Merge pull request #271282 from msmbaldwin/akv-misc

Updating RBAC articles

Author: American-Dipper

articles/key-vault/certificates/quick-create-java.md

@@ -119,11 +119,7 @@ Open the *pom.xml* file in your text editor. Add the following dependency elemen
 
 #### Grant access to your key vault
 
-Create an access policy for your key vault that grants certificate permissions to your user account.
-
-```azurecli
-az keyvault set-policy --name <your-key-vault-name> --upn [email protected] --certificate-permissions delete get list create purge
-```
+[!INCLUDE [Using RBAC to provide access to a key vault](../../../includes/key-vault-quickstart-rbac.md)]
 
 #### Set environment variables
 

articles/key-vault/certificates/quick-create-net.md

@@ -51,13 +51,9 @@ This quickstart is using Azure Identity library with Azure CLI to authenticate u
 
 2. Sign in with your account credentials in the browser.
 
-#### Grant access to your key vault
+### Grant access to your key vault
 
-Create an access policy for your key vault that grants certificate permissions to your user account
-
-```azurecli
-az keyvault set-policy --name <your-key-vault-name> --upn [email protected] --certificate-permissions delete get list create purge
-```
+[!INCLUDE [Using RBAC to provide access to a key vault](../../../includes/key-vault-quickstart-rbac.md)]
 
 ### Create new .NET console app
 

articles/key-vault/certificates/quick-create-node.md

@@ -66,10 +66,8 @@ Create a Node.js application that uses your key vault.
     npm init -y
     ```
 
-
 ## Install Key Vault packages
 
-
 1. Using the terminal, install the Azure Key Vault secrets library, [@azure/keyvault-certificates](https://www.npmjs.com/package/@azure/keyvault-certificates) for Node.js.
 
     ```terminal
@@ -84,11 +82,7 @@ Create a Node.js application that uses your key vault.
 
 ## Grant access to your key vault
 
-Create a vault access policy for your key vault that grants key permissions to your user account.
-
-```azurecli
-az keyvault set-policy --name <YourKeyVaultName> --upn [email protected] --certificate-permissions delete get list create purge update
-```
+[!INCLUDE [Using RBAC to provide access to a key vault](../../../includes/key-vault-quickstart-rbac.md)]
 
 ## Set environment variables
 

articles/key-vault/certificates/quick-create-powershell.md

@@ -13,7 +13,7 @@ ms.author: mbaldwin
 ---
 # Quickstart: Set and retrieve a certificate from Azure Key Vault using Azure PowerShell
 
-In this quickstart, you create a key vault in Azure Key Vault with Azure PowerShell. Azure Key Vault is a cloud service that works as a secure secrets store. You can securely store keys, passwords, certificates, and other secrets. For more information on Key Vault you may review the [Overview](../general/overview.md). Azure PowerShell is used to create and manage Azure resources using commands or scripts. Once that you have completed that, you will store a certificate.
+In this quickstart, you create a key vault in Azure Key Vault with Azure PowerShell. Azure Key Vault is a cloud service that works as a secure secrets store. You can securely store keys, passwords, certificates, and other secrets. For more information on Key Vault, review the [Overview](../general/overview.md). Azure PowerShell is used to create and manage Azure resources using commands or scripts. Afterwards, you store a certificate.
 
 If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.
 
@@ -34,11 +34,15 @@ Connect-AzAccount
 
 [!INCLUDE [Create a key vault](../../../includes/key-vault-powershell-kv-creation.md)]
 
+### Grant access to your key vault
+
+[!INCLUDE [Using RBAC to provide access to a key vault](../../../includes/key-vault-quickstart-rbac-powershell.md)]
+
 ## Add a certificate to Key Vault
 
-To add a certificate to the vault, you just need to take a couple of additional steps. This certificate could be used by an application. 
+To can now add a certificate to the vault. This certificate could be used by an application.
 
