Merge pull request #96211 from jacwil/patch-3

Jak-MS · web-flow · commit 7428b3d8f856 · 2022-09-26T13:31:05.000-07:00
Update key-vault-linux.md
diff --git a/articles/virtual-machines/extensions/key-vault-linux.md b/articles/virtual-machines/extensions/key-vault-linux.md
@@ -100,8 +100,8 @@ The following JSON shows the schema for the Key Vault VM extension. The extensio
           "observedCertificates": <list of KeyVault URIs representing monitored certificates, e.g.: ["https://myvault.vault.azure.net/secrets/mycertificate", "https://myvault.vault.azure.net/secrets/mycertificate2"]>
         },
         "authenticationSettings": {
-                "msiEndpoint":  <Optional MSI endpoint e.g.: "http://169.254.169.254/metadata/identity">,
-                "msiClientId":  <Optional MSI identity e.g.: "c7373ae5-91c2-4165-8ab6-7381d6e75619">
+          "msiEndpoint":  <Required when msiClientId is provided. MSI endpoint e.g. for most Azure VMs: "http://169.254.169.254/metadata/identity">,
+          "msiClientId":  <Required when VM has any user assigned identities. MSI identity e.g.: "c7373ae5-91c2-4165-8ab6-7381d6e75619".>
         }
        }
       }
@@ -114,7 +114,7 @@ The following JSON shows the schema for the Key Vault VM extension. The extensio
 > This is because the `/secrets` path returns the full certificate, including the private key, while the `/certificates` path does not. More information about certificates can be found here: [Key Vault Certificates](../../key-vault/general/about-keys-secrets-certificates.md)
 
 > [!IMPORTANT]
-> The 'authenticationSettings' property is **required** for VMs with **user assigned identities**.
+> The 'authenticationSettings' property is **required** for VMs with any **user assigned identities**. Even if you want to use a system assigned identity this is still required otherwise the VM extension will not know which identity to use. Without this section, a VM with user assigned identities will result in the Key Vault extension failing and being unable to download certificates.
 > Set msiClientId to the identity that will authenticate to Key Vault.
 > 
 > Also **required** for **Azure Arc-enabled VMs**.

Original file line number	Diff line number	Diff line change
`@@ -100,8 +100,8 @@ The following JSON shows the schema for the Key Vault VM extension. The extensio`
`100`	`100`	`"observedCertificates": <list of KeyVault URIs representing monitored certificates, e.g.: ["https://myvault.vault.azure.net/secrets/mycertificate", "https://myvault.vault.azure.net/secrets/mycertificate2"]>`
`101`	`101`	`},`
`102`	`102`	`"authenticationSettings": {`
`103`		`- "msiEndpoint": <Optional MSI endpoint e.g.: "http://169.254.169.254/metadata/identity">,`
`104`		`- "msiClientId": <Optional MSI identity e.g.: "c7373ae5-91c2-4165-8ab6-7381d6e75619">`
	`103`	`+ "msiEndpoint": <Required when msiClientId is provided. MSI endpoint e.g. for most Azure VMs: "http://169.254.169.254/metadata/identity">,`
	`104`	`+ "msiClientId": <Required when VM has any user assigned identities. MSI identity e.g.: "c7373ae5-91c2-4165-8ab6-7381d6e75619".>`
`105`	`105`	`}`
`106`	`106`	`}`
`107`	`107`	`}`
`@@ -114,7 +114,7 @@ The following JSON shows the schema for the Key Vault VM extension. The extensio`
`114`	`114`	> This is because the `/secrets` path returns the full certificate, including the private key, while the `/certificates` path does not. More information about certificates can be found here: [Key Vault Certificates](../../key-vault/general/about-keys-secrets-certificates.md)
`115`	`115`
`116`	`116`	`> [!IMPORTANT]`
`117`		`-> The 'authenticationSettings' property is required for VMs with user assigned identities.`
	`117`	`+> The 'authenticationSettings' property is required for VMs with any user assigned identities. Even if you want to use a system assigned identity this is still required otherwise the VM extension will not know which identity to use. Without this section, a VM with user assigned identities will result in the Key Vault extension failing and being unable to download certificates.`
`118`	`118`	`> Set msiClientId to the identity that will authenticate to Key Vault.`
`119`	`119`	`>`
`120`	`120`	`> Also required for Azure Arc-enabled VMs.`