Env Vars
env-vars is the workload-configuration-signal command for AzureFox.
Use it when you need to know which workloads expose configuration that looks secret-bearing, trust-changing, or useful for the next pivot.
- Which workloads expose the most interesting configuration?
- Which settings point toward secrets, downstream services, or trust relationships?
- Which app should you review first for credential or dependency clues?
```bash
azurefox env-vars --output table
```

For saved structured output:

```bash
azurefox env-vars --output json
```

| workload | kind | setting | value type | signal | next review |
|---|---|---|---|---|---|
| app-public-api | AppService | DB_PASSWORD | plain-text | sensitive-name | Check tokens-credentials first. |
| func-orders | FunctionApp | PAYMENT_API_KEY | keyvault-ref | sensitive-name; keyvault-ref | Check keyvault, then managed-identities. |
| app-public-api | AppService | API_BASE_URL | plain-text | - | Check managed-identities. |
- when app and function configuration may reveal the next step faster than general inventory
- after `inventory` or `tokens-credentials` suggests an app-heavy environment
- when you need to prioritize workloads based on their configuration signal
- plain-text secret or credential-shaped settings
- connection strings and endpoint references
- Key Vault references
- workloads with many high-signal variables compared to the rest of the estate
Configuration often reveals the next hop even when the value itself is masked or not meant to be treated as loot.
Setting names, references, and surrounding workload context can show where an application pulls secrets from, what downstream services it depends on, and which workload deserves deeper review before you spend time on lower-value apps.
- explicit secret and credential signals
- connection-oriented settings and downstream dependency clues
- workloads with many high-signal variables
- enough explanation to show why a workload is interesting without dumping every setting
- If you see a plain-text secret-like setting such as `DB_PASSWORD` or `AzureWebJobsStorage`, go next to `tokens-credentials` because it ranks that workload as a direct credential or token surface.
- If you see a `reference_target` that points to Key Vault, go next to `keyvault` because it shows the network and authorization boundary of the secret store behind that setting.
- If the setting belongs to a Function App or App Service with managed identity, go next to `managed-identities` because it shows whether that same workload also carries an Azure token path.
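
The signal and next-review columns can be reproduced from setting names and value shapes alone, which is useful when auditing your own app settings for plain-text secrets. The sketch below is an added example, not AzureFox's code: the name patterns, the `classify` and `rank` helpers, and the sample settings are assumptions modeled on the sample table above, and the values are constructed placeholders.

```python
import re
from collections import Counter

# Assumed name patterns for the "sensitive-name" signal (not AzureFox's real rules).
SENSITIVE_NAME = re.compile(
    r"PASSWORD|SECRET|API_?KEY|TOKEN|CONNECTION_?STRING|AzureWebJobsStorage", re.I)
# App Service / Functions Key Vault reference syntax: @Microsoft.KeyVault(...)
KEYVAULT_REF = re.compile(r"^@Microsoft\.KeyVault\(.+\)$")

# Constructed sample settings; the values are placeholders, not real secrets.
SAMPLE = [
    ("app-public-api", "AppService", "DB_PASSWORD", "constructed-placeholder"),
    ("func-orders", "FunctionApp", "PAYMENT_API_KEY",
     "@Microsoft.KeyVault(SecretUri=https://example-vault.vault.azure.net/secrets/payment-key/)"),
    ("app-public-api", "AppService", "API_BASE_URL", "https://api.example.internal"),
    ("func-orders", "FunctionApp", "AzureWebJobsStorage",
     "DefaultEndpointsProtocol=https;AccountName=constructed;AccountKey=placeholder"),
]

def classify(workload, kind, setting, value):
    """Build one table-style row from a setting; the value is never echoed."""
    is_ref = bool(KEYVAULT_REF.match(value.strip()))
    signals = ["sensitive-name"] if SENSITIVE_NAME.search(setting) else []
    if is_ref:
        signals.append("keyvault-ref")
        next_review = "keyvault, then managed-identities"
    elif signals:
        next_review = "tokens-credentials"
    else:
        next_review = "managed-identities"
    return {"workload": workload, "kind": kind, "setting": setting,
            "value_type": "keyvault-ref" if is_ref else "plain-text",
            "signal": "; ".join(signals) or "-", "next_review": next_review}

def rank(rows):
    """Order workloads by how many of their settings carry any signal."""
    counts = Counter(r["workload"] for r in rows if r["signal"] != "-")
    return [name for name, _ in counts.most_common()]

if __name__ == "__main__":
    rows = [classify(*s) for s in SAMPLE]
    for r in rows:
        print(" | ".join(r.values()))
    print("review order:", rank(rows))
```
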
- Prioritize workloads whose configuration exposes clear secret, dependency, or trust signals.
- Pair configuration clues with the command that best explains the backing secret store, token path, or workload identity.
- Treat this as a ranking surface, not a reason to read every setting in every app.
env-vars is a configuration-signal command.
It should surface the workloads with the most meaningful configuration clues. It is not a bulk secret-retrieval or full-value dump workflow.