Azure Service Management Certificate

ID

azure_management_certificate

Severity

high

Vendor

Microsoft

Family

API Token

Description

The Azure Service Management Certificate is used to authenticate with the management API.

Security

Any hardcoded Azure Service Management Certificate is a potential secret reported by this detector.

Accidentally checking in the certificate to a source control repository could compromise the Azure DevOps account and data.

Suspicious activity could be detected by reviewing the Azure Platform Logs.

Examples

export AZURE_MANAGEMENT_CERTIFICATE=b6eme6inskhw4fze5vpy...

Mitigation / Fix

  1. Remove the Azure Service Management Certificate from the source code or committed configuration file.

  2. Follow your policy for handling leaked secrets, which typically requires revoking the secret in the target system(s). Keys can be rotated from the Azure portal, PowerShell and the Azure CLI.

  3. If the file is in a git repository, you may remove unwanted files from the repository history using tools like git filter-repo or BFG Repo-Cleaner. You may follow the procedure listed here for GitHub.

You should consider any sensitive data in commits with secrets as compromised.

Remember that secrets may be removed from history in your projects, but not in other users' cloned or forked repositories.

  4. Check access logs to ensure that the secret was not used by unintended actors during the compromised period.
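As an added example (not part of this detector page or its product), the following minimal scanner shows the kind of check that flags a hardcoded assignment like the one under Examples before it reaches a repository, printing a redacted finding rather than the secret itself. The value character class, minimum length and placeholder rules are assumptions chosen for illustration, and the sample file contents are constructed.

```python
import re
import sys
from typing import List, Tuple

# Environment variable name shown in this detector's Examples section.
SECRET_VAR = "AZURE_MANAGEMENT_CERTIFICATE"

# Matches shell- or dotenv-style assignments such as
#   export AZURE_MANAGEMENT_CERTIFICATE=b6eme6inskhw4fze5vpy...
#   AZURE_MANAGEMENT_CERTIFICATE="..."
# The value pattern (16+ base64/urlsafe chars) is an assumption for this example.
ASSIGNMENT_RE = re.compile(
    r"^\s*(?:export\s+)?" + SECRET_VAR + r"\s*=\s*['\"]?([A-Za-z0-9+/=_-]{16,})['\"]?"
)

# Obvious placeholders (one repeated character, or a telltale word) are not findings.
PLACEHOLDER_RE = re.compile(r"^(?:(.)\1{15,}|.*(?:placeholder|changeme|redacted).*)$", re.I)


def redact(value: str, keep: int = 4) -> str:
    """Keep a short prefix so the finding can be triaged without re-leaking the value."""
    return value[:keep] + "..." if len(value) > keep else "***"


def scan_text(text: str, path: str = "<stdin>") -> List[Tuple[str, int, str]]:
    """Return (path, line number, redacted value) for each suspected hardcoded certificate."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = ASSIGNMENT_RE.match(line)
        if not m:
            continue
        value = m.group(1)
        if PLACEHOLDER_RE.match(value):
            continue
        findings.append((path, lineno, redact(value)))
    return findings


# Constructed sample input: one real-looking value, one placeholder, one empty, one unrelated.
SAMPLE = """\
# constructed sample shell environment file
export AZURE_MANAGEMENT_CERTIFICATE=b6eme6inskhw4fze5vpy...
AZURE_MANAGEMENT_CERTIFICATE="xxxxxxxxxxxxxxxxxxxx"
export AZURE_MANAGEMENT_CERTIFICATE=
AZURE_REGION=westeurope
"""


def main(argv: List[str]) -> int:
    """Scan the files given on the command line (or the constructed sample); non-zero exit on findings."""
    if len(argv) > 1:
        findings = []
        for path in argv[1:]:
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_text(fh.read(), path))
    else:
        findings = scan_text(SAMPLE, "sample.env")
    for path, lineno, preview in findings:
        print(f"{path}:{lineno}: possible {SECRET_VAR} value {preview}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with no arguments to scan the embedded sample, or pass file paths to use it as a pre-commit check; the non-zero exit status is what makes a hook block the commit. Only the first few characters of the value are ever printed, so the scanner's own output does not become a second copy of the secret in CI logs.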