Merge pull request #225255 from cynthn/gallery-rbac

RBAC

Author: v-regandowner

articles/virtual-machines/azure-compute-gallery.md

@@ -6,7 +6,7 @@ ms.service: virtual-machines
 ms.subservice: gallery
 ms.topic: how-to
 ms.workload: infrastructure
-ms.date: 06/22/2022
+ms.date: 02/14/2023
 ms.author: saraic
 ms.reviewer: cynthn
 ms.custom: template-how-to, devx-track-azurecli 
@@ -23,11 +23,11 @@ The Azure Compute Gallery lets you share custom VM images and application packag
 
 The gallery is a top-level resource that can be shared in multiple ways:
 
-| Share with\: | Option |
-|----|----|
-| [Specific people, groups, or service principals](#create-a-private-gallery) | Role-based access control (RBAC) lets you share resources to specific people, groups, or service principals on a granular level. |
-| [Subscriptions or tenants](#create-a-direct-shared-gallery) | Direct shared gallery (preview) lets you share to everyone in a subscription or tenant. |
-| [Everyone](#create-a-community-gallery) | Community gallery (preview) lets you share your entire gallery publicly, to all Azure users. |
+| Sharing with: | People | Groups | Service Principal | All users in a specific subscription (or) tenant | Publicly with all users in   Azure |
+|---|---|---|---|---|---|
+| [RBAC Sharing](./share-gallery.md) | Yes | Yes | Yes | No | No |
+| RBAC + [Direct shared gallery](./share-gallery-direct.md)  | Yes | Yes | Yes | Yes | No |
+| RBAC + [Community gallery](./share-gallery-community.md) | Yes | Yes | Yes | No | Yes |
 
 ## Naming
 
@@ -37,16 +37,13 @@ Allowed characters for gallery name are uppercase (A-Z) and lowercase (a-z) lett
 ## Create a private gallery
 
 
-
-
-
 ### [Portal](#tab/portal)
 
 
 
 1. Sign in to the Azure portal at https://portal.azure.com.
 1. Type **Azure Compute Gallery** in the search box and select **Azure Compute Gallery** in the results.
-1. In the **Azure Compute Gallery** page, click **Add**.
+1. In the **Azure Compute Gallery** page, select **Add**.
 1. On the **Create Azure Compute Gallery** page, select the correct subscription.
 1. In **Resource group**, select a resource group from the drop-down or select **Create new** and type a name for the new resource group.
 1. In **Name**, type a name for the name of the gallery.
@@ -118,11 +115,13 @@ PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{
 >
 > You can't currently create a Flexible virtual machine scale set from an image shared to you by another tenant.
 
+To start sharing a direct shared gallery with a subscription or tenant, see [Share a gallery with a subscription or tenant](./share-gallery-direct.md).
+
 ### [Portal](#tab/portaldirect)
 
 1. Sign in to the Azure portal at https://portal.azure.com.
 1. Type **Azure Compute Gallery** in the search box and select **Azure Compute Gallery** in the results.
-1. In the **Azure Compute Gallery** page, click **Add**.
+1. In the **Azure Compute Gallery** page, select **Add**.
 1. On the **Create Azure Compute Gallery** page, select the correct subscription.
 1. Complete all of the details on the page.
 1. At the bottom of the page, select **Next: Sharing method**.
@@ -131,7 +130,7 @@ PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{
 
    :::image type="content" source="media/create-gallery/share-direct.png" alt-text="Screenshot showing the option to share using both role-based access control and share directly.":::
 
-1. When you are done, select **Review + create**.
+1. When you're done, select **Review + create**.
 1. After validation passes, select **Create**.
 1. When the deployment is finished, select **Go to resource**.
 
@@ -184,12 +183,12 @@ POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/
 
 ---
 
-To start sharing the gallery with a subscription or tenant, use see [Share a gallery with a subscription or tenant](./share-gallery-direct.md).
+
 
 <a name=community></a>
 ## Create a community gallery
 
-A [community gallery](azure-compute-gallery.md#community) is shared publicly with everyone. To create a community gallery, you create the gallery first, then enable it for sharing. The name of public instance of your gallery will be the prefix you provide, plus a unique GUID.
+A [community gallery](azure-compute-gallery.md#community) is shared publicly with everyone. To create a community gallery, you create the gallery first, then enable it for sharing. The name of public instance of your gallery is the prefix you provide, plus a unique GUID.
 
 During the preview, make sure that you create your gallery, image definitions, and image versions in the same region in order to share your gallery publicly.
 