-Type the commands below to create a self-signed certificate with policy called **ExampleCertificate** :
+Use these commands to create a self-signed certificate with policy called **ExampleCertificate** :
 
 ```azurepowershell-interactive
 $Policy = New-AzKeyVaultCertificatePolicy -SecretContentType "application/x-pkcs12" -SubjectName "CN=contoso.com" -IssuerName "Self" -ValidityInMonths 6 -ReuseKeyOnRenewal
@@ -54,8 +58,6 @@ To view previously stored certificate:
 Get-AzKeyVaultCertificate -VaultName "<your-unique-keyvault-name>" -Name "ExampleCertificate"
 ```
 
-Now, you have created a Key Vault, stored a certificate, and retrieved it.
-
 **Troubleshooting**:
 
 Operation returned an invalid status code 'Forbidden'
@@ -74,7 +76,7 @@ Set-AzKeyVaultAccessPolicy -VaultName <KeyVaultName> -ObjectId <AzureObjectID> -
 
 ## Next steps
 
-In this quickstart you created a Key Vault and stored a certificate in it. To learn more about Key Vault and how to integrate it with your applications, continue on to the articles below.
+In this quickstart, you created a Key Vault and stored a certificate in it. To learn more about Key Vault and how to integrate it with your applications, continue on to the articles below.
 
 - Read an [Overview of Azure Key Vault](../general/overview.md)
 - See the reference for the [Azure PowerShell Key Vault cmdlets](/powershell/module/az.keyvault/)

articles/key-vault/certificates/quick-create-python.md

@@ -90,21 +90,7 @@ This quickstart uses the Azure Identity library with Azure CLI or Azure PowerShe
 
 ### Grant access to your key vault
 
-Create an access policy for your key vault that grants certificate permission to your user account
-
-### [Azure CLI](#tab/azure-cli)
-
-```azurecli
-az keyvault set-policy --name <your-unique-keyvault-name> --upn [email protected] --certificate-permissions delete get list create
-```
-
-### [Azure PowerShell](#tab/azure-powershell)
-
-```azurepowershell
-Set-AzKeyVaultAccessPolicy -VaultName "<your-unique-keyvault-name>" -UserPrincipalName "[email protected]" -PermissionsToCertificates delete,get,list,create
-```
-
----
+[!INCLUDE [Using RBAC to provide access to a key vault](../../../includes/key-vault-quickstart-rbac.md)]
 
 ## Create the sample code
 

articles/key-vault/general/rbac-guide.md

@@ -6,10 +6,11 @@ author: msmbaldwin
 ms.service: key-vault
 ms.subservice: general
 ms.topic: how-to
-ms.date: 01/30/2024
+ms.date: 04/04/2024
 ms.author: mbaldwin
-ms.custom: "devx-track-azurepowershell, devx-track-azurecli"
+
 ---
+
 # Provide access to Key Vault keys, certificates, and secrets with an Azure role-based access control
 
 > [!NOTE]
@@ -81,11 +82,11 @@ To add role assignments, you must have `Microsoft.Authorization/roleAssignments/
 > [!NOTE]
 > Changing permission model requires 'Microsoft.Authorization/roleAssignments/write' permission, which is part of [Owner](../../role-based-access-control/built-in-roles.md#owner) and [User Access Administrator](../../role-based-access-control/built-in-roles.md#user-access-administrator) roles. Classic subscription administrator roles like 'Service Administrator' and 'Co-Administrator' are not supported.
 
-1.  Enable Azure RBAC permissions on new key vault:
+1. Enable Azure RBAC permissions on new key vault:
 
     ![Enable Azure RBAC permissions - new vault](../media/rbac/new-vault.png)
 
-2.  Enable Azure RBAC permissions on existing key vault:
+1. Enable Azure RBAC permissions on existing key vault:
 
     ![Enable Azure RBAC permissions - existing vault](../media/rbac/existing-vault.png)
 
@@ -97,9 +98,10 @@ To add role assignments, you must have `Microsoft.Authorization/roleAssignments/
 > [!Note]
 > It's recommended to use the unique role ID instead of the role name in scripts. Therefore, if a role is renamed, your scripts would continue to work. In this document role name is used only for readability.
 
-Run the following command to create a role assignment:
-
 # [Azure CLI](#tab/azure-cli)
+
+To create a role assignment using the Azure CLI, use the [az role assignment](/cli/azure/role/assignment) command:
+
 ```azurecli
 az role assignment create --role <role_name_or_id> --assignee <assignee> --scope <scope>
 ```
@@ -108,6 +110,8 @@ For full details, see [Assign Azure roles using Azure CLI](../../role-based-acce
 
