services / Azure / Container registry task runs

The ACR Tasks run records of an Azure Container Registry, representing build/task execution jobs and their properties, status, and logs.

Run records are build-pipeline operational metadata; some run-scoped actions (log SAS URLs) expose credential and log material.


Microsoft.ContainerRegistry/registries/runs/listLogSasUrl/action

Returns a pre-authenticated SAS URL granting out-of-band access to a run's build logs, yielding both credential-bearing token material and log contents that can leak secrets.

Risks

Scope: MEDIUM

This privilege may grant access to confidential data, or its exploitation can incur operational cost.

Links

  • https://azure.permissions.cloud/iam/Microsoft.ContainerRegistry
  • https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog