Split the usage doc from the overview

Author: yhyakuna

website/content/docs/secrets/key-management/azurekeyvault/index.mdx

@@ -0,0 +1,61 @@
+---
+layout: docs
+page_title: Azure Key Vault - Key Management - Secrets Engines
+description: Key management secrets engine supports lifecycle management of keys in Azure Key Vault instances.
+---
+
+# Azure Key Vault
+
+The key management secrets engine supports lifecycle management of keys in named
+[Azure Key Vault](https://docs.microsoft.com/en-us/azure/key-vault/) instances.
+This is accomplished by configuring a KMS provider resource with the `azurekeyvault`
+provider and other provider-specific parameter values.
+
+The following sections describe how to properly configure the secrets engine to enable
+the functionality.
+
+Refer to the [setup guide](/vault/docs/secrets/key-management/azurekeyvault/setup) for CLI command examples.
+
+## Authentication
+
+You need to configure the key management secrets engine with credentials that have sufficient
+permissions to manage keys in an Azure Key Vault instance. The [credentials](/vault/api-docs/secret/key-management/azurekeyvault#credentials) section of the API documentation describes the authentication parameters. The authentication parameters will be set with the following order
+of precedence:
+
+1. Environment variables
+2. [KMS provider credentials](/vault/api-docs/secret/key-management/azurekeyvault#credentials)
+3. [Managed Service Identity (MSI)](https://docs.microsoft.com/en-us/azure/active-directory/managed-service-identity/overview)
+
+If the client ID or secret are not provided and Vault is running on an Azure VM, Vault will attempt
+to use MSI to access Azure. Note that when MSI is used, the tenant ID must still be explicitly provided by the configuration or environment variable.
+
+An Azure Key Vault [access policy](https://docs.microsoft.com/en-us/azure/key-vault/general/assign-access-policy-portal) determines whether a given service principal, namely an application or user group, can perform certain operations on a Key Vault instance. The service principal associated with the provided credentials must have an access policy on the Key Vault instance with the following minimum key permissions:
+
+- `create`
+- `delete`
+- `get`
+- `import`
+- `update`
+
+<Tip title="Use Terraform">
+
+If you are familiar with Terraform, you can use it to deploy the necessary Azure infrastructure. Refer to the [Terraform example](/vault/docs/secrets/key-management/azurekeyvault/setup#terraform-example) section.
+
+</Tip>
+
+## Key transfer specification
+
+Keys are securely transferred from the secrets engine to Azure key vault instances in accordance
+with the Azure [Bring Your Own Key](https://docs.microsoft.com/en-us/azure/key-vault/keys/byok-specification)
+specification.
+
+## Key purpose compatibility
+
+The following table defines which key [purposes](/vault/api-docs/secret/key-management#purpose) can be used
+for each key type supported by Azure Key Vault KMS.
+
+| Key Type       | Purpose                                                 |
+| -------------- | ------------------------------------------------------- |
+| `rsa-2048`     | [All purposes](/vault/api-docs/secret/key-management#purpose) |
+| `rsa-3072`     | [All purposes](/vault/api-docs/secret/key-management#purpose) |
+| `rsa-4096`     | [All purposes](/vault/api-docs/secret/key-management#purpose) |

website/content/docs/secrets/key-management/azurekeyvault.mdx website/content/docs/secrets/key-management/azurekeyvault/setup.mdx

@@ -1,50 +1,17 @@
 ---
 layout: docs
-page_title: Azure Key Vault - Key Management - Secrets Engines
-description: Azure Key Vault is a supported KMS provider of the Key Management secrets engine.
+page_title: Azure Key Vault setup guide
+description: Configure the key management secrets engine, and distribute the Vault-managed keys to the target Azure Key Vault instance.
 ---
 
