services / Azure / Web Apps slot Functions host keys

Functions host keys (including the host master key) are app-level bearer credentials that authorize invocation of any function in the app and administrative access to the Functions runtime.

The master/host key is admin-equivalent over the function app; functions invoked with it run under the app's assigned managed identity.


Microsoft.Web/Sites/slots/host/listKeys/action

Listing the host keys returns the actual secret key material (including the master key), yielding usable bearer credentials to invoke any function in the app and run code as the app's managed identity.

Risks

Scope: HIGH

This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.

Links

  • https://azure.permissions.cloud/iam/microsoft.web
  • https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog