updates from PM review

craigshoemaker · craigshoemaker · commit e6baec77dd5f · 2024-05-09T12:32:59.000-06:00
diff --git a/articles/container-apps/key-vault-certificates-manage.md b/articles/container-apps/key-vault-certificates-manage.md
@@ -5,7 +5,7 @@ services: container-apps
 author: craigshoemaker
 ms.service: container-apps
 ms.topic: how-to
-ms.date: 05/08/2024
+ms.date: 05/09/2024
 ms.author: cshoe
 ---
 
@@ -58,6 +58,31 @@ An [Azure Key Vault](/azure/key-vault/general/manage-with-cli2) instance is requ
 
 1. Paste the identifier into a text editor for use in an upcoming step.
 
+## Assign roles for environment-level managed identity
+
+1. Open the [Azure portal](https://portal.azure.com) and find your instance of your Azure Container Apps environment where you want to import a certificate.
+
+1. From *Settings*, select **Identity**.
+
+1. On the *System assigned* tab, find the *Status* switch and select **On**.
+
+1. Select **Save**, and when the *Enable system assigned managed identity* window appears, select **Yes**.
+
+1. Under the *Permissions* label, select **Azure role assignments** to open the role assignments window.
+
+1. Select **Add role assignment** and enter the following values:
+
+    | Property | Value |
+    |--|--|
+    | Scope | Select **Key Vault**. |
+    | Subscription | Select your Azure subscription. |
+    | Resource | Select your vault. |
+    | Role | Select *Key Vault Secrets User**. |
+
+1. Select **Save**.
+
+For more detail on RBAC vs. legacy access policies, see [Azure role-based access control (Azure RBAC) vs. access policies](/azure/key-vault/general/rbac-access-policy).
+
 ## Import a certificate
 
 Once you authorize your container app to read the vault, you can use the `az containerapp env certificate upload` command to import your vault to your Container Apps environment.
@@ -68,10 +93,29 @@ Before you run the following command, replace the placeholder tokens surrounded
 az containerapp env certificate upload \
   --resource-group <RESOURCE_GROUP> \
   --name <CONTAINER_APP_NAME> \
-  --akv-url <KEY_VAULT_URL>
+  --akv-url <KEY_VAULT_URL> \
   --certificate-identity <CERTIFICATE_IDENTITY>
 ```
 
+For more information regarding the command parameters, see the following table.
+
+| Parameter | Description |
+|---|---|
+| `--resource-group` | Your resource group name. |
+| `--name` | Your container app name. |
+| `--akv-url` | The URL for your secret identifier. This URL is the value you set aside in a previous step. |
+| `--certificate-identity` | The ID for your managed identity. This value can either be `system`, or the ID for your user-assigned managed identity. |
+
+## Troubleshooting
+
+If you encounter an error message as you import your certificate, verify your actions using the following steps:
+
+- Ensure that permissions are correctly configured for both your certificate and environment-level managed identity.
+
+  - You should assign both *Key Vault Secrets Officer* and *Key Vault Certificates Officer* roles.
+
+- Make sure that you're using the correct URL for accessing your certificate. You should be using the *Secret Identifier* URL.
+
 ## Related
 
 > [!div class="nextstepaction"]
