Azure Web App hostruntime function keys

Function access keys exposed via the Function App host runtime endpoint; despite the /read verb these are the actual invocation credentials.

These keys authorize function invocation and code execution as the app identity, so the read returns usable secret material.

Microsoft.Web/Sites/hostruntime/functions/keys/read

Returns function keys via the host runtime, exporting credential material that authorizes function invocation and code execution as the app.

Risks

Scope: CRITICAL

This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or be exploited to achieve significant privilege escalation.

Links

  • https://azure.permissions.cloud/iam/microsoft.web
  • https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog