Merge pull request #208452 from aahill/kv-article

key vault article

Author: v-regandowner

articles/cognitive-services/TOC.yml

@@ -81,6 +81,8 @@
       href: ./encryption/cognitive-services-encryption-keys-portal.md
     - name: Use virtual networks
       href: cognitive-services-virtual-networks.md
+    - name: Use Azure key vault
+      href: use-key-vault.md
     - name: Configure data loss prevention
       href: cognitive-services-data-loss-prevention.md
     - name: Security baseline

articles/cognitive-services/authentication.md

@@ -7,7 +7,7 @@ author: PatrickFarley
 manager: nitinme
 ms.service: cognitive-services
 ms.topic: how-to
-ms.date: 07/22/2021
+ms.date: 09/01/2022
 ms.author: pafarley
 ---
 
@@ -177,6 +177,12 @@ curl -X POST 'https://api.cognitive.microsofttranslator.com/translate?api-versio
 
 [!INCLUDE [](../../includes/cognitive-services-azure-active-directory-authentication.md)]
 
+## Use Azure key vault to securely access credentials
+
+You can [use Azure Key Vault](./use-key-vault.md) to securely develop Cognitive Services applications. Key Vault enables you to store your authentication credentials in the cloud, and reduces the chances that secrets may be accidentally leaked, because you won't store security information in your application.
+
+Authentication is done via Azure Active Directory. Authorization may be done via Azure role-based access control (Azure RBAC) or Key Vault access policy. Azure RBAC can be used for both management of the vaults and access data stored in a vault, while key vault access policy can only be used when attempting to access data stored in a vault.
+
 ## See also
 
 * [What is Cognitive Services?](./what-are-cognitive-services.md)

articles/cognitive-services/includes/key-vault-cli-authentication.md

@@ -0,0 +1,64 @@
+---
+title: include file
+description: include file
+services: cognitive-services
+author: aahill
+ms.service: cognitive-services
+ms.topic: include
+ms.date: 08/25/2022
+ms.author: aahi
+ms.manager: nitinme
+ms.custom: include
+---
+
+Before you can grant access to your key vault, you must authenticate with your Azure Active Directory user name and password. 
+
+# [Azure CLI](#tab/azure-cli)
+
+To authenticate with the [Azure CLI](/cli/azure), run the `az login` command. 
+
+```azurecli-interactive
+az login
+```
+
+On systems with a default web browser, the Azure CLI will launch the browser to authenticate. For systems without a default web browser, the `az login` command will use the device code authentication flow. You can also force the Azure CLI to use the device code flow rather than launching a browser by specifying the `--use-device-code` argument.
+
+If you have multiple subscriptions, make sure to [select the Azure subscription](/cli/azure/manage-azure-subscriptions-azure-cli#change-the-active-subscription) that contains your key vault.
+
+# [PowerShell](#tab/powershell)
+
+You can also use [Azure PowerShell](/powershell/azure) to authenticate. Applications using the `DefaultAzureCredential` or the `AzurePowerShellCredential` can then use this account to authenticate calls in their application when running locally.
+
+To authenticate with Azure PowerShell, run the `Connect-AzAccount` command. If you're running on a system with a default web browser and Azure PowerShell `v5.0.0` or later, it will launch the browser to authenticate the user.
+
+For systems without a default web browser, the `Connect-AzAccount` command will use the device code authentication flow. You can also force Azure PowerShell to use the device code flow rather than launching a browser by specifying the `UseDeviceAuthentication` argument.
+
+```powershell
+Connect-AzAccount
+```
+
+If you have multiple subscriptions, make sure to [select the Azure subscription](/powershell/azure/manage-subscriptions-azureps) that contains your key vault.
+
+---
+
+## Grant access to your key vault
+
+Create an access policy for your key vault that grants secret permissions to your user account.
+
+# [Azure CLI](#tab/azure-cli)
+
+To set the access policy, run the [az keyvault set-policy](/cli/azure/keyvault#az-keyvault-set-policy) command. Replace `Your-Key-Vault-Name` with the name of your key vault. Replace `[email protected]` with your Azure Active Directory user name.
+
+```azurecli-interactive
+az keyvault set-policy --name Your-Key-Vault-Name --upn [email protected] --secret-permissions delete get list set purge
+```
+
+# [PowerShell](#tab/powershell)
+
+To set the access policy, run the [Set-AzKeyVaultAccessPolicy](/powershell/module/az.accounts/set-azcontext) command. Replace `Your-Key-Vault-Name` with the name of your key vault. Replace `[email protected]` with your Azure Active Directory user name.
+
+```powershell
+Set-AzKeyVaultAccessPolicy -VaultName 'Your-Key-Vault-Name' -UserPrincipalName '[email protected]' -PermissionsToSecrets delete,get,list,set,purge -PassThru
+```
+
+---