services / Azure / Container registry credential sets

A credential set on an Azure Container Registry stores the configuration used to authenticate to an upstream registry for pull-through cache rules, referencing Key Vault secret URIs for the upstream credentials and binding a (typically user-assigned) managed identity.

Reading exposes auth wiring and the identity binding but not the raw secret values, which are held in Key Vault; writing can repoint authentication and bind an attacker-influenced identity.


Microsoft.​ContainerRegistry/​registries/​credentialSets/​delete

Deleting a credential set removes the authentication configuration that cache rules depend on, breaking upstream pull-through caching as a DoS-like disruption of supporting infrastructure.

Risks

Scope: MEDIUM

This privilege may grant access to confidential data, or its exploit can incur operational cost.

Links

  • https:​/​/​azure.​permissions.​cloud/​iam/​Microsoft.​ContainerRegistry
  • https:​/​/​learn.​microsoft.​com/​en-​us/​azure/​role-​based-​access-​control/​resource-​provider-​operations
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog