AKS Security - SIEM UseCase of Get Credentials

A SIEM usecase or forensic security alert for Azure Kubernetes Service AKS should be setup for az aks get-credentials as it reveals sensitive data of AKS.

Example for Azure Cloud Shell Bash:

azureksmoq [ ~ ]$
azureksmoq [ ~ ]$ az aks get-credentials --resource-group rgaks04app23 --name AKS04
Merged "AKS04" as current context in /home/azureksmoq/.kube/config
azureksmoq [ ~ ]$ 
azureksmoq [ ~ ]$
azureksmoq [ ~ ]$ cat /home/azureksmoq/.kube/config
apiVersion: v1
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZ[...]RVJUSUZJQ0FURS0tLS0tCg==
    server: https://mykubernetescluster-dns-[...].hcp.eastus.azmk8s.io:443
  name: AKS04
- context:
    cluster: AKS04
    user: clusterUser_rgaks04app23_AKS04
  name: AKS04
current-context: AKS04
kind: Config
preferences: {}
- name: clusterUser_rgaks04app23_AKS04
    client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ[...]RS0tLS0tCg==
    client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJV[...]0VZLS0tLS0K
    token: bl0c8ko2[...]73m4ltf
azureksmoq [ ~ ]$ 
azureksmoq [ ~ ]$ 

This command can be helpful for developers or admins - but it is dual use as it reveals sensitive information. I recommend increasing your SIEM risk score or even make a use case with alerting.

Azure Documentation

Microsoft documentation for az aks get-credentials can be found here: https://learn.microsoft.com/en-us/cli/azure/aks?view=azure-cli-latest#az-aks-get-credentials or see here: https://azure.github.io/kubelogin/quick-start.html. See also https://learn.microsoft.com/en-us/azure/aks/control-kubeconfig-access

Get access credentials for a managed Kubernetes cluster.

By default, the credentials are merged into the .kube/config file so kubectl can use them. See -f parameter for details.

az aks get-credentials --name


Get access credentials for a managed Kubernetes cluster. (autogenerated)

az aks get-credentials --name MyManagedCluster --resource-group MyResourceGroup

Required Parameters

--name -n

Name of the managed cluster.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--admin -a

Get cluster administrator credentials. Default: cluster user credentials.

default value: False

If specified, overwrite the default context name. The --admin parameter takes precedence over --context.

--file -f

Kubernetes configuration file to update. Use "-" to print YAML to stdout instead.

default value: ~\.kube\config

Specify the format of the returned credential. Available values are ["exec", "azure"]. Only take effect when requesting clusterUser credential of AAD clusters.


Overwrite any existing cluster entry with the same name.

default value: False

Get private cluster credential with server address to be public fqdn.

default value: False
Global Parameters

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.


Only show errors, suppressing warnings.

--output -o

Output format.


JMESPath query string. See http://jmespath.org/ for more information and examples.


Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.


Increase logging verbosity. Use --debug for full debug logs.


No comments:

Post a Comment

Almost perfect protection for websites and other services - Mutual TLS

Its hard to secure your IT services and applications. The list of possible attacks is long, as shown in the Mitre Att&ck framework , the...