[APIM] KV access updates

gitName · gitName · commit a094065ee01e · 2025-02-21T15:52:00.000-08:00
diff --git a/articles/api-management/api-management-howto-properties.md b/articles/api-management/api-management-howto-properties.md
@@ -61,6 +61,7 @@ Using key vault secrets is recommended because it helps improve API Management s
 
 [!INCLUDE [api-management-key-vault-access](../../includes/api-management-key-vault-access.md)]
 
+[!INCLUDE [api-management-key-vault-secret-access](../../includes/api-management-key-vault-secret-access.md)]
 
 [!INCLUDE [api-management-key-vault-network](../../includes/api-management-key-vault-network.md)]
 
diff --git a/articles/api-management/api-management-howto-use-managed-service-identity.md b/articles/api-management/api-management-howto-use-managed-service-identity.md
@@ -123,10 +123,12 @@ The `tenantId` property identifies which Microsoft Entra tenant the identity bel
 
 ## Configure Key Vault access using a managed identity
 
-The following configurations are needed for API Management to access secrets and certificates from an Azure key vault.
+The following configurations are needed for API Management to access certificates from an Azure key vault.
 
 [!INCLUDE [api-management-key-vault-access](../../includes/api-management-key-vault-access.md)]
 
+[!INCLUDE [api-management-key-vault-certificate-access](../../includes/api-management-key-vault-certificate-access.md)]
+
 [!INCLUDE [api-management-key-vault-network](../../includes/api-management-key-vault-network.md)]
 
 ## Supported scenarios using system-assigned identity
diff --git a/articles/api-management/configure-custom-domain.md b/articles/api-management/configure-custom-domain.md
@@ -91,6 +91,7 @@ To fetch a TLS/SSL certificate, API Management must have the list and get secret
     
     [!INCLUDE [api-management-key-vault-access](../../includes/api-management-key-vault-access.md)]
 
+    [!INCLUDE [api-management-key-vault-certificate-access](../../includes/api-management-key-vault-certificate-access.md)]
 
 If the certificate is set to `autorenew` and your API Management tier has an SLA (that is, in all tiers except the Developer tier), API Management will pick up the latest version automatically, without downtime to the service.
 
diff --git a/includes/api-management-key-vault-access.md b/includes/api-management-key-vault-access.md
@@ -19,12 +19,3 @@ ms.author: danlep
     1. On the **Principal** tab,  **Select principal**, search for  the resource name of your managed identity, and then select **Next**.
          If you're using a system-assigned identity, the principal is the name of your API Management instance.
     1. Select **Next** again. On the **Review + create** tab, select **Create**.
-    
-    **To configure Azure RBAC access:<br/>**
-
-    1. In the left menu, select **Access control (IAM)**.
-    1. On the **Access control (IAM)** page, select **Add role assignment**.
-    1. On the **Role** tab, select **Key Vault Secrets User**.
-    1. On the **Members** tab, select **Managed identity** > **+ Select members**.
-    1. On the **Select managed identity** page, select the system-assigned managed identity or a user-assigned managed identity associated with your API Management instance, and then select **Select**.
-    1. Select **Review + assign**.
diff --git a/includes/api-management-key-vault-certificate-access.md b/includes/api-management-key-vault-certificate-access.md
@@ -0,0 +1,15 @@
+---
+author: dlepow
+ms.service: azure-api-management
+ms.topic: include
+ms.date: 02/21/2025
+ms.author: danlep
+---   
+**To configure Azure RBAC access:<br/>**
+
+1. In the left menu, select **Access control (IAM)**.
+1. On the **Access control (IAM)** page, select **Add role assignment**.
+1. On the **Role** tab, select **Key Vault Certificate User**.
+1. On the **Members** tab, select **Managed identity** > **+ Select members**.
+1. On the **Select managed identity** page, select the system-assigned managed identity or a user-assigned managed identity associated with your API Management instance, and then select **Select**.
+1. Select **Review + assign**.
diff --git a/includes/api-management-key-vault-secret-access.md b/includes/api-management-key-vault-secret-access.md
@@ -0,0 +1,15 @@
+---
+author: dlepow
+ms.service: azure-api-management
+ms.topic: include
+ms.date: 02/21/2025
+ms.author: danlep
+---   
+**To configure Azure RBAC access:<br/>**
+
+1. In the left menu, select **Access control (IAM)**.
+1. On the **Access control (IAM)** page, select **Add role assignment**.
+1. On the **Role** tab, select **Key Vault Secrets User**.
+1. On the **Members** tab, select **Managed identity** > **+ Select members**.
+1. On the **Select managed identity** page, select the system-assigned managed identity or a user-assigned managed identity associated with your API Management instance, and then select **Select**.
+1. Select **Review + assign**.

Original file line number	Diff line number	Diff line change
`@@ -61,6 +61,7 @@ Using key vault secrets is recommended because it helps improve API Management s`
`61`	`61`
`62`	`62`	`[!INCLUDE [api-management-key-vault-access](../../includes/api-management-key-vault-access.md)]`
`63`	`63`
	`64`	`+[!INCLUDE [api-management-key-vault-secret-access](../../includes/api-management-key-vault-secret-access.md)]`
`64`	`65`
`65`	`66`	`[!INCLUDE [api-management-key-vault-network](../../includes/api-management-key-vault-network.md)]`
`66`	`67`
Original file line number	Diff line number	Diff line change
`@@ -91,6 +91,7 @@ To fetch a TLS/SSL certificate, API Management must have the list and get secret`
`91`	`91`
`92`	`92`	`[!INCLUDE [api-management-key-vault-access](../../includes/api-management-key-vault-access.md)]`
`93`	`93`
	`94`	`+ [!INCLUDE [api-management-key-vault-certificate-access](../../includes/api-management-key-vault-certificate-access.md)]`
`94`	`95`
`95`	`96`	If the certificate is set to `autorenew` and your API Management tier has an SLA (that is, in all tiers except the Developer tier), API Management will pick up the latest version automatically, without downtime to the service.
`96`	`97`