Merge pull request #284719 from anthonychu/20240814-aca-kv-certs-updates

[Container Apps] Key Vault certs – remove preview and fix instructions

Author: denrea

articles/container-apps/key-vault-certificates-manage.md

@@ -5,62 +5,23 @@ services: container-apps
 author: craigshoemaker
 ms.service: azure-container-apps
 ms.topic: how-to
-ms.date: 05/09/2024
+ms.date: 08/14/2024
 ms.author: cshoe
 ---
 
-# Import certificates from Azure Key Vault to Azure Container Apps (preview)
+# Import certificates from Azure Key Vault to Azure Container Apps
 
-You can set up Azure Key Vault to manage your container app's certificates to handle updates, renewals, and monitoring. Without Key Vault, you're left managing your certificate manually, which means you can't manage certificates in a central location and can't take advantage of lifecycle automation or notifications.
+You can set up Azure Key Vault to centrally manage your container app's TLS/SSL certificates and handle updates, renewals, and monitoring.
 
 ## Prerequisites
 
-- [Azure Key Vault](/azure/key-vault/general/manage-with-cli2): Create a Key Vault resource.
+An Azure Key Vault resource is required to store your certificate. See [Import a certificate in Azure Key Vault](/azure/key-vault/certificates/tutorial-import-certificate?tabs=azure-portal) or [Configure certificate auto-rotation in Key Vault](/azure/key-vault/certificates/tutorial-rotate-certificates) to create a Key Vault and add a certificate.
 
-- [Azure CLI](/cli/azure/install-azure-cli): You need the Azure CLI updated with the Azure Container Apps extension version `0.3.49` or higher. Use the `az extension add` command to install the latest version.
+## Enable managed identity for Container Apps environment
 
-    ```azurecli
-    az extension add --name containerapp --upgrade --allow-preview`
-    ```
+Azure Container Apps uses an environment level managed identity to access your Key Vault and import your certificate. To enable system-assigned managed identity, follow these steps:
 
-- [Managed identity](./managed-identity.md): Enable managed identity on your Container Apps environment.
-
-## Secret configuration
-
-An [Azure Key Vault](/azure/key-vault/general/manage-with-cli2) instance is required to store your certificate. Make the following updates to your Key Vault instance:
-
-1. Open the [Azure portal](https://portal.azure.com).
-
-1. Go to your Azure Container Apps environment.
-
-1. From *Settings*, select Access control (IAM).
-
-1. From the *Roles* tab, and set yourself as a *Key Vault Administrator*.
-
-1. Go to your certificate's details and copy the value for *Secret Identifier* and paste it into a text editor for use in an upcoming step.
-
-    > [!NOTE]
-    > To retrieve a specific version of the certificate, include the version suffix with the secret identifier. To get the latest version, remove the version suffix from the identifier.
-
-## Enable and configure Key Vault Certificate
-
-1. Open the Azure portal and go to your Key Vault.
-
-1. In the *Objects* section, select **Certificates**.
-
-1. Select the certificate you want to use.
-
-1. In the *Access control (IAM)* section, select **Add role assignment**.
-
-1. Add the roles: **Key Vault Certificates Officer** and **Key Vault Secrets Officer**.
-
-1. Go to your certificate's details and copy the value for **Secret Identifier**.
-
-1. Paste the identifier into a text editor for use in an upcoming step.
-
-## Assign roles for environment-level managed identity
-
-1. Open the [Azure portal](https://portal.azure.com) and find your instance of your Azure Container Apps environment where you want to import a certificate.
+1. Open the [Azure portal](https://portal.azure.com) and find your Azure Container Apps environment where you want to import a certificate.
 
 1. From *Settings*, select **Identity**.
 
@@ -77,46 +38,53 @@ An [Azure Key Vault](/azure/key-vault/general/manage-with-cli2) instance is requ
     | Scope | Select **Key Vault**. |
     | Subscription | Select your Azure subscription. |
     | Resource | Select your vault. |
-    | Role | Select *Key Vault Secrets User**. |
+    | Role | Select **Key Vault Secrets User**. |
 
 1. Select **Save**.
 
 For more detail on RBAC vs. legacy access policies, see [Azure role-based access control (Azure RBAC) vs. access policies](/azure/key-vault/general/rbac-access-policy).
 
-## Import a certificate
+## Import certificate from Key Vault
+
+1. Open the Azure portal and go to your Azure Container Apps environment.
+
+1. From *Settings*, select **Certificates**.
+
+1. Select the **Bring your own certificates (.pfx)** tab.
 
-Once you authorize your container app to read the vault, you can use the `az containerapp env certificate upload` command to import your vault to your Container Apps environment.
+1. Select **Add certificate**.
 
-Before you run the following command, replace the placeholder tokens surrounded by `<>` brackets with your own values.
+1. In the *Add certificate* panel, in *Source*, select **Import from Key Vault**.
+
+1. Select **Select key vault certificate** and select the following values:
+
+    | Property | Value |
+    |--|--|
+    | Subscription | Select your Azure subscription. |
+    | Key vault | Select your vault. |
+    | Certificate | Select your certificate. |
+
+    > [!NOTE]
+    > If you see an error, *"The operation "List" is not enabled in this key vault's access policy."*, you need to configure an access policy in your Key Vault to allow your user account to list certificates. For more information, see [Assign a Key Vault access policy](/azure/key-vault/general/assign-access-policy?tabs=azure-portal).
 
-```azurecli
-az containerapp env certificate upload \
-  --resource-group <RESOURCE_GROUP> \
-  --name <CONTAINER_APP_NAME> \
-  --akv-url <KEY_VAULT_URL> \
-  --certificate-identity <CERTIFICATE_IDENTITY>
-```
+1. Select **Select**.
 
-For more information regarding the command parameters, see the following table.
+1. In the *Add certificate* panel, in *Managed identity*, select **System assigned**. If you're using a user-assigned managed identity, select your user-assigned managed identity.
 
-| Parameter | Description |
-|---|---|
-| `--resource-group` | Your resource group name. |
-| `--name` | Your container app name. |
-| `--akv-url` | The URL for your secret identifier. This URL is the value you set aside in a previous step. |
-| `--certificate-identity` | The ID for your managed identity. This value can either be `system`, or the ID for your user-assigned managed identity. |
+1. Select **Add**.
 
-## Troubleshooting
+> [!NOTE]
+> If you receive an error message, verify that the managed identity is assigned the **Key Vault Secrets User** role on the Key Vault.
 
-If you encounter an error message as you import your certificate, verify your actions using the following steps:
+## Configure a custom domain
 
-- Ensure that permissions are correctly configured for both your certificate and environment-level managed identity.
+After configuring your certificate, you can use it to secure your custom domain. Follow the steps in [Add a custom domain](custom-domains-certificates.md#add-a-custom-domain-and-certificate) and select the certificate you imported from Key Vault.
 
-  - You should assign both *Key Vault Secrets Officer* and *Key Vault Certificates Officer* roles.
+## Rotate certificates
 
-- Make sure that you're using the correct URL for accessing your certificate. You should be using the *Secret Identifier* URL.
+When you rotate your certificate in Key Vault, Azure Container Apps automatically updates the certificate in your environment. It takes up to 12 hours for the new certificate to be applied.
 
 ## Related
 
 > [!div class="nextstepaction"]
-> [Manage secrets](manage-secrets.md)
+> [Certificates in Azure Container Apps](certificates-overview.md)