services / Azure / API Management tenant access keys

The API Management tenant access keys (primary/secondary) authenticate direct access to the service's legacy Management REST endpoint and the Git configuration repository, which control the entire APIM service configuration (APIs, policies, named values).

These keys grant broad management-plane access to a single APIM service instance; possession is equivalent to administrative control of the gateway. The /read action exposes the listSecrets path, which returns the live key values.


Microsoft.​ApiManagement/​service/​Tenants/​keys/​read

The control-plane read covers the listSecrets POST, which returns the live primaryKey/secondaryKey values (confirmed by the AccessInformationSecretsContract schema); these credentials let an attacker authenticate to the APIM Management/Git endpoint and move laterally into service administration.

Risks

Scope: CRITICAL

This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.

Links

  • https:​/​/​azure.​permissions.​cloud/​iam/​Microsoft.​ApiManagement
  • https:​/​/​learn.​microsoft.​com/​en-​us/​azure/​role-​based-​access-​control/​resource-​provider-​operations
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog