Skip to content

Azure Functions

Azure Functions is a serverless platform.

Property Value
Credentials delivery mechanism Served through link-local metadata service
Protection type Header requires value from environment variable
Exploitation primitives Query arbitrary URL and Read environment variables

Extracting credentials

The Azure Functions runtime injects an environment variable $IDENTITY_HEADER that contains a randomly-generated token. This token needs to be passed in the X-IDENTITY-HEADER HTTP header when calling the metadata service.

The $IDENTITY_ENDPOINT environment variable contains the URL of the metadata service, which should generally be http://169.254.255.2:8081/msi/token.

Extracting credentials for a system-assigned managed identity

curl -H "X-IDENTITY-HEADER: $IDENTITY_HEADER" \
    "$IDENTITY_ENDPOINT?resource=https://management.core.windows.net&api-version=2019-08-01"

Extracting credentials for a user-assigned managed identity

In this case, you need to know the client ID associated with the user-assigned managed identity. The application needs this value to function, so it should typically be available as an environment variable or in a configuration file.

CLIENT_ID=...

curl -H "X-IDENTITY-HEADER: $IDENTITY_HEADER" \
    "$IDENTITY_ENDPOINT?resource=https://management.core.windows.net&api-version=2019-08-01&client_id=$CLIENT_ID"

Selecting the resource parameter to use

The choice of the resource parameter value to use depends on the subsequent APIs you want to try calling. The metadata service returns a JWT with the audience (aud) set to this resource parameter.

Known valid values and their associated API documentation:

Resource URL Description
https://management.azure.com/ Azure REST API (AzureRM)
https://management.core.windows.net/ Azure REST API (Azure Classic)
https://vault.azure.net/ Azure Key Vault REST API
https://servicebus.windows.net/ Service Bus REST API (data plane)
https://batch.core.windows.net/ Azure Batch REST API (data plane)
https://storage.azure.com Azure Storage REST API (data plane)
https://managedhsm.azure.net/ Azure Managed HSMs REST API
https://graph.microsoft.com Microsoft Graph API
https://graph.windows.net/ Azure AD Graph API (deprecated)