[ACR] RBAC UI updates

Author: dlepow

articles/container-registry/container-registry-content-trust.md

@@ -1,8 +1,9 @@
 ---
 title: Manage signed images
 description: Learn how to enable content trust for your Azure container registry, and push and pull signed images. Content trust implements Docker content trust and is a feature of the Premium service tier.
-ms.topic: article
-ms.date: 09/18/2020
+ms.topic: how-to
+ms.date: 06/25/2021
+ms.custom: subject-rbac-steps
 ---
 # Content trust in Azure Container Registry
 
@@ -74,11 +75,19 @@ Details for granting the `AcrImageSigner` role in the Azure portal and the Azure
 
 ### Azure portal
 
-Navigate to your registry in the Azure portal, then select **Access control (IAM)** > **Add role assignment**. Under **Add role assignment**, select `AcrImageSigner` under **Role**, then **Select** one or more users or service principals, then **Save**.
+1. Select **Access control (IAM)**.
 
-In this example, two entities have been assigned the `AcrImageSigner` role: a service principal named "service-principal", and a user named "Azure User."
+1. Select **Add** > **Add role assignment** to open the Add role assignment page.
 
-![Grant ACR image signing permissions in the Azure portal][content-trust-02-portal]
+1. Assign the following role. In this example, the role is assigned to an individual user. For detailed steps, see [Assign Azure roles using the Azure portal](../role-based-access-control/role-assignments-portal.md).
+    
+    | Setting | Value |
+    | --- | --- |
+    | Role | AcrImageSigner |
+    | Assign access to | User |
+    | Members | Alain |
+
+    ![Add role assignment page in Azure portal.](../../includes/role-based-access-control/media/add-role-assignment-page.png)
 
 ### Azure CLI
 

articles/container-registry/container-registry-customer-managed-keys.md

@@ -2,8 +2,8 @@
 title: Encrypt registry with a customer-managed key
 description: Learn about encryption-at-rest of your Azure container registry, and how to encrypt your Premium registry with a customer-managed key stored in Azure Key Vault
 ms.topic: article
-ms.date: 05/27/2021
-ms.custom:
+ms.date: 06/25/2021
+ms.custom: subject-rbac-steps
 ---
 
 # Encrypt registry using a customer-managed key
@@ -112,15 +112,19 @@ keyvaultID=$(az keyvault show --resource-group <resource-group-name> --name <key
 
 ### Enable key vault access
 
-Configure a policy for the key vault so that the identity can access it. In the following [az keyvault set-policy][az-keyvault-set-policy] command, you pass the principal ID of the managed identity that you created, stored previously in an environment variable. Set key permissions to **get**, **unwrapKey**, and **wrapKey**.  
+#### Enable key vault access policy
+
+One option is to configure a policy for the key vault so that the identity can access it. In the following [az keyvault set-policy][az-keyvault-set-policy] command, you pass the principal ID of the managed identity that you created, stored previously in an environment variable. Set key permissions to **get**, **unwrapKey**, and **wrapKey**.  
 
 ```azurecli
 az keyvault set-policy \
   --resource-group <resource-group-name> \
   --name <key-vault-name> \
   --object-id $identityPrincipalID \
   --key-permissions get unwrapKey wrapKey
+
 ```
+#### Assign RBAC role
 
 Alternatively, use [Azure RBAC for Key Vault](../key-vault/general/rbac-guide.md) to assign permissions to the identity to access the key vault. For example, assign the Key Vault Crypto Service Encryption role to the identity using the [az role assignment create](/cli/azure/role/assignment#az_role_assignment_create) command:
 
@@ -252,7 +256,9 @@ When creating a key vault for a customer-managed key, in the **Basics** tab, ena
 
 ### Enable key vault access
 
-Configure a policy for the key vault so that the identity can access it.
+#### Enable key vault access policy
+
+One option is to configure a policy for the key vault so that the identity can access it.
 
 1. Navigate to your key vault.
 1. Select **Settings** > **Access policies > +Add Access Policy**.
@@ -262,14 +268,11 @@ Configure a policy for the key vault so that the identity can access it.
 
 :::image type="content" source="media/container-registry-customer-managed-keys/add-key-vault-access-policy.png" alt-text="Create key vault access policy":::
 
-Alternatively, use [Azure RBAC for Key Vault](../key-vault/general/rbac-guide.md) to assign permissions to the identity to access the key vault. For example, assign the Key Vault Crypto Service Encryption role to the identity.
+#### Assign RBAC role
 
-1. Navigate to your key vault.
-1. Select **Access control (IAM)** > **+Add** > **Add role assignment**.
-1. In the **Add role assignment** window:
-    1. Select **Key Vault Crypto Service Encryption User** role. 
-    1. Assign access to **User assigned managed identity**.
-    1. Select the resource name of your user-assigned managed identity, and select **Save**.
+Alternatively, assign the Key Vault Crypto Service Encryption User role to the user-assigned managed identity at the key vault scope.
+
+For detailed steps, see [Assign Azure roles using the Azure portal](../role-based-access-control/role-assignments-portal.md).
 
 ### Create key (optional)