Common Misconfiguration

Exposed Azure service principal credentials and storage keys can compromise your entire Azure subscription.

Vulnerable Example

// VULNERABLE - Hardcoded Azure credentials
const { DefaultAzureCredential, ClientSecretCredential } = require("@azure/identity");
const { SecretClient } = require("@azure/keyvault-secrets");

// Never hardcode these!
const TENANT_ID = "72f988bf-86f1-41af-91ab-2d7cd011eb47";
const CLIENT_ID = "ad7e1c3a-c8ae-4bc5-b461-f495c6c5b1a2";
const CLIENT_SECRET = "8Q~.vR3fakeSecretHereXAMPLE123456";

// Hardcoded storage account key
const STORAGE_CONNECTION_STRING = "DefaultEndpointsProtocol=https;AccountName=mystorageaccount;AccountKey=lJzRc1YdHaAA2KCNJJ1tkYwF/+mKK6Ygw0JQV4f9WhvYgPxCPKH8SOQPSXQJmYL5xYFsx2cXtwFakeKey==;EndpointSuffix=core.windows.net";

// Hardcoded CosmosDB key
const cosmosConfig = {
    endpoint: "https://myaccount.documents.azure.com:443/",
    key: "C0sm0sDBFakeKeyHereXAMPLEKEY123456789==",
    database: "production"
};

const credential = new ClientSecretCredential(TENANT_ID, CLIENT_ID, CLIENT_SECRET);

Secure Example

// SECURE - Using managed identity and Key Vault
const { DefaultAzureCredential } = require("@azure/identity");
const { SecretClient } = require("@azure/keyvault-secrets");

// Use managed identity (no credentials needed)
const credential = new DefaultAzureCredential();

// Retrieve secrets from Key Vault
const keyVaultUrl = process.env.KEY_VAULT_URL;
const secretClient = new SecretClient(keyVaultUrl, credential);

async function getStorageConnectionString() {
    const secret = await secretClient.getSecret("storage-connection-string");
    return secret.value;
}

async function getCosmosDBConfig() {
    const endpoint = process.env.COSMOS_ENDPOINT;
    const keySecret = await secretClient.getSecret("cosmos-key");
    
    return {
        endpoint: endpoint,
        key: keySecret.value,
        database: process.env.DATABASE_NAME
    };
}

// Use environment variables for non-sensitive config
const config = {
    tenantId: process.env.AZURE_TENANT_ID,
    subscriptionId: process.env.AZURE_SUBSCRIPTION_ID
};

Detection Patterns

  • Azure Client Secret: [A-Za-z0-9~._-]{30,}
  • Storage Account Key: [A-Za-z0-9+/]{86}==
  • CosmosDB Key: [A-Za-z0-9+/]{86}==
  • Connection String (Storage): DefaultEndpointsProtocol=https;AccountName=[a-zA-Z0-9]+;AccountKey=[A-Za-z0-9+/]{86}==
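Added example, not code from the original page: a small Node.js scanner that runs the detection patterns above over source text line by line and reports redacted findings. It assumes the bare client-secret pattern is only reported when the value is assigned to a secret-like variable name (a choice of this example, since that pattern alone matches any long token); the sample source and FAKE_KEY are constructed for the demo.

```javascript
// Added example (not from the original page): applies this page's detection
// patterns to source text line by line and reports redacted findings.
// Assumes Node.js; the sample source and FAKE_KEY are constructed for the demo.
const AZURE_SECRET_PATTERNS = [
  { // Capture group 1 is the key so the report can redact just the secret.
    type: "Azure Storage connection string",
    re: /DefaultEndpointsProtocol=https;AccountName=[a-zA-Z0-9]+;AccountKey=([A-Za-z0-9+\/]{86}==)/g },
  { // 86 base64 chars + "==" is the shape of both Storage and CosmosDB keys.
    type: "Azure Storage / CosmosDB key",
    re: /([A-Za-z0-9+\/]{86}==)/g },
  { // The bare client-secret pattern matches any long token, so this example
    // (an assumption, not the page's rule) also requires a secret-like name.
    type: "Azure client secret",
    re: /client_?secret\s*[:=]\s*["']([A-Za-z0-9~._-]{30,})["']/gi },
];

// Show enough of the value to triage a finding without re-exposing it.
function redact(value) {
  return value.slice(0, 4) + "..." + value.slice(-2);
}

function scanForAzureSecrets(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, idx) => {
    const seen = new Set();
    for (const { type, re } of AZURE_SECRET_PATTERNS) {
      re.lastIndex = 0; // global regexes keep state between exec() calls
      let m;
      while ((m = re.exec(line)) !== null) {
        const value = m[1];
        // The bare key pattern re-matches the key inside a connection string;
        // report each distinct secret on a line once.
        if (seen.has(value)) continue;
        seen.add(value);
        findings.push({ line: idx + 1, type, preview: redact(value) });
      }
    }
  });
  return findings;
}

const FAKE_KEY = "A".repeat(86) + "=="; // constructed: right shape, not a real key
const SAMPLE_SOURCE = [
  'const CLIENT_SECRET = "8Q~.vR3fakeSecretHereXAMPLE123456";',
  `const STORAGE_CONNECTION_STRING = "DefaultEndpointsProtocol=https;AccountName=mystorageaccount;AccountKey=${FAKE_KEY};EndpointSuffix=core.windows.net";`,
  `const cosmosConfig = { key: "${"B".repeat(86)}==" };`,
  "const keyVaultUrl = process.env.KEY_VAULT_URL; // secure: no literal secret",
].join("\n");
console.log(JSON.stringify(scanForAzureSecrets(SAMPLE_SOURCE), null, 2));
```

The secure line is reported as clean, and the storage key inside the connection string is counted once rather than twice.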

Prevention Best Practices

  1. Use Managed Identity: Always prefer Managed Identities for resources like VMs, App Services, and Functions.
  2. Use Azure Key Vault: Store all secrets, keys, and connection strings in Azure Key Vault.
  3. Use App Configuration: Store non-sensitive configuration settings in Azure App Configuration.
  4. Implement RBAC: Use Role-Based Access Control (RBAC) to grant least-privilege access to Key Vault and other resources.
  5. Use Azure Policy: Enforce security standards, such as preventing the creation of public storage accounts.
  6. Rotate Secrets: Use Key Vault’s automated rotation features for secrets and keys.