Get-AzPasswords ACRpasswords block of code throws an exception for the subscription scope Reader role.
Closed this issue · 2 comments
Hi,
I wanted to provide a PR for the Dump Azure Container Registry Admin passwords block of code. If the user that is conducting recon has only Reader permissions on the subscription scope, the Get-AzContainerRegistryCredential cmdlet in the Dump Azure Container Registry Admin passwords block of code will throw an exception and interrupt the script; I believe this is not the intended behavior.
Here is the proposed code:
if ($ACR -eq 'Y'){
    # Container Registry Section
    Write-Verbose "Getting List of Azure Container Registries..."
    $registries = Get-AzContainerRegistry
    $registries | ForEach-Object {
        if ($_.AdminUserEnabled -eq 'True'){
            try{
                $loginServer = $_.LoginServer
                $name = $_.Name
                Write-Verbose "`tGetting the Admin User password for $loginServer"
                # Throws when the caller lacks rights to list credentials (e.g. subscription-scope Reader)
                $ACRpasswords = Get-AzContainerRegistryCredential -ResourceGroupName $_.ResourceGroupName -Name $name
                $TempTblCreds.Rows.Add("ACR-AdminUser",$_.LoginServer,$ACRpasswords.Username,$ACRpasswords.Password,"N/A","N/A","N/A","N/A","Password","N/A",$subName) | Out-Null
                $TempTblCreds.Rows.Add("ACR-AdminUser",$_.LoginServer,$ACRpasswords.Username,$ACRpasswords.Password2,"N/A","N/A","N/A","N/A","Password","N/A",$subName) | Out-Null
            }
            catch{
                # Log the failure and continue with the next registry instead of aborting the run
                Write-Verbose "`tUser does not have authorization to perform action Get-AzContainerRegistryCredential for container registry $name"
            }
        }
    }
}
The majority of the covered services in Get-AzPasswords require Contributor permissions on resources to run. I like the idea of throwing try/catch blocks on each service to get better error handling. Feel free to throw out a PR through the normal pull request process and I can get that merged in. Thanks!
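The per-service try/catch idea from this thread, written out as an added example that is not MicroBurst code: a reusable wrapper that turns an authorization failure into a structured result so enumeration continues, applied here as an audit of registries that still have the admin account enabled (a finding to remediate on its own) and of whether the current identity can read their credentials. The function name, the match on the "does not have authorization" phrase echoed in the issue's catch block, and the report layout are assumptions of this example.

```powershell
# Added example, not part of MicroBurst. Wraps a credential-reading call and
# converts a terminating error into a result object instead of stopping the script.
function Invoke-AzReadWithAuthCheck {
    param(
        [Parameter(Mandatory)][scriptblock]$Action,   # hypothetical helper, assumed name
        [Parameter(Mandatory)][string]$Target
    )
    try {
        $result = & $Action
        [pscustomobject]@{ Target = $Target; Status = 'OK'; Result = $result; Error = $null }
    }
    catch {
        # Assumption: Az reports a missing RBAC right with a message containing
        # "does not have authorization to perform action"; anything else is a plain error.
        $status = if ($_.Exception.Message -match 'does not have authorization') { 'Forbidden' } else { 'Error' }
        Write-Verbose "`t$Target : $status - $($_.Exception.Message)"
        [pscustomobject]@{ Target = $Target; Status = $status; Result = $null; Error = $_.Exception.Message }
    }
}

# Audit use: list registries with the admin user enabled and record whether the
# caller could read the credentials. Only the username is kept; no password values
# are written to the report.
$report = Get-AzContainerRegistry | Where-Object { $_.AdminUserEnabled -eq $true } | ForEach-Object {
    $reg = $_
    $probe = Invoke-AzReadWithAuthCheck -Target $reg.LoginServer -Action {
        Get-AzContainerRegistryCredential -ResourceGroupName $reg.ResourceGroupName -Name $reg.Name -ErrorAction Stop
    }
    [pscustomobject]@{
        Registry       = $reg.LoginServer
        AdminEnabled   = $true
        CredentialRead = $probe.Status      # OK, Forbidden, or Error
        AdminUser      = if ($probe.Result) { $probe.Result.Username } else { $null }
    }
}
$report | Format-Table -AutoSize
```

A Reader-only identity produces a row per registry with CredentialRead = Forbidden rather than an aborted run, and any registry listed at all is one where disabling the admin user should be considered.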