 # [Azure PowerShell](#tab/azurepowershell)
 
+To create a role assignment using Azure PowerShell, use the [New-AzRoleAssignment](/powershell/module/az.resources/new-azroleassignment) cmdlet:
+
 ```azurepowershell
 #Assign by User Principal Name
 New-AzRoleAssignment -RoleDefinitionName <role_name> -SignInName <assignee_upn> -Scope <scope>
@@ -118,12 +122,16 @@ New-AzRoleAssignment -RoleDefinitionName Reader -ApplicationId <applicationId> -
 
 For full details, see [Assign Azure roles using Azure PowerShell](../../role-based-access-control/role-assignments-powershell.md).
 
----
+# [Azure portal](#tab/azure-portal)
 
 To assign roles using the Azure portal, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md).  In the Azure portal, the Azure role assignments screen is available for all resources on the Access control (IAM) tab.
 
+---
+
 ### Resource group scope role assignment
 
+# [Azure portal](#tab/azure-portal)
+
 1. Go to the Resource Group that contains your key vault.
 
     ![Role assignment - resource group](../media/rbac/image-4.png)
@@ -142,7 +150,6 @@ To assign roles using the Azure portal, see [Assign Azure roles using the Azure
 
     ![Add role assignment page in Azure portal.](../../../includes/role-based-access-control/media/add-role-assignment-page.png)
 
-
 # [Azure CLI](#tab/azure-cli)
 ```azurecli
 az role assignment create --role "Key Vault Reader" --assignee {i.e [email protected]} --scope /subscriptions/{subscriptionid}/resourcegroups/{resource-group-name}
@@ -167,6 +174,8 @@ Above role assignment provides ability to list key vault objects in key vault.
 
 ### Key Vault scope role assignment
 
+# [Azure portal](#tab/azure-portal)
+
 1. Go to Key Vault \> Access control (IAM) tab
 1. Select **Add** > **Add role assignment** to open the Add role assignment page.
 
@@ -180,7 +189,6 @@ Above role assignment provides ability to list key vault objects in key vault.
 
     ![Add role assignment page in Azure portal.](../../../includes/role-based-access-control/media/add-role-assignment-page.png)
 
-
 # [Azure CLI](#tab/azure-cli)
 ```azurecli
 az role assignment create --role "Key Vault Secrets Officer" --assignee {i.e [email protected]} --scope /subscriptions/{subscriptionid}/resourcegroups/{resource-group-name}/providers/Microsoft.KeyVault/vaults/{key-vault-name}
@@ -207,6 +215,8 @@ For full details, see [Assign Azure roles using Azure PowerShell](../../role-bas
 > [!NOTE]
 > Key vault secret, certificate, key scope role assignments should only be used for limited scenarios described [here](rbac-guide.md?i#best-practices-for-individual-keys-secrets-and-certificates-role-assignments) to comply with security best practices.
 
+# [Azure portal](#tab/azure-portal)
+
 1. Open a previously created secret.
 
 1. Click the Access control(IAM) tab
@@ -225,8 +235,8 @@ For full details, see [Assign Azure roles using Azure PowerShell](../../role-bas
 
     ![Add role assignment page in Azure portal.](../../../includes/role-based-access-control/media/add-role-assignment-page.png)
 
-
 # [Azure CLI](#tab/azure-cli)
+
 ```azurecli
 az role assignment create --role "Key Vault Secrets Officer" --assignee {i.e [email protected]} --scope /subscriptions/{subscriptionid}/resourcegroups/{resource-group-name}/providers/Microsoft.KeyVault/vaults/{key-vault-name}/secrets/RBACSecret
 ```
@@ -285,11 +295,12 @@ For full details, see [Assign Azure roles using Azure PowerShell](../../role-bas
 
       ![Secret tab - error](../media/rbac/image-13.png)
 
-### Creating custom roles 
+### Creating custom roles
 
 [az role definition create command](/cli/azure/role/definition#az-role-definition-create)
 
 # [Azure CLI](#tab/azure-cli)
+
 ```azurecli
 az role definition create --role-definition '{ \
    "Name": "Backup Keys Operator", \
@@ -306,6 +317,7 @@ az role definition create --role-definition '{ \
     "AssignableScopes": ["/subscriptions/{subscriptionId}"] \
 }'
 ```
+
 # [Azure PowerShell](#tab/azurepowershell)
 
