updates

craigshoemaker · craigshoemaker · commit 54e205f39d48 · 2024-04-22T13:47:30.000-06:00
diff --git a/articles/container-apps/TOC.yml b/articles/container-apps/TOC.yml
@@ -162,16 +162,15 @@
   items:
   - name: Overview
     href: certificates-overview.md
-  - name: Manage Key Vault certificates
-    href: key-vault-certificates-manage.md
   - name: Custom domain with a free certificate
     href: custom-domains-managed-certificates.md
     displayName: managed certificate
   - name: Custom domain with an existing certificate
     href: custom-domains-certificates.md        
   - name: Custom DNS suffix for your environment
     href: environment-custom-dns-suffix.md
-
+  - name: Certificates from Key Vault
+    href: key-vault-certificates-manage.md
 - name: Authentication
   items:
     - name: Overview
diff --git a/articles/container-apps/certificates-overview.md b/articles/container-apps/certificates-overview.md
@@ -21,10 +21,9 @@ The following table lists the options available to manage certificates in Contai
 |---|---|
 | [Custom domain with a free certificate](./custom-domains-managed-certificates.md) | A private certificate that's free of charge and easy to use if you just need to secure your custom domain in Container Apps. |
 | [Custom domain with an existing certificate](./custom-domains-certificates) | You can upload a private certificate if you already have one. |
-
-If you chose to manage your own certificate, you can use [Azure Key Vault certificates](./key-vault-certificates-manage.md) to handle security.
+| [Certificates from Azure Key Vault](./key-vault-certificates-manage.md) | When you use Azure Key Vault, you get features like automatic renewal and  notifications for lifecycle events. |
 
 ## Next steps
 
 > [!div class="nextstepaction"]
-> [Set up custom domain with an existing certificate](custom-domains-certificates.md)
+> [Certificates from Key Vault](custom-domains-certificates.md)
diff --git a/articles/container-apps/key-vault-certificates-manage.md b/articles/container-apps/key-vault-certificates-manage.md
@@ -1,59 +1,53 @@
 ---
-title: Manage Azure Key Vault certificates in Azure Container Apps
+title: Import certificates from Azure Key Vault to Azure Container Apps
 description: Learn to managing secure certificates in Azure Container Apps.
 services: container-apps
 author: craigshoemaker
 ms.service: container-apps
 ms.topic: how-to
-ms.date: 04/16/2024
+ms.date: 04/22/2024
 ms.author: cshoe
 ---
 
-# Manage Azure Key Vault certificates in Azure Container Apps
+# Import certificates from Azure Key Vault to Azure Container Apps (preview)
 
-Securing communication across different services requires the management of critical security information such as secrets, credentials, certificates, and keys. Continuing to keep these values current requires reliable methods to handle updates, renewals, and monitoring of all your security related information. Managing these values by hand is error prone and mistakes are tough to detect and fix.
-
-You can set up Azure Key Vault to manage your container app's certificates to handle updates, renewals, and monitoring. Links between your container app environment to Azure Key Vault use managed identity and security best practices.
-
-You can use Azure Key Vault to manage your Container Apps environment's certificates via the `az containerapp env certificate upload` command.
+You can set up Azure Key Vault to manage your container app's certificates to handle updates, renewals, and monitoring. Without Key Vault, you're left managing your certificate manually, which means you can't manage certificates in a central location and can't take advantage of lifecycle automation or notifications.
 
 ## Prerequisites
 
-To manage certificates in Azure Key Vault, you need an existing instance of Key Vault, your container app environment properly configured, and your Azure CLI version up to date.
+- [Azure Key Vault](/azure/key-vault/): Make sure you have a certificate stored in Azure Key Vault.
 
-### Azure Key Vault
-
-An [Azure Key Vault](/azure/key-vault/general/manage-with-cli2) instance is required to store your certificate. Make the following updates to your Key Vault instance:
+- [Assign a Key Vault access policy](../key-vault/general/assign-access-policy-cli.md): By default, your container app doesn't have access to your vault. To use a key vault for a certificate deployment, you must [authorize read access for the resource provider to the vault](../key-vault/general/assign-access-policy-cli.md).
 
-1. Open the [Azure portal](https://portal.azure.com) and find your instance of Azure Key Vault.
+- [Azure CLI](/cli/azure/install-azure-cli): You need the Azure CLI updated with the Azure Container Apps extension version `0.3.49` or higher. Use the `list-available` command to view your extension's version number.
 
-1. Edit the Identity Access Management (IAM) access control and set yourself as a *Key Vault Administrator*.
+    ```azurecli
+    az extension list-available --output table | findstr containerapp
+    ```
 
-1. Go to your certificate's details and copy the value for *Secret Identifier* and paste it into a text editor for use in an upcoming step.
+    If you need to upgrade your extension, then use the `upgrade` parameter with the `add` command:
 
-By default, your container app doesn't have access to your vault. To use a key vault for a certificate deployment, you must [authorize read access for the resource provider to the vault](../key-vault/general/assign-access-policy-cli.md).
+    ```azurecli
+    az extension add --name containerapp --upgrade`
+    ```
 
-### Azure Container Apps
+## Enable managed identity
 
-1. Open the [Azure portal](https://portal.azure.com) and find your instance of your Azure Container Apps environment.
+An [Azure Key Vault](/azure/key-vault/general/manage-with-cli2) instance is required to store your certificate. Make the following updates to your Key Vault instance:
 
-1. Go to the *Identity* tab and set *RBAC* to either **Key Vault Data Access Administrator** or **Key Vault Secrets User**.
+1. Open the [Azure portal](https://portal.azure.com) and find your instance of Azure Key Vault.
 
-### Azure CLI
+1. Edit the Identity Access Management (IAM) access control and set yourself as a *Key Vault Administrator*.
 
-You need the [Azure CLI](/cli/azure/install-azure-cli) with the Azure Container Apps extension version `0.3.49` or higher. Use the `list-available` command to view your extension's version number.
+1. Go to your certificate's details and copy the value for *Secret Identifier* and paste it into a text editor for use in an upcoming step.
 
-```azurecli
-az extension list-available --output table | findstr containerapp
-```
+## Assign roles
 
-If you need to upgrade your extension, then use the `upgrade` parameter with the `add` command:
+1. Open the [Azure portal](https://portal.azure.com) and find your instance of your Azure Container Apps environment where you want to import a certificate.
 
-```azurecli
-az extension add --name containerapp --upgrade`
-```
+1. Go to the *Identity* tab and set *RBAC* to **Key Vault Secrets User**.
 
-## Add a certificate
+## Import a certificate
 
 Once you authorize your container app to read the vault, you can use the `az containerapp env certificate upload` command to associate your vault with your Container Apps environment.
 
@@ -67,7 +61,7 @@ az containerapp env certificate upload \
   --certificate-identity <CERTIFICATE_IDENTITY>
 ```
 
-## Next steps
+## Related
 
 > [!div class="nextstepaction"]
 > [Manage secrets](manage-secrets.md)
