MicrosoftDocs
diff --git a/‎articles/azure-netapp-files/media/object-rest-api-access-configure/create-bucket.png‎
-100 KB b/‎articles/azure-netapp-files/media/object-rest-api-access-configure/create-bucket.png‎
-100 KB
diff --git a/‎articles/azure-netapp-files/object-rest-api-access-configure.md‎
Lines changed: 94 additions & 33 deletions b/‎articles/azure-netapp-files/object-rest-api-access-configure.md‎
Lines changed: 94 additions & 33 deletions
@@ -11,7 +11,7 @@ ms.author: anfdocs
 
 # Configure object REST API in Azure NetApp Files (preview)
 
-Azure NetApp Files supports access to S3 objects with the [object REST API](object-rest-api-introduction.md) feature. With the object REST API, you can connect to services such as Azure AI Search, Microsoft Fabric (Foundry), Azure Databricks, OneLake, and other S3‑compatible clients.
+Azure NetApp Files supports access to S3 objects with the [object REST API](object-rest-api-introduction.md) feature. With the object REST API, you can connect to services such as Azure AI Search, Microsoft Fabric, Microsoft Foundry, Azure Databricks, OneLake, and other S3‑compatible clients.
 
 This article describes how to configure object REST API access and walks you through the two supported certificate workflows. Choose the workflow that best matches your security and operational requirements.
 
@@ -26,7 +26,7 @@ Azure NetApp Files supports two mutually exclusive certificate workflows for obj
 1. **Azure Key Vault–based certificates (recommended)**: Certificates are created and stored in Azure Key Vault and the certificate is retrieved directly from Azure Key Vault during bucket creation. 
 1. **Direct certificate upload**: PEM certificates are generated locally and uploaded manually during bucket creation. 
 
->IMPORTANT
+> [!IMPORTANT]
 > The workflow you select determines the certificate format you must generate (PKCS#12 vs PEM), how the certificate is supplied during bucket creation, and how access credentials are generated and retrieved.
 
 You must select one of the following workflows:
@@ -35,6 +35,8 @@ You must select one of the following workflows:
 
 Use this option if you want Azure NetApp Files to read the certificate directly from Azure Key Vault during bucket creation. 
 
+See the [Azure Key Vault documentation for adding a certificate to Key Vault](/key-vault/certificates/quick-create-portal#add-a-certificate-to-key-vault).
+
 When creating the certificate in Azure Key Vault, ensure:
 
 * **Content Type**: PKCS#12 
@@ -43,17 +45,22 @@ When creating the certificate in Azure Key Vault, ensure:
 
 :::image type="content" source="./media/object-rest-api-access-configure/create-certificate.png" alt-text="Screenshot of create certificate options." lightbox="./media/object-rest-api-access-configure/create-certificate.png":::
 
+Once the certificate is successfully created, click on the certificate from the list and review the properties.
+
+* In the Certificate identifier field, note the URI of the certificate “https://<vault_name>.azure.net”
+* Note the name of the certificate 
+
 ### Required Azure Key Vault permissions
 
 To avoid bucket creation failures, ensure that the Azure NetApp Files service has permission to read the certificate from Azure Key Vault. 
 
 At a minimum, the following permissions must be granted:
 
-* Certificates: Get, List
-* Secrets: Get (PKCS#12 certificates are accessed as secrets)
+* Certificates: Get, List, Update, Create, Import, Manage Certificate Authorities, Get Certificate Authorities, List Certificate Authorities, Set Certificate Authorities, Delete Certificate Authorities   
+* Secrets: Get, List, Set, Delete (PKCS#12 certificates are accessed as secrets)
 
->NOTE
->If these permissions are missing, bucket creation fails when Azure NetApp Files attempts to retrieve the certificate.
+> [!NOTE]
+> If these permissions are missing, bucket creation fails when Azure NetApp Files attempts to retrieve the certificate.
 
 
 ### Option 2: Direct certificate upload
@@ -100,7 +107,7 @@ After the certificate is created, you will need to create a bucket.
 
 ## Create a bucket
 
-To enable object REST API, you must create a bucket. 
+To enable object REST API, you must create a bucket on an Azure NetApp Files volume. 
 
 1. From your NetApp volume, select **Buckets**. 
 1. Select **+Create**. 
@@ -132,30 +139,100 @@ To enable object REST API, you must create a bucket.
 
         Select Read or Read-Write. 
 
