Update use-managed-identity.md

CocoWang-wql · web-flow · commit fdac691ec1f1 · 2022-06-01T18:15:16.000+08:00
diff --git a/articles/aks/use-managed-identity.md b/articles/aks/use-managed-identity.md
@@ -2,7 +2,7 @@
 title: Use managed identities in Azure Kubernetes Service
 description: Learn how to use managed identities in Azure Kubernetes Service (AKS)
 ms.topic: article
-ms.date: 01/25/2022
+ms.date: 06/01/2022
 ---
 
 # Use managed identities in Azure Kubernetes Service
@@ -130,16 +130,19 @@ az aks show -g <RGName> -n <ClusterName> --query "identity"
 ```
 
 > [!NOTE]
-> For creating and using your own VNet, static IP address, or attached Azure disk where the resources are outside of the worker node resource group, use the PrincipalID of the cluster System Assigned Managed Identity to perform a role assignment. For more information on role assignment, see [Delegate access to other Azure resources](kubernetes-service-principal.md#delegate-access-to-other-azure-resources).
+> For creating and using your own VNet, static IP address, or attached Azure disk where the resources are outside of the worker node resource group, CLI will perform the role assignement automatically. If you are using ARM template or other platforms, you need to use the PrincipalID of the cluster System Assigned Managed Identity to perform a role assignment. For more information on role assignment, see [Delegate access to other Azure resources](kubernetes-service-principal.md#delegate-access-to-other-azure-resources).
 >
 > Permission grants to cluster Managed Identity used by Azure Cloud provider may take up 60 minutes to populate.
 
 
-## Bring your own control plane MI
+## Bring your own (BYO) control plane MI
 A custom control plane identity enables access to be granted to the existing identity prior to cluster creation. This feature enables scenarios such as using a custom VNET or outboundType of UDR with a pre-created managed identity.
 
 You must have the Azure CLI, version 2.15.1 or later installed.
 
+> [!NOTE]
+> AKS will create a kubelet MI in the Node resource group if you do not BYO kubelet MI. 
+
 ### Limitations
 * USDOD Central, USDOD East, USGov Iowa in Azure Government aren't currently supported.
 
@@ -149,31 +152,6 @@ If you don't have a managed identity yet, you should go ahead and create one for
 az identity create --name myIdentity --resource-group myResourceGroup
 ```
 
-Assign "Managed Identity Operator" role to the identity.
-
-```azurecli-interactive
-az role assignment create --assignee <id> --role "Managed Identity Operator" --scope <id>
-
-
-The result should look like:
-
-```output
-{
-  "canDelegate": null,
-  "condition": null,
-  "conditionVersion": null,
-  "description": null,
-  "id": "/subscriptions/<subscriptionid>/resourcegroups/myResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myIdentity",
-  "name": "myIdentity,
-  "principalId": "<principalId>",
-  "principalType": "ServicePrincipal",
-  "resourceGroup": "myResourceGroup",
-  "roleDefinitionId": "/subscriptions/<subscriptionid>/providers/Microsoft.Authorization/roleDefinitions/<definitionid>",
-  "scope": "<resourceid>",
-  "type": "Microsoft.Authorization/roleAssignments"
-}
-```
-
 If your managed identity is part of your subscription, you can use [az identity CLI command][az-identity-list] to query it.  
 
 ```azurecli-interactive
@@ -211,13 +189,18 @@ A successful cluster creation using your own managed identities contains this us
  },
 ```
 
-## Bring your own kubelet MI
+## Bring your own (BYO) kubelet MI
 
 A Kubelet identity enables access to be granted to the existing identity prior to cluster creation. This feature enables scenarios such as connection to ACR with a pre-created managed identity.
 
 > [!WARNING]
 > Updating kubelet MI will upgrade Nodepool, which causes downtime for your AKS cluster as the nodes in the nodepools will be cordoned/drained and then reimaged.
 
+
+> [!NOTE]
+> For BYO kubelet MI, only CLI integrates role assignment for control plane MI. If you are using ARM template or other platforms, you need to excute `az role assignment create --assignee <id> --role "Managed Identity Operator" --scope <id>` to assign "Managed Identity Operator" role to the identity
+
+
 ### Prerequisites
 
 - You must have the Azure CLI, version 2.26.0 or later installed.
@@ -252,6 +235,7 @@ The result should look like:
 }
 ```
 
+
 If you don't have a kubelet managed identity yet, you should go ahead and create one. The following example uses the [az identity create][az-identity-create] command:
 
 ```azurecli-interactive