@@ -198,21 +197,21 @@ During the preview, make sure that you create your gallery, image definitions, a
 > 
 > To publish a community gallery, you need to register for the preview at [https://aka.ms/communitygallery-preview](https://aka.ms/communitygallery-preview). Creating VMs from the community gallery is open to all Azure users.
 
-When creating an image to share with the community, you'll need to provide contact information. This information will be shown **publicly**, so be careful when providing:
+When creating an image to share with the community, you need to provide contact information. This information is shown **publicly**, so be careful when providing:
 - Community gallery prefix
 - Publisher support email
 - Publisher URL
 - Legal agreement URL
 
-Information from your image definitions will also be publicly available, like what you provide for **Publisher**, **Offer**, and **SKU**.
+Information from your image definitions is also publicly available, like what you provide for **Publisher**, **Offer**, and **SKU**.
 
 ### Prerequisites
 
  Only the owner of a subscription, or a user or service principal assigned to the `Compute Gallery Sharing Admin` role at the subscription or gallery level, can enable a gallery to go public to the community. To assign a role to a user, group, service principal or managed identity, see [Steps to assign an Azure role](../role-based-access-control/role-assignments-steps.md).
 
 ### [CLI](#tab/cli2)
 
-The `--public-name-prefix` value is used to create a name for the public version of your gallery. The `--public-name-prefix` will be the first part of the public name, and the last part will be a GUID, created by the platform, that is unique to your gallery.
+The `--public-name-prefix` value is used to create a name for the public version of your gallery. The `--public-name-prefix` is the first part of the public name, and the last part will be a GUID, created by the platform, that is unique to your gallery.
 
 ```azurecli-interactive
 location=westus
@@ -235,12 +234,12 @@ az sig create \
    --public-name-prefix $prefix
 ``` 
 
-The output of this command will give you the public name for your community gallery in the `sharingProfile` section, under `publicNames`.
+The output of this command gives you the public name for your community gallery in the `sharingProfile` section, under `publicNames`.
 
 To start sharing the gallery to all Azure users, see [Share images using a community gallery](share-gallery-community.md).
 
