Merge pull request #283488 from ghugo/gagehugo/managed-identity

Stacyrch140 · web-flow · commit 6f4d51e274c6 · 2024-08-13T13:35:11.000-04:00
Update how-to-credential-manager-key-vault.md
diff --git a/articles/operator-nexus/how-to-credential-manager-key-vault.md b/articles/operator-nexus/how-to-credential-manager-key-vault.md
@@ -22,31 +22,104 @@ Azure Operator Nexus utilizes secrets and certificates to manage component secur
 > [!NOTE]
 > A single Key Vault can be used for any number of clusters.
 
-## Writing Credential Updates to a Customer Key Vault on Nexus Cluster
+## Configure Managed Identity for Cluster Manager
+
+Beginning with the 2024-06-01-public-preview API, managed identities are used in the Cluster Manager for write access to rotated credentials to a key vault. The Cluster Manager identity can be system-assigned or [user-assigned](/entra/identity/managed-identities-azure-resources/how-manage-user-assigned-managed-identities), and can be managed directly via APIs or via CLI.
+
+These examples describe how to configure a managed identity for a Cluster Manager.
+
+- Create or update Cluster Manager with system-assigned identity
+```
+        az networkcloud clustermanager create --name "clusterManagerName" --location "location" \
+        --analytics-workspace-id "/subscriptions/subscriptionId/resourceGroups/resourceGroupName/providers/microsoft.operationalInsights/workspaces/logAnalyticsWorkspaceName" \
+        --fabric-controller-id "/subscriptions/subscriptionId/resourceGroups/resourceGroupName/providers/Microsoft.ManagedNetworkFabric/networkFabricControllers/fabricControllerName" \
+        --managed-resource-group-configuration name="my-managed-rg" --tags key1="myvalue1" key2="myvalue2" --resource-group "resourceGroupName" --mi-system-assigned
+```
+
+- Create or update Cluster Manager with user-assigned identity
+```
+        az networkcloud clustermanager create --name <Cluster Manager Name> --location <Location> \
+        --analytics-workspace-id "/subscriptions/subscriptionId/resourceGroups/resourceGroupName/providers/microsoft.operationalInsights/workspaces/logAnalyticsWorkspaceName" \
+        --fabric-controller-id "/subscriptions/subscriptionId/resourceGroups/resourceGroupName/providers/Microsoft.ManagedNetworkFabric/networkFabricControllers/fabricControllerName" \
+        --managed-resource-group-configuration name="my-managed-rg" --tags key1="myvalue1" key2="myvalue2" \
+        --resource-group <Resource Group Name> --mi-user-assigned "/subscriptions/subscriptionId/resourceGroups/resourceGroupName/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myUAI"
+```
+
+- Add system assigned identity to Cluster Manager
+```
+        az networkcloud clustermanager update --name <Cluster Manager Name> --resource-group <Resource Group Name> --mi-system-assigned
+```
+
+- Add user assigned identity to Cluster Manager
+```
+        az networkcloud clustermanager update --name <Cluster Manager Name> --resource-group <Resource Group Name> \
+        --mi-user-assigned "/subscriptions/subscriptionId/resourceGroups/resourceGroupName/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myUAI"
+```
+
+## Get the Principal ID for the Managed Identity
+
+Once a managed identity is configured, use the CLI to view the identity and the associated principal ID data within the cluster manager.
+
+Example:
+
+```console
+az networkcloud clustermanager show --ids /subscriptions/<Subscription ID>/resourceGroups/<Cluster Manager Resource Group Name>/providers/Microsoft.NetworkCloud/clusterManagers/<Cluster Manager Name>
+```
+
+System-assigned identity example:
+```
+    "identity": {
+        "principalId": "2cb564c1-b4e5-4c71-bbc1-6ae259aa5f87",
+        "tenantId": "72f988bf-86f1-41af-91ab-2d7cd011db47",
+        "type": "SystemAssigned"
+    },
+```
+
+User-assigned identity example:
+```
+    "identity": {
+        "type": "UserAssigned",
+        "userAssignedIdentities": {
+            "/subscriptions/<subscriptionID>/resourcegroups/<resourceGroupName>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<userAssignedIdentityName>": {
+                "clientId": "e67dd610-99cf-4853-9fa0-d236b214e984",
+                "principalId": "8e6d23d6-bb6b-4cf3-a00f-4cd640ab1a24"
+            }
+        }
+    },
+```
+
+## Using App IDs for Key Vault Access
+
+> [!IMPORTANT]
+> Use of App IDs for Customer Key Vault access is deprecated and support will be removed in a future version. It is recommended to use managed identity principals.
+
+Instead of managed identities, the following application IDs grant access to the Key Vault.
 
 - Ensure that the *Microsoft.NetworkCloud* resource provider is registered with the customer subscription.
 
 ```console
 az provider register --namespace 'Microsoft.NetworkCloud' --subscription <Subscription ID>
 ```
 
-- Assign the *Operator Nexus Key Vault Writer Service Role*. Ensure that *Azure role-based access control* is selected as the permission model for the key vault on the *Access configuration* view. Then from the *Access control (IAM)* view, select to add a role assignment.
-
-| Role Name                                              | Role Definition ID                   |
-|:-------------------------------------------------------|:-------------------------------------|
-| Operator Nexus Key Vault Writer Service Role (Preview) | 44f0a1a8-6fea-4b35-980a-8ff50c487c97 |
+- When assigned role access to the key vault, use the following App IDs as principal IDs.
 
 | Environment | App Name              | App ID                               |
 |:------------|:----------------------|:-------------------------------------|
 | Production  | AFOI-NC-RP-PME-PROD   | 05cf5e27-931d-47ad-826d-cb9028d8bd7a |
 | Production  | AFOI-NC-MGMT-PME-PROD | 3365d4ea-bb16-4bc9-86dd-f2c8cf6f1f56 |
 
+## Writing Credential Updates to a Customer Key Vault on Nexus Cluster
+
+- Assign the *Operator Nexus Key Vault Writer Service Role*. Ensure that *Azure role-based access control* is selected as the permission model for the key vault on the *Access configuration* view. Then from the *Access Control* view, select to add a role assignment.
+
+| Role Name                                              | Role Definition ID                   |
+|:-------------------------------------------------------|:-------------------------------------|
+| Operator Nexus Key Vault Writer Service Role (Preview) | 44f0a1a8-6fea-4b35-980a-8ff50c487c97 |
+
 Example:
 
 ```console
-az role assignment create --assignee 05cf5e27-931d-47ad-826d-cb9028d8bd7a --role 44f0a1a8-6fea-4b35-980a-8ff50c487c97 --scope /subscriptions/<Subscription ID>/resourceGroups/<Resource Group Name>/providers/Microsoft.KeyVault/vaults/<Key Vault Name>
-
-az role assignment create --assignee 3365d4ea-bb16-4bc9-86dd-f2c8cf6f1f56 --role 44f0a1a8-6fea-4b35-980a-8ff50c487c97 --scope /subscriptions/<Subscription ID>/resourceGroups/<Resource Group Name>/providers/Microsoft.KeyVault/vaults/<Key Vault Name>
+az role assignment create --assignee <Managed Identity Principal Id> --role 44f0a1a8-6fea-4b35-980a-8ff50c487c97 --scope /subscriptions/<Subscription ID>/resourceGroups/<Resource Group Name>/providers/Microsoft.KeyVault/vaults/<Key Vault Name>
 ```
 
 - User associates the Customer Key Vault with the Operator Nexus cluster. The key vault resource ID must be configured in the cluster and enabled to store the secrets of the cluster.
