services / Azure / API Management user subscription keys
The subscription/API access keys (primary and secondary) associated with an API Management developer/user identity. These keys authenticate API calls made as that user.
These are live, reusable credentials; possession grants the user's authenticated access to the published APIs.
Microsoft.ApiManagement/service/users/keys/read
Returns the user's subscription keys (credential material), enabling credential exfiltration and impersonation of that user's authenticated API access.
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or lead to significant privilege escalation if exploited.
Contributed by P0 Security
© 2023–present P0 Security and contributors to the IAM Privilege Catalog