Azure: Kubernetes Secrets (AKS data plane)
Kubernetes Secret objects within an AKS managed cluster holding credential material: service-account tokens, passwords, TLS private keys, connection strings, and registry/pull credentials.
Highest-sensitivity in-cluster asset: Secrets directly grant access as the identities they authenticate, and they are consumed across cluster functions.
Permission: Microsoft.ContainerService/managedClusters/secrets/write
Creating/updating Secrets lets an attacker plant or overwrite credentials/tokens that workloads mount and consume, establishing persistence and enabling lateral movement as the identities those secrets authenticate.
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or, if exploited, lead to significant privilege escalation.
Contributed by P0 Security