Merge pull request #101624 from mgreenegit/patch-12

PRMerger18 · web-flow · commit 4f6a144f1c07 · 2020-01-17T20:49:39.000-08:00
remove section for now
diff --git a/articles/governance/policy/how-to/guest-configuration-create.md b/articles/governance/policy/how-to/guest-configuration-create.md
@@ -232,55 +232,6 @@ You could also implement
 for machines in a private network, although this configuration applies only to accessing the package
 and not communicating with the service.
 
-### Working with secrets in Guest Configuration packages
-
-In Azure Policy Guest Configuration, the optimal way to manage secrets used at run time is to store
-them in Azure Key Vault. This design is implemented within custom DSC resources.
-
-1. Create a user-assigned managed identity in Azure.
-
-   The identity is used by machines to access secrets stored in Key Vault. For detailed steps, see
-   [Create, list or delete a user-assigned managed identity using Azure PowerShell](../../../active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-powershell.md).
-
-1. Create a Key Vault instance.
-
-   For detailed steps, see [Set and retrieve a secret - PowerShell](../../../key-vault/quick-create-powershell.md).
-   Assign permissions to the instance to give the user-assigned identity access to secrets stored in
-   Key Vault. For detailed steps, see
-   [Set and retrieve a secret - .NET](../../../key-vault/quick-create-net.md#give-the-service-principal-access-to-your-key-vault).
-
-1. Assign the user-assigned identity to your machine.
-
-   For detailed steps, see
-   [Configure managed identities for Azure resources on an Azure VM using PowerShell](../../../active-directory/managed-identities-azure-resources/qs-configure-powershell-windows-vm.md#user-assigned-managed-identity).
-   Assign this identity using Azure Resource Manager via Azure Policy at scale. For detailed steps,
-   see
-   [Configure managed identities for Azure resources on an Azure VM using a template](../../../active-directory/managed-identities-azure-resources/qs-configure-template-windows-vm.md#assign-a-user-assigned-managed-identity-to-an-azure-vm).
-
-1. Use the client ID generated above within your custom resource to access Key Vault using the token
-   available from the machine.
-
-   The `client_id` and url to the Key Vault instance can be passed to the resource as
-   [properties](/powershell/scripting/dsc/resources/authoringresourcemof#creating-the-mof-schema) so
-   the resource won't need to be updated for multiple environments or if the values need to be
-   changed.
-
-The following code sample can be used in a custom resource to retrieve secrets from Key Vault using
-a user-assigned identity. The value returned from the request to Key Vault is plain text. As a best
-practice, store it within a credential object.
-
-```azurepowershell-interactive
-# the following values should be input as properties
-$client_id = 'e3a78c9b-4dd2-46e1-8bfa-88c0574697ce'
-$keyvault_url = 'https://keyvaultname.vault.azure.net/secrets/mysecret'
-
-$access_token = ((Invoke-WebRequest -Uri "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&client_id=$client_id&resource=https%3A%2F%2Fvault.azure.net" -Method GET -Headers @{Metadata='true'}).Content | ConvertFrom-Json).access_token
-
-$value = ((Invoke-WebRequest -Uri $($keyvault_url+'?api-version=2016-10-01') -Method GET -Headers @{Authorization="Bearer $access_token"}).content | convertfrom-json).value |  ConvertTo-SecureString -asplaintext -force
-
-$credential = New-Object System.Management.Automation.PSCredential('secret',$value)
-```
-
 ## Test a Guest Configuration package
 
 After creating the Configuration package but before publishing it to Azure, you can test the
