AKS managed cluster access profile (kubeconfig credentials)
An AKS managed cluster access profile for a named role (e.g. clusterAdmin/clusterUser), which embeds the kubeconfig containing client certificate/token credential material for authenticating to the Kubernetes API.
Returns reusable cluster credentials; clusterAdmin yields full cluster-admin control of the Kubernetes control plane, workloads, and in-cluster secrets/identities.
Microsoft.ContainerService/managedClusters/accessProfiles/read
Getting the access profile by role name returns the embedded kubeconfig credential. This exports reusable certificate/token material that grants direct authenticated Kubernetes API access (often cluster-admin) and enables a pivot into the cluster's workloads and identities.
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploitation could lead to significant privilege escalation.
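To find which role definitions carry this permission, including through wildcards, the following added example (not part of the original entry or P0 Security's code) audits a role list for the action. The role names are constructed, and the JSON shape is assumed to follow `az role definition list -o json`.

```python
import json
import re

TARGET = "Microsoft.ContainerService/managedClusters/accessProfiles/read"

# Constructed sample; shape assumed to match `az role definition list -o json`.
ROLE_DEFINITIONS = json.loads("""
[
  {"roleName": "example-aks-reader", "permissions": [
    {"actions": ["Microsoft.ContainerService/managedClusters/read"], "notActions": []}]},
  {"roleName": "example-aks-operator", "permissions": [
    {"actions": ["Microsoft.ContainerService/managedClusters/*"], "notActions": []}]},
  {"roleName": "example-aks-operator-trimmed", "permissions": [
    {"actions": ["Microsoft.ContainerService/managedClusters/*"],
     "notActions": ["Microsoft.ContainerService/managedClusters/accessProfiles/*"]}]},
  {"roleName": "example-read-everything", "permissions": [
    {"actions": ["*/read"], "notActions": []}]},
  {"roleName": "example-kubeconfig-export", "permissions": [
    {"actions": ["microsoft.containerservice/managedclusters/accessprofiles/read"],
     "notActions": []}]}
]
""")


def pattern_matches(pattern: str, action: str) -> bool:
    """Match an RBAC action pattern: '*' spans any characters, case-insensitively."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None


def grants(role: dict, action: str = TARGET) -> list:
    """Return the action patterns through which the role grants `action` ([] if none)."""
    hits = []
    for block in role.get("permissions", []):
        if any(pattern_matches(p, action) for p in block.get("notActions", [])):
            continue  # notActions subtract from actions within the same block
        hits += [p for p in block.get("actions", []) if pattern_matches(p, action)]
    return hits


def audit(roles: list) -> dict:
    """Map role name -> granting patterns, for roles that include the target action."""
    return {r["roleName"]: g for r in roles if (g := grants(r))}


if __name__ == "__main__":
    for name, patterns in audit(ROLE_DEFINITIONS).items():
        print(f"{name}: grants {TARGET} via {patterns}")
```

Roles flagged only through a broad wildcard such as `*/read` are the ones most easily missed when reviewing who can export cluster kubeconfig credentials.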
Contributed by P0 Security