services / Azure / AKS managed cluster access profile (kubeconfig credentials)
An AKS managed cluster access profile for a named role (e.g. clusterAdmin/clusterUser), which embeds the kubeconfig containing client certificate/token credential material for authenticating to the Kubernetes API.
Returns reusable cluster credentials; clusterAdmin yields full cluster-admin control of the Kubernetes control plane, workloads, and in-cluster secrets/identities.
Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action
This listCredential action returns the kubeconfig credential of the cluster access profile for a named role, directly exposing secret material that an attacker can redeem for full authenticated control of the Kubernetes cluster.
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or, if exploited, lead to significant privilege escalation.
Contributed by P0 Security