services / Azure / Azure Automation Variable Asset
An Azure Automation variable asset is a named value stored in an Automation account and consumed by runbooks/DSC; variables can be plaintext or marked encrypted (secure).
Variables commonly hold operational config. When not marked encrypted, they are frequently misused to store connection strings, endpoints, and other sensitive values, which a management-plane read returns in cleartext. Encrypted variable values are NOT returned by the management API.
Microsoft.Automation/automationAccounts/variables/write
Creating/updating a variable alters operational values consumed by runbooks, letting an attacker poison config (e.g. redirect endpoints or change parameters) and manipulate automation behavior.
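One way to watch for use of this permission, as an added example that is not part of the original page: the check below filters Azure Activity Log records for succeeded `variables/write` operations made by callers outside an approved set. The sample records, caller names, resource names and the approved list are constructed, and the field names assume the shape of `az monitor activity-log list` output.

```python
# Added example. All records below are constructed, not real tenant data.
WRITE_OP = "microsoft.automation/automationaccounts/variables/write"
_ACCOUNT = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-ops"
            "/providers/Microsoft.Automation/automationAccounts/aa-ops/")

def _event(ts, caller, op, status, child):
    # Build a record carrying only the Activity Log fields this check reads.
    return {"eventTimestamp": ts, "caller": caller, "operationName": {"value": op},
            "status": {"value": status}, "resourceId": _ACCOUNT + child}

_OP = "Microsoft.Automation/automationAccounts/variables/write"
SAMPLE_EVENTS = [
    _event("2024-05-01T09:00:00Z", "ci-deployer@example.com", _OP, "Succeeded", "variables/ApiEndpoint"),
    _event("2024-05-01T23:41:07Z", "contractor@example.com", _OP.upper(), "Started", "variables/ApiEndpoint"),
    _event("2024-05-01T23:41:08Z", "contractor@example.com", _OP.upper(), "Succeeded", "variables/ApiEndpoint"),
    _event("2024-05-02T01:00:00Z", "contractor@example.com", _OP, "Failed", "variables/DbServer"),
    _event("2024-05-02T02:00:00Z", "contractor@example.com",
           "Microsoft.Automation/automationAccounts/runbooks/write", "Succeeded", "runbooks/Nightly"),
]

def _segment(resource_id, key):
    # Return the path segment following `key` (case-insensitive), or "".
    parts = resource_id.strip("/").split("/")
    lowered = [p.lower() for p in parts]
    if key.lower() in lowered:
        i = lowered.index(key.lower())
        if i + 1 < len(parts):
            return parts[i + 1]
    return ""

def variable_writes(events, approved_callers):
    """Succeeded variable writes made by callers outside the approved set."""
    approved = {c.lower() for c in approved_callers}
    findings = []
    for ev in events:
        op = (ev.get("operationName") or {}).get("value", "").lower()
        status = (ev.get("status") or {}).get("value", "")
        # One operation can log several records (e.g. Started, Succeeded); keep Succeeded only.
        if op != WRITE_OP or status != "Succeeded":
            continue
        caller = ev.get("caller", "")
        if caller.lower() in approved:
            continue
        rid = ev.get("resourceId", "")
        findings.append({"time": ev.get("eventTimestamp", ""), "caller": caller,
                         "account": _segment(rid, "automationAccounts"),
                         "variable": _segment(rid, "variables")})
    return findings

if __name__ == "__main__":
    for f in variable_writes(SAMPLE_EVENTS, {"ci-deployer@example.com"}):
        print(f)
```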
Risks
Scope: HIGH
This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.
Contributed by P0 Security