Merge pull request #230853 from MGoedtel/task55254b

Refresh Workload Identity content

Author: v-stsavell

articles/aks/workload-identity-deploy-cluster.md

@@ -3,7 +3,7 @@ title: Deploy and configure an Azure Kubernetes Service (AKS) cluster with workl
 description: In this Azure Kubernetes Service (AKS) article, you deploy an Azure Kubernetes Service cluster and configure it with an Azure AD workload identity (preview).
 ms.topic: article
 ms.custom: devx-track-azurecli
-ms.date: 01/11/2023
+ms.date: 03/14/2023
 ---
 
 # Deploy and configure workload identity (preview) on an Azure Kubernetes Service (AKS) cluster
@@ -66,7 +66,7 @@ Create an AKS cluster using the [az aks create][az-aks-create] command with the
 ```azurecli-interactive
 az group create --name myResourceGroup --location eastus
 
-az aks create -g myResourceGroup -n myAKSCluster --node-count 1 --enable-oidc-issuer --enable-workload-identity --generate-ssh-keys
+az aks create -g myResourceGroup -n myAKSCluster --enable-oidc-issuer --enable-workload-identity
 ```
 
 After a few minutes, the command completes and returns JSON-formatted information about the cluster.
@@ -80,38 +80,18 @@ To get the OIDC Issuer URL and save it to an environmental variable, run the fol
 export AKS_OIDC_ISSUER="$(az aks show -n myAKSCluster -g myResourceGroup --query "oidcIssuerProfile.issuerUrl" -otsv)"
 ```
 
-## Create a managed identity and grant permissions to access Azure Key Vault
+## Create a managed identity
 
-This step is necessary if you need to access secrets, keys, and certificates that are mounted in Azure Key Vault from a pod. Perform the following steps to configure access with a managed identity. These steps assume you have an Azure Key Vault already created and configured in your subscription. If you don't have one, see [Create an Azure Key Vault using the Azure CLI][create-key-vault-azure-cli].
-
-Before proceeding, you need the following information:
-
-* Name of the Key Vault
-* Resource group holding the Key Vault
+Use the Azure CLI [az account set][az-account-set] command to set a specific subscription to be the current active subscription. Then use the [az identity create][az-identity-create] command to create a managed identity.
 
-You can retrieve this information using the Azure CLI command: [az keyvault list][az-keyvault-list].
-
-1. Use the Azure CLI [az account set][az-account-set] command to set a specific subscription to be the current active subscription. Then use the [az identity create][az-identity-create] command to create a managed identity.
-
-    ```azurecli
-    export SUBSCRIPTION_ID="$(az account show --query id --output tsv)"
-    export USER_ASSIGNED_IDENTITY_NAME="myIdentity"
-    export RG_NAME="myResourceGroup"
-    export LOCATION="eastus"
-
-    az identity create --name "${USER_ASSIGNED_IDENTITY_NAME}" --resource-group "${RG_NAME}" --location "${LOCATION}" --subscription "${SUBSCRIPTION_ID}"
-    ```
-
-2. Set an access policy for the managed identity to access secrets in your Key Vault by running the following commands:
-
-    ```azurecli
-    export RG_NAME="myResourceGroup"
-    export USER_ASSIGNED_IDENTITY_NAME="myIdentity"
-    export KEYVAULT_NAME="myKeyVault"
-    export USER_ASSIGNED_CLIENT_ID="$(az identity show --resource-group "${RG_NAME}" --name "${USER_ASSIGNED_IDENTITY_NAME}" --query 'clientId' -otsv)"
+```azurecli
+export SUBSCRIPTION_ID="$(az account show --query id --output tsv)"
+export USER_ASSIGNED_IDENTITY_NAME="myIdentity"
+export RG_NAME="myResourceGroup"
+export LOCATION="eastus"
 
-    az keyvault set-policy --name "${KEYVAULT_NAME}" --secret-permissions get --spn "${USER_ASSIGNED_CLIENT_ID}"
-    ```
+az identity create --name "${USER_ASSIGNED_IDENTITY_NAME}" --resource-group "${RG_NAME}" --location "${LOCATION}" --subscription "${SUBSCRIPTION_ID}"
+```
 
 ## Create Kubernetes service account
 
@@ -166,6 +146,28 @@ az identity federated-credential create --name myfederatedIdentity --identity-na
 kubectl apply -f <your application>
 ```
 
