services / Azure / Web App hostruntime function keys
Function access keys exposed via the Function App host runtime endpoint; despite the /read verb, these are the actual invocation credentials.
These keys authorize function invocation and code execution as the app identity, so the read returns usable secret material.
Microsoft.Web/Sites/hostruntime/functions/keys/read
Returns function keys via the host runtime, exporting credential material that authorizes function invocation and code execution as the app.
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or, if exploited, lead to significant privilege escalation.
Contributed by P0 Security
© 2023–present P0 Security and contributors to the IAM Privilege Catalog