services / Azure / Container registry credential sets

A credential set on an Azure Container Registry stores the configuration used to authenticate to an upstream registry for pull-through cache rules, referencing Key Vault secret URIs for the upstream credentials and binding a (typically user-assigned) managed identity.

Reading exposes auth wiring and the identity binding but not the raw secret values, which are held in Key Vault; writing can repoint authentication and bind an attacker-influenced identity.


Microsoft.ContainerRegistry/registries/credentialSets/write

Creating/updating a credential set binds a managed identity and points upstream authentication at attacker-chosen Key Vault secrets, enabling identity-backed lateral access, persistent control over the credential configuration, and manipulation of the registry's pull pipeline.

Risks

Scope: MEDIUM

This privilege may grant access to confidential data, or its exploit can incur operational cost.

Links

  • https://azure.permissions.cloud/iam/Microsoft.ContainerRegistry
  • https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog