services / Azure / Web Apps Functions host function keys
Host-level function keys for a function app: bearer credentials, valid across all functions in the app, that authorize HTTP invocation.
Host-wide invocation credentials; invoking functions runs code under the app's (possibly managed) identity.
Microsoft.Web/sites/host/functionkeys/write
Writing (PUT) a host-level function key sets a known credential valid across the whole app (durable backdoor / persistence), enabling repeated invocation as the app identity (lateral movement); overwriting an existing host key alters or revokes the legitimate credential (manipulation).
Risks
Scope: HIGH
This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.
Contributed by P0 Security
© 2023–present P0 Security and contributors to the IAM Privilege Catalog