Merge pull request #231581 from tejaswikolli-web/17201017

denrea · web-flow · commit b1ca3e9bd1db · 2023-03-30T13:44:35.000-07:00
Identity expiry error
diff --git a/articles/container-registry/tutorial-troubleshoot-customer-managed-keys.md b/articles/container-registry/tutorial-troubleshoot-customer-managed-keys.md
@@ -19,7 +19,7 @@ If you try to remove a user-assigned or system-assigned managed identity that yo
 Azure resource '/subscriptions/xxxx/resourcegroups/myGroup/providers/Microsoft.ContainerRegistry/registries/myRegistry' does not have access to identity 'xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx' Try forcibly adding the identity to the registry <registry name>. For more information on bring your own key, please visit 'https://aka.ms/acr/cmk'.
 ```
  
-You also won't be able to change (rotate) the encryption key. The resolution steps depend on the type of identity that you used for encryption.
+You're unable to change (rotate) the encryption key. The resolution steps depend on the type of identity that you used for encryption.
 
 ### Removing a user-assigned identity
 
@@ -48,9 +48,24 @@ If you enable a key vault firewall or virtual network after creating an encrypte
 
 If the problem persists, contact Azure Support.
 
+## Identity expiry error
+
+The identity attached to a registry is set for autorenewal to avoid expiry. If you disassociate an identity from a registry, an error message occurs explaining to you can't remove the identity in use for CMK. Attempting to remove the identity jeopardizes the autorenewal of identity. The artifact pull/push operations work until the identity expires (Usually three months). After the identity expiration, you'll see the HTTP 403 with an error message "The identity associated with the registry is inactive. This could be due to attempted removal of the identity. Reassign the identity manually". 
+
+You have to reassign the identity back to registry explicitly.
+
+1. Run the [az acr identity assign](/cli/azure/acr/identity/#az-acr-identity-assign) command to reassign the identity manually.
+
+    - For example,
+   
+    ```azurecli-interactive
+    az acr identity assign -n myRegistry \
+    --identities "/subscriptions/mysubscription/resourcegroups/myresourcegroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myidentity"
+    ``` 
+
 ## Accidental deletion of a key vault or key
 
-Deletion of the key vault, or the key, that's used to encrypt a registry with a customer-managed key will make the registry's content inaccessible. If [soft delete](../key-vault/general/soft-delete-overview.md) is enabled in the key vault (the default option), you can recover a deleted vault or key vault object and resume registry operations.
+Deletion of the key vault, or the key, that's used to encrypt a registry with a customer-managed key makes the registry's content inaccessible. If [soft delete](../key-vault/general/soft-delete-overview.md) is enabled in the key vault (the default option), you can recover a deleted vault or key vault object and resume registry operations.
 
 ## Next steps
 
