Skip to content

Cloud Credentials Field Manual

Azure Container Instances

datadog/cloud-credentials-field-manual

Azure Container Instances

Azure Container Instances is a platform to run serverless containers with hypervisor isolation.

Property	Value
Credentials delivery mechanism	Served through link-local metadata service
Protection type	Header requires hardcoded value
Exploitation primitives	`Query arbitrary URL with arbitrary HTTP header`

Extracting credentials

You can call the metadata service at 169.254.169.254. It requires the Metadata HTTP header to be set to true.

Extracting credentials for a system-assigned managed identity

curl -H "Metadata: true" \
    "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.core.windows.net"

Extracting credentials for a user-assigned managed identity

In this case, you need to know the client ID associated with the user-assigned managed identity. The application needs this value to function, so it should typically be available as an environment variable or in a configuration file.

CLIENT_ID=...

```bash
curl -H "Metadata: true" \
    "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.core.windows.net&client_id=$CLIENT_ID"

Selecting the `resource` parameter to use

The choice of the resource parameter value to use depends on the subsequent APIs you want to try calling. The metadata service returns a JWT with the audience (aud) set to this resource parameter.

Known valid values and their associated API documentation:

Resource URL	Description
`https://management.azure.com/`	Azure REST API (AzureRM)
`https://management.core.windows.net/`	Azure REST API (Azure Classic)
`https://vault.azure.net/`	Azure Key Vault REST API
`https://servicebus.windows.net/`	Service Bus REST API (data plane)
`https://batch.core.windows.net/`	Azure Batch REST API (data plane)
`https://storage.azure.com`	Azure Storage REST API (data plane)
`https://managedhsm.azure.net/`	Azure Managed HSMs REST API
`https://graph.microsoft.com`	Microsoft Graph API
`https://graph.windows.net/`	Azure AD Graph API (deprecated)