+    :::image type="content" source="./media/object-rest-api-access-configure/create-bucket.png" alt-text="Screenshot of create a bucket menu." lightbox="./media/object-rest-api-access-configure/create-bucket.png":::
+
+1. Select **Save**. 
+
+    Additional details are needed to create the first bucket on a set of volumes sharing the same IP address.
+    
+    **Certificate management**
+
     * **Fully qualified domain name**
 
         Enter the endpoint FQDN used by clients to access the buckets. 
 
-    :::image type="content" source="./media/object-rest-api-access-configure/create-bucket.png" alt-text="Screenshot of create a bucket menu." lightbox="./media/object-rest-api-access-configure/create-bucket.png":::
+    **Certificate source**
 
-    * **Certificate source**
+    * **Azure Key Vault**
 
-        * **Azure Key Vault**
+        * **Vault URI**
 
             Select the **Vault URL** and **Certificate name** option to use a certificate stored in Azure Key Vault.
-            
-        * **Upload certificate**
 
-            Select the **certificate** option to upload a certificate file directly.               
+        * **Secret name**
+
+            Enter the name of the certificate 
+           
+    * **Upload certificate**
+
+        Select the **certificate** option to upload a certificate file directly.      
+
+        If you haven't provided a certificate, upload the PEM file in the **Certificate source**. 
 
-    * **Credentials storage**
+    **Credentials storage**
+
+    * **Azure Key Vault**
+
+        * **Vault URI**
+
+            Select the name from the drop-down list.
+
+        * **Secret name**
+
+            Enter the name of the certificate. The secret name is user-defined and can be any value.
+            
+    * **Access key**
+
+        Select access key to indicate this bucket will use keys. 
 
-        Displayed in portal or stored in Azure Key Vault.
-  
-1. Select **Create**. 
+        Access keys are generated after the bucket is created and are displayed once in the Azure portal. You must manually copy both these values and store them securely.
+
+1. Select **Save** to validate the configuration.
+
+1. Select **Create** to provision the bucket.
 
 After you create a bucket, you need to generate credentials to access the bucket.
 
+## Generate credentials
+
+The credential generation behavior depends on the credential storage option you selected.
+
+1. Navigate to the newly created bucket. 
+
+1. Select **Generate credentials**.
+
+1. Enter the desired access key lifespan in days and then select **Generate credentials**.
+
+    **Azure Key Vault–based**
+
+    * The credentials are generated and stored securely in Azure Key Vault.
+    * The credentials and are not displayed in the Azure portal. 
+    * You should retrieve the credentials directly from the configured Key Vault.
+
+    After the credential are generated, perform the following:
+
+    1. Ensure that the secret is created in the specified Key Vault.
+    1. Verify the secret:
+
+        1. Navigate to your key vault in the Azure portal.
+        1. Select **Objects** then select **Secrets**.
+        1. Confirm that <secret_name> has been created.
+
+    **Direct certificate upload**
+
+    When using direct certificate upload:
+
+    * The access key and secret access key are displayed once in the Azure portal.
+    * You should copy and store both the values securely. 
+    * The credentials cannot be retrieved again after the initial display.
+
+    **Regenerating credentials**
+
+    After the credentials are set, you can generate new credentials by selecting the three dots (`…`) on the bucket and choosing **Generate credentials**.
+
+    > [!IMPORTANT]
+    > Generating new credentials immediately invalidates existing credentials.
+
 ## Update bucket access
 
 You can modify a bucket's access management settings.
@@ -164,7 +241,6 @@ You can modify a bucket's access management settings.
 * Group ID
 * Permissions
 
-
 1. From your NetApp volume, select **Buckets**.
 1.	Select **+Create**.
 1.	Enter the name of the bucket you want to modify.
@@ -174,21 +250,6 @@ You can modify a bucket's access management settings.
 > [!NOTE]
 > You cannot modify a bucket’s path. To update a bucket’s path, delete and re-create the bucket with the new path.
 
-## Generate credentials
-
-The credential generation behavior depends on the workflow you selected.
-
-### Azure Key Vault–based
-
-The credentials are generated and stored securely in Azure Key Vault and are not displayed in the portal. You should retrieve the credentials directly from the configured Key Vault.
-
-### Direct certificate upload  
-
-The credentials are displayed once in the Azure portal. You should copy and store them securely. The credentials cannot be retrieved again after the initial display.
-
->IMPORTANT
->Generating new credentials immediately invalidates existing credentials.
-
 
 ## Delete a bucket