update

msmbaldwin · msmbaldwin · commit d9c54971cbc2 · 2024-04-04T21:47:17.000-07:00
diff --git a/includes/key-vault-quickstart-rbac-cli.md b/includes/key-vault-quickstart-rbac-cli.md
@@ -0,0 +1,18 @@
+---
+author: msmbaldwin
+ms.service: key-vault
+ms.topic: include
+ms.date: 04/04/2024
+ms.author: msmbaldwin
+
+# Used by articles that show how to assign a Key Vault access policy
+
+---
+
+To grant your user account permissions to your key vault through Role-Based Access Control (RBAC), assign a role using the Azure CLI command [az role assignment create](/cli/azure/role/assignment#az-role-assignment-create).
+
+```azurecli
+az role assignment create --role "Key Vault Secrets User" --assignee <your-email-address> --scope /subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.KeyVault/vaults/<your-unique-keyvault-name>
+```
+
+Replace <your-email-address>, <subscription-id>, <resource-group-name>, and <your-unique-keyvault-name> with your actual values. <your-email-address> is your sign-in name.
diff --git a/includes/key-vault-quickstart-rbac-powershell.md b/includes/key-vault-quickstart-rbac-powershell.md
@@ -0,0 +1,18 @@
+---
+author: msmbaldwin
+ms.service: key-vault
+ms.topic: include
+ms.date: 04/04/2024
+ms.author: msmbaldwin
+
+# Used by articles that show how to assign a Key Vault access policy
+
+---
+
+To grant your user account permissions to your key vault through Role-Based Access Control (RBAC), assign a role using the Azure CLI command [az role assignment create](/cli/azure/role/assignment#az-role-assignment-create).
+
+```
+New-AzRoleAssignment -RoleDefinitionName "Key Vault Secrets User" -SignInName <your-email-address> -Scope "/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.KeyVault/vaults/<your-unique-keyvault-name>"
+```
+
+Replace <your-email-address>, <subscription-id>, <resource-group-name>, and <your-unique-keyvault-name> with your actual values. <your-email-address> is your sign-in name; you can instead use the `-ObjectId` parameter and a Microsoft Entra Object ID.
diff --git a/includes/key-vault-quickstart-rbac.md b/includes/key-vault-quickstart-rbac.md
@@ -0,0 +1,30 @@
+---
+author: msmbaldwin
+ms.service: key-vault
+ms.topic: include
+ms.date: 04/04/2024
+ms.author: msmbaldwin
+
+# Used by articles that show how to assign a Key Vault access policy
+
+---
+
+### [Azure CLI](#tab/azure-cli)
+
+To grant your application permissions to your key vault through Role-Based Access Control (RBAC), assign a role using the Azure CLI command [az role assignment create](/cli/azure/role/assignment#az-role-assignment-create).
+
+```azurecli
+az role assignment create --role "Key Vault Secrets User" --assignee <app-id> --scope /subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.KeyVault/vaults/<your-unique-keyvault-name>
+```
+
+### [Azure PowerShell](#tab/azure-powershell)
+
+To grant your application permissions to your key vault through Role-Based Access Control (RBAC), assign a role using the Azure PowerShell cmdlet [New-AzRoleAssignment](//powershell/module/az.keyvault/new-azRoleAssignment).
+
+```
+New-AzRoleAssignment -ObjectId <app-id> -RoleDefinitionName "Key Vault Secrets User" -Scope "/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.KeyVault/vaults/<your-unique-keyvault-name>"
+``` 
+
+---
+
+Replace <app-id>, <subscription-id>, <resource-group-name>, and <your-unique-keyvault-name> with your actual values. <app-id> is the Application (client) ID of your registered application in Azure AD.
