Azure: Kubernetes Secrets (AKS data plane)
Kubernetes Secret objects within an AKS managed cluster holding credential material: service-account tokens, passwords, TLS private keys, connection strings, and registry/pull credentials.
Highest-sensitivity in-cluster asset; secrets directly grant identity access and are usable across cluster functions.
Permission: Microsoft.ContainerService/managedClusters/secrets/read
Reading Secret objects returns the actual credential material, enabling direct exfiltration of cryptographic and credential data and reuse of those credentials to assume other identities and take over accounts.
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or, if exploited, lead to significant privilege escalation.
Contributed by P0 Security