 ```azurepowershell
@@ -330,13 +342,18 @@ $roleDefinition | Out-File role.json
 
 New-AzRoleDefinition -InputFile role.json
 ```
+
+# [Azure portal](#tab/azure-portal)
+
+See [Create or update Azure custom roles using the Azure portal](../../role-based-access-control/custom-roles-portal.md).
+
 ---
 
 For more Information about how to create custom roles, see:
 
 [Azure custom roles](../../role-based-access-control/custom-roles.md)
 
-## Frequently Asked Questions:
+## Frequently Asked Questions
 
 ### Can I use Key Vault role-based access control (RBAC) permission model object-scope assignments to provide isolation for application teams within Key Vault?
 No. RBAC permission model allows you to assign access to individual objects in Key Vault to user or application, but any administrative operations like network access control, monitoring, and objects management require vault level permissions, which will then expose secure information to operators across application teams.

articles/key-vault/keys/quick-create-java.md

@@ -115,11 +115,7 @@ Open the *pom.xml* file in your text editor. Add the following dependency elemen
 
 #### Grant access to your key vault
 
-Create an access policy for your key vault that grants key permissions to your user account.
-
-```azurecli
-az keyvault set-policy --name <your-key-vault-name> --upn [email protected] --key-permissions delete get list create purge
-```
+[!INCLUDE [Using RBAC to provide access to a key vault](../../../includes/key-vault-quickstart-rbac.md)]
 
 #### Set environment variables
 

articles/key-vault/keys/quick-create-net.md

@@ -53,11 +53,7 @@ This quickstart is using Azure Identity library with Azure CLI to authenticate u
 
 #### Grant access to your key vault
 
-Create an access policy for your key vault that grants key permissions to your user account
-
-```azurecli
-az keyvault set-policy --name <your-key-vault-name> --upn [email protected] --key-permissions delete get list create purge
-```
+[!INCLUDE [Using RBAC to provide access to a key vault](../../../includes/key-vault-quickstart-rbac.md)]
 
 ### Create new .NET console app
 

articles/key-vault/keys/quick-create-node.md

@@ -83,11 +83,7 @@ Create a Node.js application that uses your key vault.
 
 ## Grant access to your key vault
 
-Create an access policy for your key vault that grants key permissions to your user account
-
-```azurecli
-az keyvault set-policy --name <YourKeyVaultName> --upn [email protected] --key-permissions delete get list create update purge
-```
+[!INCLUDE [Using RBAC to provide access to a key vault](../../../includes/key-vault-quickstart-rbac.md)]
 
 ## Set environment variables
 

articles/key-vault/keys/quick-create-python.md

@@ -90,21 +90,7 @@ This quickstart is using the Azure Identity library with Azure CLI or Azure Powe
 
 ### Grant access to your key vault
 
-Create an access policy for your key vault that grants key permission to your user account.
-
-### [Azure CLI](#tab/azure-cli)
-
-```azurecli
-az keyvault set-policy --name <your-unique-keyvault-name> --upn [email protected] --key-permissions get list create delete
-```
-
-### [Azure PowerShell](#tab/azure-powershell)
-
-```azurepowershell
-Set-AzKeyVaultAccessPolicy -VaultName "<your-unique-keyvault-name>" -UserPrincipalName "[email protected]" -PermissionsToKeys get,list,create,delete
-```
-
----
+[!INCLUDE [Using RBAC to provide access to a key vault](../../../includes/key-vault-quickstart-rbac.md)]
 
 ## Create the sample code
 
@@ -152,8 +138,7 @@ Make sure the code in the previous section is in a file named *kv_keys.py*. Then
 python kv_keys.py
 ```
 
-- If you encounter permissions errors, make sure you ran the [`az keyvault set-policy` or `Set-AzKeyVaultAccessPolicy` command](#grant-access-to-your-key-vault).
-- Rerunning the code with the same key name may produce the error, "(Conflict) Key \<name\> is currently in a deleted but recoverable state." Use a different key name.
+Rerunning the code with the same key name may produce the error, "(Conflict) Key \<name\> is currently in a deleted but recoverable state." Use a different key name.
 
 ## Code details
 
@@ -233,6 +218,6 @@ Remove-AzResourceGroup -Name myResourceGroup
 
 - [Overview of Azure Key Vault](../general/overview.md)
 - [Secure access to a key vault](../general/security-features.md)
+- [RBAC Guide](../general/rbac-guide.md)
 - [Azure Key Vault developer's guide](../general/developers-guide.md)
-- [Key Vault security overview](../general/security-features.md)
 - [Authenticate with Key Vault](../general/authentication.md)