Merge pull request #207675 from Gordonby/gb-akskms

PRMerger9 · web-flow · commit f0b42fdc3079 · 2022-08-11T05:25:00.000-07:00
AKS KMS Plugin - RBAC enabled Key Vault
diff --git a/articles/aks/use-kms-etcd-encryption.md b/articles/aks/use-kms-etcd-encryption.md
@@ -48,6 +48,8 @@ KMS supports [public key vault][Enable-KMS-with-public-key-vault] and [private k
 > 
 > If you need to recover your Key Vault or key, see the [Azure Key Vault recovery management with soft delete and purge protection](../key-vault/general/key-vault-recovery.md?tabs=azure-cli) documentation.
 
+#### For non-RBAC key vault
+
 Use `az keyvault create` to create a KeyVault.
 
 ```azurecli
@@ -67,6 +69,35 @@ export KEY_ID=$(az keyvault key show --name MyKeyName --vault-name MyKeyVault --
 echo $KEY_ID
 ```
 
+The above example stores the Key ID in *KEY_ID*.
+
+#### For RBAC key vault
+
+Use `az keyvault create` to create a KeyVault using Azure Role Based Access Control.
+
+```azurecli
+export KEYVAULT_RESOURCE_ID=$(az keyvault create --name MyKeyVault --resource-group MyResourceGroup  --enable-rbac-authorization true --query id -o tsv)
+```
+
+Assign yourself permission to create a key.
+
+```azurecli-interactive
+az role assignment create --role "Key Vault Crypto Officer" --assignee-object-id $(az ad signed-in-user show --query id --out tsv) --assignee-principal-type "User" --scope $KEYVAULT_RESOURCE_ID
+```
+
+Use `az keyvault key create` to create a key.
+
+```azurecli
+az keyvault key create --name MyKeyName --vault-name MyKeyVault
+```
+
+Use `az keyvault key show` to export the Key ID.
+
+```azurecli
+export KEY_ID=$(az keyvault key show --name MyKeyName --vault-name MyKeyVault --query 'key.kid' -o tsv)
+echo $KEY_ID
+```
+
 The above example stores the Key ID in *KEY_ID*.
  
 ### Create a user-assigned managed identity
@@ -107,7 +138,7 @@ az keyvault set-policy -n MyKeyVault --key-permissions decrypt encrypt --object-
 
 #### For RBAC key vault
 
-If your key vault is enabled with `--enable-rbac-authorization`, you need to assign the "Key Vault Administrator" RBAC role which has decrypt, encrypt permission. 
+If your key vault is enabled with `--enable-rbac-authorization`, you need to assign the "Key Vault Crypto User" RBAC role which has decrypt, encrypt permission. 
 
 ```azurecli-interactive
 az role assignment create --role "Key Vault Crypto User" --assignee-object-id $IDENTITY_OBJECT_ID --assignee-principal-type "ServicePrincipal" --scope $KEYVAULT_RESOURCE_ID