 ### [REST](#tab/rest2)
-To create gallery, submit a PUT request: 
+To create a gallery, submit a PUT request:
 
 ```rest
 PUT https://management.azure.com/subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/galleries/myGalleryName?api-version=2021-10-01
@@ -309,7 +308,7 @@ To start sharing the gallery to all Azure users, see [Share images using a commu
 ## Next steps
 
 - Create an [image definition and an image version](image-version.md).
-
+- Create a VM from a [generalized](vm-generalized-image-version.md#direct-shared-gallery) or [specialized](vm-specialized-image-version.md#direct-shared-gallery) image in a gallery.
 - [Create a VM application](vm-applications-how-to.md) in your gallery.
 
 

articles/virtual-machines/create-gallery.md

@@ -6,15 +6,13 @@ ms.service: virtual-machines
 ms.subservice: gallery
 ms.topic: how-to
 ms.workload: infrastructure
-ms.date: 05/13/2022
+ms.date: 02/14/2023
 ms.author: saraic
 ms.reviewer: cynthn
 ms.custom: 
 
 ---
 
-
-
 # Create an image definition and an image version 
 
 A [Azure Compute Gallery](shared-image-galleries.md) (formerly known as Shared Image Gallery) simplifies custom image sharing across your organization. Custom images are like marketplace images, but you create them yourself. Images can be created from a VM, VHD, snapshot, managed image, or another image version. 
@@ -325,6 +323,65 @@ PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{
 
 ---
 
+## Create an image in one tenant using the source image in another tenant
+
+In the subscription where the source image exists, grant reader permissions to the user. Once the user has reader permission to the source image, login to both accounts (source and target).
+
+You will need the `tenantID` of the source image, the `subscriptionID` for the subscription where the new image will be stored (target), and the `resourceID` of the source image.
+
+### [CLI](#tab/cli2)
+
+```azurecli-interactive
+# Set some variables
+tenantID="<tenant ID for the source image>"
+subID="<subscription ID where the image will be creted>"
+sourceImageID="<resource ID of the source image>"
+
+
+# Log in to the tenant where the source image is available
+az login --tenant $tenantID
+
+# Log back in to the subscription where the image will be created and ensure subscription context is set
+az login
+az account set --subscription $subID
+
+# Create the image
+az sig image-version create `
+   --gallery-image-definition myImageDef `
+   --gallery-image-version 1.0.0 `
+   --gallery-name myGallery `
+   --resource-group myResourceGroup `
+   --image-version $sourceImageID
+```
+
+
+### [PowerShell](#tab/powershell2)
+
+```azurepowershell-interactive
+# Set variables 
+$targetSubID = "<subscription ID for the target>"
+$sourceTenantID = "<tenant ID where for the source image>"
+$sourceImageID = "<resource ID of the source image>"
+
+#Login to the subscription where the new image will be created
+Connect-AzAccount -UseDeviceAuthentication -Subscription $targetSubID
+
+# Login to the tenant where the source image is published
+Connect-AzAccount -Tenant $sourceTenantID -UseDeviceAuthentication 
+
+# Set the context of the subscription where the new image will be created
+Set-AzContext -Subscription $targetSubID 
+
+# Create the image version from another image version in a different tenant
+New-AzGalleryImageVersion \
+   -ResourceGroupName myResourceGroup -GalleryName myGallery \
+   -GalleryImageDefinitionName myImageDef \
+   -Location "West US 2" \
+   -Name 1.0.0 \
+   -SourceImageId $sourceImageID
+```
+
+---
 
 ## Next steps
 

articles/virtual-machines/image-version.md

@@ -11,7 +11,7 @@ ms.reviewer: mattmcinnes
 ---
 # Create and Upload an OpenBSD disk image to Azure
 
-**Applies to:** :heavy_check_mark: Linux VMs :heavy_check_mark: Flexible scale sets 
+**Applies to:** :heavy_check_mark: Linux VMs :heavy_check_mark: Flexible scale sets
 
 This article shows you how to create and upload a virtual hard disk (VHD) that contains the OpenBSD operating system. After you upload it, you can use it as your own image to create a virtual machine (VM) in Azure through Azure CLI.
 

articles/virtual-machines/linux/create-upload-openbsd.md

@@ -33,11 +33,11 @@ Sharing images to the community is a new capability in [Azure Compute Gallery](.
 
 There are three main ways to share images in an Azure Compute Gallery, depending on who you want to share with:
 
-| Share with\: | Option |
-|----|----|
-| [Specific people, groups, or service principals](./share-gallery.md) | Role-based access control (RBAC) lets you share resources to specific people, groups, or service principals on a granular level. |
-| [Subscriptions or tenants](./share-gallery-direct.md) | Direct shared gallery lets you share to everyone in a subscription or tenant. |
-| Everyone (described in this article) | Community gallery lets you share your entire gallery publicly, to all Azure users. |
+| Sharing with: | People | Groups | Service Principal | All users in a specific   subscription (or) tenant | Publicly with all users in   Azure |
+|---|---|---|---|---|---|
+| [RBAC Sharing](share-gallery.md) | Yes | Yes | Yes | No | No |
+| RBAC + [Direct shared gallery](./share-gallery-direct.md)  | Yes | Yes | Yes | Yes | No |
+| RBAC + [Community gallery](./share-gallery-community.md) | Yes | Yes | Yes | No | Yes |
 
 ## Limitations for images shared to the community
 
@@ -132,7 +132,7 @@ To delete a gallery shared to community, you must first run `az sig share reset`
 
 Create an [image definition and an image version](image-version.md).
 
-Create a VM from a [generalized](vm-generalized-image-version.md#create-a-vm-from-a-community-gallery-image) or [specialized](vm-specialized-image-version.md#create-a-vm-from-a-community-gallery-image) image in a community gallery.
