
An Azure Automation variable asset is a named value stored in an Automation account and consumed by runbooks/DSC; variables can be plaintext or marked encrypted (secure).

Variables commonly hold operational config. When not marked encrypted, they are frequently misused to store connection strings, endpoints, and other sensitive values, which the management-plane read returns in cleartext. Encrypted variable values are NOT returned by the management API.


Microsoft.Automation/automationAccounts/variables/delete

Deletes a variable asset, destroying stored automation config/state that runbooks depend on and potentially breaking the workflows that consume it.

Risks

Scope: HIGH

This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.

Links

  • https://azure.permissions.cloud/iam/Microsoft.Automation
  • https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog