A credential set on an Azure Container Registry stores the configuration used to authenticate to an upstream registry for pull-through cache rules, referencing Key Vault secret URIs for the upstream credentials and binding a (typically user-assigned) managed identity.
Reading exposes auth wiring and the identity binding but not the raw secret values, which are held in Key Vault; writing can repoint authentication and bind an attacker-influenced identity.
Microsoft.ContainerRegistry/registries/credentialSets/write
Creating or updating a credential set binds a managed identity and points upstream authentication at attacker-chosen Key Vault secrets, enabling identity-backed lateral access, persistent control over the credential configuration, and manipulation of the registry's pull-through cache pipeline.
Risks
Scope: MEDIUM
This privilege may grant access to confidential data, or exploiting it can incur operational cost.
Contributed by P0 Security