-# Azure key Vault
-
-The Key Management secrets engine supports lifecycle management of keys in named
-[Azure Key Vault](https://docs.microsoft.com/en-us/azure/key-vault/) instances.
-This is accomplished by configuring a KMS provider resource with the `azurekeyvault`
-provider and other provider-specific parameter values.
-
-The following sections describe how to properly configure the secrets engine to enable
-the functionality.
-
-## Authentication
-
-You need to configure the Key Management secrets engine with credentials that have sufficient
-permissions to manage keys in an Azure Key Vault instance. The [credentials](/vault/api-docs/secret/key-management/azurekeyvault#credentials) section of the API documentation describes the authentication parameters. The authentication parameters will be set with the following order
-of precedence:
-
-1. Environment variables
-2. [KMS provider credentials](/vault/api-docs/secret/key-management/azurekeyvault#credentials)
-3. [Managed Service Identity (MSI)](https://docs.microsoft.com/en-us/azure/active-directory/managed-service-identity/overview)
-
-If the client ID or secret are not provided and Vault is running on an Azure VM, Vault will attempt
-to use MSI to access Azure. Note that when MSI is used, the tenant ID must still be explicitly provided by the configuration or environment variable.
-
-An Azure Key Vault [access policy](https://docs.microsoft.com/en-us/azure/key-vault/general/assign-access-policy-portal) determines whether a given service principal, namely an application or user group, can perform certain operations on a Key Vault instance. The service principal associated with the provided credentials must have an access policy on the Key Vault instance with the following minimum key permissions:
-
-- `create`
-- `delete`
-- `get`
-- `import`
-- `update`
-
-<Tip title="Use Terraform">
-
-If you are familiar with Terraform, you can use it to deploy the necessary Azure infrastructure. Refer to the [Terraform example](#terraform-example) section.
-
-</Tip>
+# Setup guide - Azure Key Vault
 
+To manage the lifecycle of the Azure Key Vault keys, you need to setup the
+key management secrets engine using `azurekeyvault` provider.
 
 ## Setup
 
-1. Enable the secrets engine.
+1. Enable the key management secrets engine.
 
     ```shell-session
     $ vault secrets enable keymgmt
@@ -64,47 +31,70 @@ If you are familiar with Terraform, you can use it to deploy the necessary Azure
 
     The command specified the following:
 
-    - The full path to this KMS provider instance in Vault (`keymgmt/kms/example-kms`).
-    - A key collection, which corresponds to the name of the key vault instance in Azure.
+    - The full path to this KMS provider instance in Vault
+      (`keymgmt/kms/example-kms`).
+    - A key collection, which corresponds to the name of the key vault instance
+      in Azure.
     - The KMS provider is set to `azurekeyvault`.
-    - Azure client ID credential, that can also be specified with `AZURE_CLIENT_ID` environment variable.
-    - Azure client secret credential, that can also be specified with `AZURE_CLIENT_SECRET `environment variable.
-    - Azure tenant ID credential, that can also be specified with `AZURE_TENANT_ID` environment variable.
+    - Azure client ID credential, that can also be specified with
+      `AZURE_CLIENT_ID` environment variable.
+    - Azure client secret credential, that can also be specified with
+      `AZURE_CLIENT_SECRET `environment variable.
+    - Azure tenant ID credential, that can also be specified with
+      `AZURE_TENANT_ID` environment variable.
 
 <Tip title="API documentation">
 
-Refer to the Azure Key Vault [API documentation](/vault/api-docs/secret/key-management/azurekeyvault) for a detailed description of individual configuration parameters.
+Refer to the Azure Key Vault [API
+documentation](/vault/api-docs/secret/key-management/azurekeyvault) for a
+detailed description of individual configuration parameters.
 
 </Tip>
 
 ## Usage 
 
-1. Write a pair of RSA-2048 keys to the secrets engine. The following command will write a new key of type **rsa-2048** to the path `keymgmt/key/rsa-1`. 
+1. Write a pair of RSA-2048 keys to the secrets engine. The following command
+   will write a new key of type **rsa-2048** to the path `keymgmt/key/rsa-1`. 
 
     ```shell-session
     $ vault write keymgmt/key/rsa-1 type="rsa-2048"
     Success! Data written to: keymgmt/key/rsa-1
     ```
 
-    The Key Management secrets engine currently supports generation of the key types specified in [Key Types](/vault/docs/secrets/key-management#key-types).
+    The key management secrets engine currently supports generation of the key
+    types specified in [Key
+    Types](/vault/docs/secrets/key-management#key-types).
 
-    Based on the [Compatibility](/vault/docs/secrets/key-management#compatibility) section of the documentation, Azure Key Vault currently supports use of RSA-2048, RSA-3072, and RSA-4096 key types.
+    Based on the
+    [Compatibility](/vault/docs/secrets/key-management#compatibility) section of
+    the documentation, Azure Key Vault currently supports use of RSA-2048,
+    RSA-3072, and RSA-4096 key types.
 
-1. Read the **rsa-1** key you created. Use JSON as the output and pipe that into `jq`.
+1. Read the **rsa-1** key you created. Use JSON as the output and pipe that into
+   `jq`.
 
     ```shell-session
     $ vault read -format=json keymgmt/key/rsa-1 | jq
     ```
 
-1. To use the keys you wrote, you must distribute them to the key vault. Distribute the **rsa-1** key to the key vault at the path `keymgmt/kms/example-kms/key/rsa-1`.
+1. To use the keys you wrote, you must distribute them to the key vault.
+   Distribute the **rsa-1** key to the key vault at the path
+   `keymgmt/kms/example-kms/key/rsa-1`.
 
     ```shell-session
     $ vault write keymgmt/kms/example-kms/key/rsa-1 \
         purpose="encrypt,decrypt" \
         protection="hsm"
     ```
 
-    Here you are instructing Vault to distribute the key and specify that its purpose is only to encrypt and decrypt. The protection type is dependent on the cloud provider and the value is either `hsm` or `software`. In the case of Azure, you specify `hsm` for the protection type. The key will be securely delivered to the key vault instance according to the [Azure Bring Your Own Key](https://docs.microsoft.com/en-us/azure/key-vault/keys/byok-specification) (BYOK) specification.
+    Here you are instructing Vault to distribute the key and specify that its
+    purpose is only to encrypt and decrypt. The protection type is dependent on
+    the cloud provider and the value is either `hsm` or `software`. In the case
+    of Azure, you specify `hsm` for the protection type. The key will be
+    securely delivered to the key vault instance according to the [Azure Bring
+    Your Own
+    Key](https://docs.microsoft.com/en-us/azure/key-vault/keys/byok-specification)
+    (BYOK) specification.
 
 1. You can list the keys that have been distributed to the Azure Key Vault instance.
 
@@ -122,44 +112,33 @@ Refer to the Azure Key Vault [API documentation](/vault/api-docs/secret/key-mana
     Success! Data written to: keymgmt/key/rsa-1/rotate
     ```
 
-1. Confirm successful key rotation by reading the key, and getting the value of `.data.latest_version`.
+1. Confirm successful key rotation by reading the key, and getting the value of
+   `.data.latest_version`.
 
     ```shell-session
     $  vault read -format=json keymgmt/key/rsa-1 | jq '.data.latest_version'
     2
     ```
 
-## Key transfer specification
-
-Keys are securely transferred from the secrets engine to Azure key vault instances in accordance
-with the Azure [Bring Your Own Key](https://docs.microsoft.com/en-us/azure/key-vault/keys/byok-specification)
-specification.
-
-## Key purpose compatibility
-
-The following table defines which key [purposes](/vault/api-docs/secret/key-management#purpose) can be used
-for each key type supported by Azure Key Vault KMS.
-
-| Key Type       | Purpose                                                 |
-| -------------- | ------------------------------------------------------- |
-| `rsa-2048`     | [All purposes](/vault/api-docs/secret/key-management#purpose) |
-| `rsa-3072`     | [All purposes](/vault/api-docs/secret/key-management#purpose) |
-| `rsa-4096`     | [All purposes](/vault/api-docs/secret/key-management#purpose) |
-
 ## Azure private link
 
