services / Azure / API Management named values (properties)

Named values (properties) in an Azure API Management service are constant string values referenced across all API configurations and policies; they may be plain or secret-typed.

Secret-typed named values commonly store API keys, connection strings, and backend credentials; control-plane reads mask secret values (a separate listSecrets action returns them).


Microsoft.ApiManagement/service/properties/listSecrets/action

Returns the cleartext secret value of a named value, which commonly holds API keys, connection strings, or backend credentials, enabling credential exfiltration and reuse against the systems those secrets authenticate to.

Risks

Scope: CRITICAL

This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or, if exploited, lead to significant privilege escalation.

Links

  • https://azure.permissions.cloud/iam/Microsoft.ApiManagement
  • https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog