Azure Automation credential asset
An Azure Automation credential asset stores a username/password pair within an Automation account that runbooks and DSC configurations use to authenticate to external systems and resources.
The password value is write-only via ARM and is only retrievable from inside a runbook (Get-AutomationPSCredential); the control plane never returns the secret. The asset still represents a stored service-account identity.
Microsoft.Automation/automationAccounts/credentials/write
Creating or updating a credential asset lets an attacker plant attacker-controlled username/password material that runbooks then authenticate with (persistence), or overwrite existing credentials so that downstream automation runs with poisoned identities (manipulation).
Risks
Scope: HIGH
This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.
Contributed by P0 Security