+Create a VM from a [generalized](vm-generalized-image-version.md#community-gallery) or [specialized](vm-specialized-image-version.md#community-gallery) image in a community gallery.
 
 
 

articles/virtual-machines/share-gallery-community.md

@@ -6,7 +6,7 @@ ms.service: virtual-machines
 ms.subservice: gallery
 ms.topic: how-to
 ms.workload: infrastructure
-ms.date: 07/25/2022
+ms.date: 02/14/2023
 ms.author: saraic
 ms.reviewer: cynthn
 ms.custom: template-how-to , devx-track-azurecli 
@@ -29,11 +29,11 @@ This article covers how to share an Azure Compute Gallery with specific subscrip
 
 There are three main ways to share images in an Azure Compute Gallery, depending on who you want to share with:
 
-| Share with\: | Option |
-|----|----|
-| [Specific people, groups, or service principals](./share-gallery.md) | Role-based access control (RBAC) lets you share resources to specific people, groups, or service principals on a granular level. |
-| [Subscriptions or tenants](explained in this article) | Direct shared gallery lets you share to everyone in a subscription or tenant (all users, service principals and managed identities) |
-| [Everyone](./share-gallery-community.md) | Community gallery lets you share your entire gallery publicly, to all Azure users. |
+| Sharing with: | People | Groups | Service Principal | All users in a specific   subscription (or) tenant | Publicly with all users in   Azure |
+|---|---|---|---|---|---|
+| [RBAC Sharing](share-gallery.md) | Yes | Yes | Yes | No | No |
+| RBAC + [Direct shared gallery](./share-gallery-direct.md)  | Yes | Yes | Yes | Yes | No |
+| RBAC + [Community gallery](./share-gallery-community.md) | Yes | Yes | Yes | No | Yes |
 
 
 ## Limitations
@@ -227,4 +227,4 @@ POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/
 
 ## Next steps
 - Create an [image definition and an image version](image-version.md).
-- Create a VM from a [generalized](vm-generalized-image-version.md#create-a-vm-from-a-gallery-shared-with-your-subscription-or-tenant) or [specialized](vm-specialized-image-version.md#create-a-vm-from-a-gallery-shared-with-your-subscription-or-tenant) image from a direct shared image in the target subscription or tenant.
+- Create a VM from a [generalized](vm-generalized-image-version.md#direct-shared-gallery) or [specialized](vm-specialized-image-version.md#direct-shared-gallery) image from a direct shared image in the target subscription or tenant.

articles/virtual-machines/share-gallery-direct.md

@@ -1,12 +1,12 @@
 ---
 title: Share resources in an Azure Compute Gallery
-description: Learn how to share resources explicitly or to all Azure users using role-based access control or community galleries.
+description: Learn how to share resources explicitly or to all Azure users using role-based access control.
 author: sandeepraichura
 ms.service: virtual-machines
 ms.subservice: gallery
 ms.topic: how-to
 ms.workload: infrastructure
-ms.date: 02/01/2023
+ms.date: 02/14/2023
 ms.author: saraic
 ms.reviewer: cynthn
 ms.custom: template-how-to , devx-track-azurecli 
@@ -27,14 +27,15 @@ We recommend sharing at the Gallery level for the best experience. We don't reco
 
 There are three main ways to share images in an Azure Compute Gallery, depending on who you want to share with:
 
-| Share with\: | Option |
-|----|----|
-| Specific people, groups, or service principals (described in this article) | Role-based access control (RBAC) lets you share resources to specific people, groups, or service principals on a granular level. |
-| Share within your organization or even across tenants using an [app registration](share-using-app-registration.md)| Create an app registration use it to share images within your organization or between tenants. |
-| [Subscriptions or tenants](./share-gallery-direct.md) | A direct shared gallery lets you share to everyone in a subscription or tenant. |
-| [Everyone](./share-gallery-community.md) | Community gallery lets you share your entire gallery publicly, to all Azure users. |
+| Sharing with: | People | Groups | Service Principal | All users in a specific subscription (or) tenant | Publicly with all users in   Azure |
+|---|---|---|---|---|---|
+| RBAC Sharing | Yes | Yes | Yes | No | No |
+| RBAC + [Direct shared gallery](./share-gallery-direct.md)  | Yes | Yes | Yes | Yes | No |
+| RBAC + [Community gallery](./share-gallery-community.md) | Yes | Yes | Yes | No | Yes |
 
 
+You can also create an [App registration](./share-using-app-registration.md) to share images between tenants.
+
 ## Share using RBAC
 
 When you share a gallery using RBAC, you need to provide the `imageID` to anyone creating a VM or scale set from the image. There is no way for the person deploying the VM or scale set to list the images that were shared to them using RBAC.
@@ -96,6 +97,6 @@ New-AzRoleAssignment `
 ## Next steps
 
 - Create an [image definition and an image version](image-version.md).
-- Create a VM from a [generalized](vm-generalized-image-version.md#create-a-vm-from-your-gallery) or [specialized](vm-specialized-image-version.md#create-a-vm-from-your-gallery) private gallery.
+- Create a VM from a [generalized](vm-generalized-image-version.md) or [specialized](vm-specialized-image-version.md) image in a gallery.
 
 

articles/virtual-machines/share-gallery.md

@@ -475,4 +475,4 @@ az sig image-version list-shared \
 ## Next steps
 
 - Create an [image definition and an image version](image-version.md).
-- Create a VM from a [generalized](vm-generalized-image-version.md#create-a-vm-from-a-community-gallery-image) or [specialized](vm-specialized-image-version.md#create-a-vm-from-a-community-gallery-image) image in a direct shared gallery.
+- Create a VM from a [generalized](vm-generalized-image-version.md) or [specialized](vm-specialized-image-version.md) image in an Azure Compute Gallery.