+## Optional - Grant permissions to access Azure Key Vault
+
+This step is necessary if you need to access secrets, keys, and certificates that are mounted in Azure Key Vault from a pod. Perform the following steps to configure access with a managed identity. These steps assume you have an Azure Key Vault already created and configured in your subscription. If you don't have one, see [Create an Azure Key Vault using the Azure CLI][create-key-vault-azure-cli].
+
+Before proceeding, you need the following information:
+
+* Name of the Key Vault
+* Resource group holding the Key Vault
+
+You can retrieve this information using the Azure CLI command: [az keyvault list][az-keyvault-list].
+
+1. Set an access policy for the managed identity to access secrets in your Key Vault by running the following commands:
+
+    ```azurecli
+    export RG_NAME="myResourceGroup"
+    export USER_ASSIGNED_IDENTITY_NAME="myIdentity"
+    export KEYVAULT_NAME="myKeyVault"
+    export USER_ASSIGNED_CLIENT_ID="$(az identity show --resource-group "${RG_NAME}" --name "${USER_ASSIGNED_IDENTITY_NAME}" --query 'clientId' -otsv)"
+
+    az keyvault set-policy --name "${KEYVAULT_NAME}" --secret-permissions get --spn "${USER_ASSIGNED_CLIENT_ID}"
+    ```
+
 ## Disable workload identity
 
 To disable the Azure AD workload identity on the AKS cluster where it's been enabled and configured, you can run the following command:

articles/aks/workload-identity-migrate-from-pod-identity.md

@@ -1,14 +1,14 @@
 ---
-title: Modernize your Azure Kubernetes Service (AKS) application to use workload identity (preview)
+title: Migrate your Azure Kubernetes Service (AKS) pod to use workload identity (preview)
 description: In this Azure Kubernetes Service (AKS) article, you learn how to configure your Azure Kubernetes Service pod to authenticate with workload identity.
 ms.topic: article
 ms.custom: devx-track-azurecli
-ms.date: 02/08/2023
+ms.date: 03/14/2023
 ---
 
-# Modernize application authentication with workload identity (preview)
+# Migrate from pod managed-identity to workload identity (preview)
 
-This article focuses on pod-managed identity migration to Azure Active Directory (Azure AD) workload identity (preview) for your Azure Kubernetes Service (AKS) cluster. It also provides guidance depending on the version of the [Azure Identity][azure-identity-supported-versions] client library used by your container-based application.
+This article focuses on migrating from a pod-managed identity to Azure Active Directory (Azure AD) workload identity (preview) for your Azure Kubernetes Service (AKS) cluster. It also provides guidance depending on the version of the [Azure Identity][azure-identity-supported-versions] client library used by your container-based application.
 
 [!INCLUDE [preview features callout](./includes/preview/preview-callout.md)]
 
@@ -30,10 +30,10 @@ For either scenario, you need to have the federated trust set up before you upda
 
 If your cluster is already using the latest version of the Azure Identity SDK, perform the following steps to complete the authentication configuration:
 
-- Deploy workload identity in parallel to where the trust is setup. You can restart your application deployment to begin using the workload identity, where it injects the OIDC annotations into the application automatically.
+- Deploy workload identity in parallel with pod-managed identity. You can restart your application deployment to begin using the workload identity, where it injects the OIDC annotations into the application automatically.
 - After verifying the application is able to authenticate successfully, you can [remove the pod-managed identity](#remove-pod-managed-identity) annotations from your application and then remove the pod-managed identity add-on.
 
-## Migrate from older version
+### Migrate from older version
 
 If your cluster isn't using the latest version of the Azure Identity SDK, you have two options:
 
@@ -65,7 +65,7 @@ If you don't have a managed identity created and assigned to your pod, perform t
     export USER_ASSIGNED_CLIENT_ID="$(az identity show --resource-group "resourceGroupName" --name "userAssignedIdentityName" --query 'clientId' -otsv)"
     ```
 
-2. Grant the managed identity the permissions required to access the resources in Azure it requires.
+2. Grant the managed identity the permissions required to access the resources in Azure it requires. For information on how to do this, see [Assign a managed identity access to a resource][assign-rbac-managed-identity].
 
 3. To get the OIDC Issuer URL and save it to an environmental variable, run the following command. Replace the default values for the cluster name and the resource group name.
 
@@ -208,6 +208,7 @@ This article showed you how to set up your pod to authenticate using a workload
 [azure-identity-libraries]: ../active-directory/develop/reference-v2-libraries.md
 [openid-connect-overview]: ../active-directory/develop/v2-protocols-oidc.md
 [install-azure-cli]: /cli/azure/install-azure-cli
+[assign-rbac-managed-identity]: ../active-directory/managed-identities-azure-resources/howto-assign-access-cli.md
 
 <!-- EXTERNAL LINKS -->
 [kubectl-describe]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#describe

articles/aks/workload-identity-overview.md

@@ -2,7 +2,7 @@
 title: Use an Azure AD workload identities (preview) on Azure Kubernetes Service (AKS)
 description: Learn about Azure Active Directory workload identity (preview) for Azure Kubernetes Service (AKS) and how to migrate your application to authenticate using this identity.  
 ms.topic: article
-ms.date: 01/06/2023
+ms.date: 03/14/2023
 
 ---