-identity.md) in the API Management instance.
 
-[!INCLUDE [api-management-key-vault-access](../../includes/api-management-key-vault-access.md)]
-
+[!INCLUDE [api-management-key-vault-secret-access](../../includes/api-management-key-vault-secret-access.md)]
 
 [!INCLUDE [api-management-key-vault-network](../../includes/api-management-key-vault-network.md)]
 
@@ -134,7 +133,7 @@ az apim nv show --resource-group apim-hello-word-resource-group \
     --service-name apim-hello-world --named-value-id named_value_01
 ```
 
-This example is a secret value. The previous command does not return the value. To see the value, run the [az apim nv show-secret](/cli/azure/apim/nv#az-apim-nv-show-secret) command:
+This example is a secret value. The previous command doesn't return the value. To see the value, run the [az apim nv show-secret](/cli/azure/apim/nv#az-apim-nv-show-secret) command:
 
 ```azurecli
 az apim nv show-secret --resource-group apim-hello-word-resource-group \
diff --git a/articles/api-management/api-management-howto-use-managed-service-identity.md b/articles/api-management/api-management-howto-use-managed-service-identity.md
@@ -123,9 +123,9 @@ The `tenantId` property identifies which Microsoft Entra tenant the identity bel
 
 ## Configure Key Vault access using a managed identity
 
-The following configurations are needed for API Management to access secrets and certificates from an Azure key vault.
+The following configurations are needed for API Management to access certificates from an Azure key vault.
 
-[!INCLUDE [api-management-key-vault-access](../../includes/api-management-key-vault-access.md)]
+[!INCLUDE [api-management-key-vault-certificate-access](../../includes/api-management-key-vault-certificate-access.md)]
 
 [!INCLUDE [api-management-key-vault-network](../../includes/api-management-key-vault-network.md)]
 
diff --git a/articles/api-management/configure-custom-domain.md b/articles/api-management/configure-custom-domain.md
@@ -89,8 +89,7 @@ To fetch a TLS/SSL certificate, API Management must have the list and get secret
     1. On the **Managed identities** page of your API Management instance, enable a system-assigned or user-assigned [managed identity](api-management-howto-use-managed-service-identity.md). Note the principal ID on that page.
     1.  Assign permissions to the managed identity to access the key vault. Use steps in the following section.
     
-    [!INCLUDE [api-management-key-vault-access](../../includes/api-management-key-vault-access.md)]
-
+    [!INCLUDE [api-management-key-vault-certificate-access](../../includes/api-management-key-vault-certificate-access.md)]
 
 If the certificate is set to `autorenew` and your API Management tier has an SLA (that is, in all tiers except the Developer tier), API Management will pick up the latest version automatically, without downtime to the service.
 
diff --git a/includes/api-management-key-vault-access.md b/includes/api-management-key-vault-access.md
@@ -11,20 +11,14 @@ ms.author: danlep
 1. In the left menu, select **Access configuration**, and note the **Permission model** that is configured.
 1. Depending on the permission model, configure either a [key vault access policy](/azure/key-vault/general/assign-access-policy) or [Azure RBAC access](/azure/key-vault/general/rbac-guide) for an API Management managed identity.
     
-    **To add a key vault access policy:<br/>**
-    
-    1. In the left menu, select **Access policies**.
-    1. On the **Access policies** page,select **+ Create**.
-    1. On the **Permissions** tab, under **Secret permissions**, select **Get** and **List**, then select **Next**.
-    1. On the **Principal** tab,  **Select principal**, search for  the resource name of your managed identity, and then select **Next**.
-         If you're using a system-assigned identity, the principal is the name of your API Management instance.
-    1. Select **Next** again. On the **Review + create** tab, select **Create**.
+**To add a key vault access policy:<br/>**
+
+1. In the left menu, select **Access policies**.
+1. On the **Access policies** page, select **+ Create**.
+1. On the **Permissions** tab, under **Secret permissions**, select **Get** and **List**, then select **Next**.
+1. On the **Principal** tab,  **Select principal**, search for  the resource name of your managed identity, and then select **Next**.
+     If you're using a system-assigned identity, the principal is the name of your API Management instance.
+1. Select **Next** again. On the **Review + create** tab, select **Create**.
+
     
-    **To configure Azure RBAC access:<br/>**
 
-    1. In the left menu, select **Access control (IAM)**.
-    1. On the **Access control (IAM)** page, select **Add role assignment**.
-    1. On the **Role** tab, select **Key Vault Certificate User**.
-    1. On the **Members** tab, select **Managed identity** > **+ Select members**.
-    1. On the **Select managed identity** page, select the system-assigned managed identity or a user-assigned managed identity associated with your API Management instance, and then select **Select**.
-    1. Select **Review + assign**.
diff --git a/includes/api-management-key-vault-certificate-access.md b/includes/api-management-key-vault-certificate-access.md
@@ -0,0 +1,17 @@
+---
+author: dlepow
+ms.service: azure-api-management
+ms.topic: include
+ms.date: 02/21/2025
+ms.author: danlep
+---   
+[!INCLUDE [api-management-key-vault-access](api-management-key-vault-access.md)]
+    
+**To configure Azure RBAC access:<br/>**
+
+1. In the left menu, select **Access control (IAM)**.
+1. On the **Access control (IAM)** page, select **Add role assignment**.
+1. On the **Role** tab, select **Key Vault Certificate User**.
+1. On the **Members** tab, select **Managed identity** > **+ Select members**.
+1. On the **Select managed identity** page, select the system-assigned managed identity or a user-assigned managed identity associated with your API Management instance, and then select **Select**.
+1. Select **Review + assign**.
diff --git a/includes/api-management-key-vault-secret-access.md b/includes/api-management-key-vault-secret-access.md
@@ -0,0 +1,17 @@
+---
+author: dlepow
+ms.service: azure-api-management
+ms.topic: include
+ms.date: 02/21/2025
+ms.author: danlep
+---   
+[!INCLUDE [api-management-key-vault-access](api-management-key-vault-access.md)]
+    
+**To configure Azure RBAC access:<br/>**
+
+1. In the left menu, select **Access control (IAM)**.
+1. On the **Access control (IAM)** page, select **Add role assignment**.
+1. On the **Role** tab, select **Key Vault Secrets User**.
+1. On the **Members** tab, select **Managed identity** > **+ Select members**.
+1. On the **Select managed identity** page, select the system-assigned managed identity or a user-assigned managed identity associated with your API Management instance, and then select **Select**.
+1. Select **Review + assign**.
