services / Azure / Web Apps slot Functions host keys
Functions host keys (including the host master key) are app-level bearer credentials that authorize invocation of any function in the app and administrative access to the Functions runtime.
The master/host key is admin-equivalent over the function app; functions invoked with it run under the app's assigned managed identity.
Microsoft.Web/Sites/slots/host/listKeys/action
Listing the host keys returns the actual secret key material (including the master key), yielding usable bearer credentials to invoke any function in the app and run code as the app's managed identity.
Risks
Scope: HIGH
This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.
Links
Contributed by P0 Security
© 2023–present P0 Security and contributors to the IAM Privilege Catalog