-The secrets engine can be configured to communicate with Azure Key Vault instances
-using [Azure Private Endpoints](https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-overview).
-Follow the guide at [Integrate Key Vault with Azure Private Link](https://docs.microsoft.com/en-us/azure/key-vault/general/private-link-service?tabs=portal)
-to set up a Private Endpoint for your target Key Vault instance in Azure. The Private Endpoint must
-be network reachable by Vault. This means Vault needs to be running in the same virtual network or
-a peered virtual network to properly resolve the Key Vault domain name to the Private Endpoint IP
-address.
-
-The Private Endpoint configuration relies on a correct [Azure Private DNS](https://docs.microsoft.com/en-us/azure/dns/private-dns-overview)
+The secrets engine can be configured to communicate with Azure Key Vault
+instances using [Azure Private
+Endpoints](https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-overview).
+Follow the guide at [Integrate Key Vault with Azure Private
+Link](https://docs.microsoft.com/en-us/azure/key-vault/general/private-link-service?tabs=portal)
+to set up a Private Endpoint for your target Key Vault instance in Azure. The
+Private Endpoint must be network reachable by Vault. This means Vault needs to
+be running in the same virtual network or a peered virtual network to properly
+resolve the Key Vault domain name to the Private Endpoint IP address.
+
+The Private Endpoint configuration relies on a correct [Azure Private
+DNS](https://docs.microsoft.com/en-us/azure/dns/private-dns-overview)
 integration. From the host that Vault is running on, follow the steps in
-[Validate that the private link connection works](https://docs.microsoft.com/en-us/azure/key-vault/general/private-link-service?tabs=portal#validate-that-the-private-link-connection-works)
-to ensure that the Key Vault domain name resolves to the Private Endpoint IP address you've configured.
+[Validate that the private link connection
+works](https://docs.microsoft.com/en-us/azure/key-vault/general/private-link-service?tabs=portal#validate-that-the-private-link-connection-works)
+to ensure that the Key Vault domain name resolves to the Private Endpoint IP
+address you've configured.
 
 ```shell-session
 $ nslookup <keyvault-name>.vault.azure.net
@@ -171,19 +150,20 @@ Aliases:  <keyvault-name>.vault.azure.net
           <keyvault-name>.privatelink.vaultcore.azure.net
 ```
 
-The secrets engine doesn't require special configuration to communicate with a Key Vault instance
-over an Azure Private Endpoint. For example, the given [KMS configuration](/vault/docs/secrets/key-management/azurekeyvault#configuration)
-will result in the secrets engine resolving a Key Vault domain name of `keyvault-name.vault.azure.net`
-to the Private Endpoint IP address. Note that it's possible to change the Key Vault DNS suffix using the
+The secrets engine doesn't require special configuration to communicate with a
+Key Vault instance over an Azure Private Endpoint. For example, the given [KMS
+configuration](/vault/docs/secrets/key-management/azurekeyvault#configuration)
+will result in the secrets engine resolving a Key Vault domain name of
+`keyvault-name.vault.azure.net` to the Private Endpoint IP address. Note that
+it's possible to change the Key Vault DNS suffix using the
 [environment](/vault/api-docs/secret/key-management/azurekeyvault#environment)
 configuration parameter or `AZURE_ENVIRONMENT` environment variable.
 
 
 ## Terraform example 
 
-If you are familiar with [Terraform](/terraform/), you can use it to deploy the necessary Azure infrastructure.
-
-**Example:**
+If you are familiar with [Terraform](/terraform/), you can use it to deploy the
+necessary Azure infrastructure.
 
 ```hcl
 provider "azuread" {
@@ -299,4 +279,3 @@ output "client_secret" {
   value = azuread_service_principal_password.key_vault_sp_pwd.value
 }
 ```
-