services / Azure / API Management self-hosted gateways
A self-hosted gateway is a containerized API Management gateway registered with an APIM service instance that proxies and applies policies to API traffic for backend services, deployable outside Azure.
Gateways front a single API surface/function; their keys and tokens are connection credentials, and their configuration can embed backend secrets and named values.
Microsoft.ApiManagement/service/gateways/keys/action
Alias of listKeys that retrieves the gateway keys (credential material), enabling token generation and authentication as the gateway for impersonation and lateral movement.
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or, if exploited, lead to significant privilege escalation.
Contributed by P0 Security