Update use-managed-identity.md

CocoWang-wql · web-flow · commit bb3ce894a61a · 2022-06-01T19:28:24.000+08:00
diff --git a/articles/aks/use-managed-identity.md b/articles/aks/use-managed-identity.md
@@ -17,6 +17,9 @@ You must have the following resource installed:
 
 - The Azure CLI, version 2.23.0 or later
 
+> [!NOTE]
+> AKS will create a kubelet MI in the Node resource group if you do not BYO kubelet MI. 
+
 ## Limitations
 
 * Tenants move / migrate of managed identity enabled clusters isn't supported.
@@ -130,7 +133,7 @@ az aks show -g <RGName> -n <ClusterName> --query "identity"
 ```
 
 > [!NOTE]
-> For creating and using your own VNet, static IP address, or attached Azure disk where the resources are outside of the worker node resource group, CLI will perform the role assignement automatically. If you are using ARM template or other platforms, you need to use the PrincipalID of the cluster System Assigned Managed Identity to perform a role assignment. For more information on role assignment, see [Delegate access to other Azure resources](kubernetes-service-principal.md#delegate-access-to-other-azure-resources).
+> For creating and using your own VNet, static IP address, or attached Azure disk where the resources are outside of the worker node resource group, CLI will add the role assignement automatically. If you are using ARM template or other clients, you need to use the PrincipalID of the cluster System Assigned Managed Identity to perform a role assignment. For more information on role assignment, see [Delegate access to other Azure resources](kubernetes-service-principal.md#delegate-access-to-other-azure-resources).
 >
 > Permission grants to cluster Managed Identity used by Azure Cloud provider may take up 60 minutes to populate.
 
@@ -140,9 +143,6 @@ A custom control plane identity enables access to be granted to the existing ide
 
 You must have the Azure CLI, version 2.15.1 or later installed.
 
-> [!NOTE]
-> AKS will create a kubelet MI in the Node resource group if you do not BYO kubelet MI. 
-
 ### Limitations
 * USDOD Central, USDOD East, USGov Iowa in Azure Government aren't currently supported.
 
@@ -198,8 +198,7 @@ A Kubelet identity enables access to be granted to the existing identity prior t
 
 
 > [!NOTE]
-> For BYO kubelet MI, only CLI integrates role assignment for control plane MI. If you are using ARM template or other platforms, you need to excute `az role assignment create --assignee <id> --role "Managed Identity Operator" --scope <id>` to assign "Managed Identity Operator" role to the identity
-
+> For BYO kubelet MI,Azure CLI will automatically add required role assignment for control plane MI. If you are using ARM template or other clients, you need to create the role assignment manually. It can be done using CLI command 'az role assignment create --assignee <control-plane-identity-object-id> --role "Managed Identity Operator" --scope <kubelet-identity-resource-id>'
 
 ### Prerequisites
 
@@ -266,7 +265,7 @@ az identity list --query "[].{Name:name, Id:id, Location:location}" -o table
 
 ### Create a cluster using kubelet identity
 
-Now you can use the following command to create your cluster with your existing identities. Provide the control plane identity id via `assign-identity` and the kubelet managed identity via `assign-kubelet-identity`:
+Now you can use the following command to create your cluster with your existing identities. Provide the control plane identity resource ID via `assign-identity` and the kubelet managed identity via `assign-kubelet-identity`:
 
 ```azurecli-interactive
 az aks create \
@@ -278,8 +277,8 @@ az aks create \
     --dns-service-ip 10.2.0.10 \
     --service-cidr 10.2.0.0/24 \
     --enable-managed-identity \
-    --assign-identity <identity-id> \
-    --assign-kubelet-identity <kubelet-identity-id>
+    --assign-identity <identity-resource-id> \
+    --assign-kubelet-identity <kubelet-identity-resource-id>
 ```
 
 A successful cluster creation using your own kubelet managed identity contains the following output:
@@ -320,15 +319,15 @@ az upgrade
 ```
 #### Updating your cluster with kubelet identity 
 
-Now you can use the following command to update your cluster with your existing identities. Provide the control plane identity id via `assign-identity` and the kubelet managed identity via `assign-kubelet-identity`:
+Now you can use the following command to update your cluster with your existing identities. Provide the control plane identity resource ID via `assign-identity` and the kubelet managed identity via `assign-kubelet-identity`:
 
 ```azurecli-interactive
 az aks update \
     --resource-group myResourceGroup \
     --name myManagedCluster \
     --enable-managed-identity \
-    --assign-identity <identity-id> \
-    --assign-kubelet-identity <kubelet-identity-id>
+    --assign-identity <identity-resource-id> \
+    --assign-kubelet-identity <kubelet-identity-resource-id>
 ```
 
 A successful cluster update using your own kubelet managed identity contains the following output:
