Document Details
Queues Auth Abac Examples
❌
This page contains Windows bias
About This Page
This page is part of the Azure documentation. It contains code examples and configuration instructions for working with Azure services.
Bias Analysis
Bias Types:
⚠️
powershell_heavy
⚠️
missing_linux_example
⚠️
windows_tools
Summary:
The documentation page provides detailed examples for Azure Queue Storage role assignment conditions, but all command-line examples are exclusively in Azure PowerShell. There are no examples using cross-platform tools such as Azure CLI, Bash, or scripting languages commonly used on Linux. This creates a bias toward Windows users and environments, as PowerShell is the default shell on Windows and not always the preferred or available tool on Linux systems. The documentation also references 'AzurePowerShell' in its metadata, reinforcing this bias.
Recommendations:
- Add equivalent Azure CLI (az) command examples for all scenarios currently shown with PowerShell. Azure CLI is cross-platform and widely used on Linux and macOS.
- Where scripting is shown, provide both PowerShell and Bash (or at least shell-agnostic) script snippets for common operations.
- Explicitly mention that all examples are possible on Linux and macOS, and provide guidance or links for setting up the required tools on those platforms.
- Review metadata and custom tags (such as 'devx-track-azurepowershell') to ensure they do not imply exclusivity to Windows/PowerShell.
- Where possible, include screenshots or walkthroughs using the Azure CLI Cloud Shell, which is available in the Azure Portal and supports both Bash and PowerShell.
Create pull request
Scan History
| Date | Scan ID | Status | Bias Status |
|---|---|---|---|
| 2025-08-19 00:01 | #85 | completed | ✅ Clean |
| 2025-07-13 21:37 | #48 | completed | ❌ Biased |
| 2025-07-12 23:44 | #41 | in_progress | ❌ Biased |
Flagged Code Snippets
$bearerCtx = New-AzStorageContext -StorageAccountName $storageAccountName
Get-AzStorageQueue -Name <queueName> -Context $bearerCtx
$condition = "((!(ActionMatches{'Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete'}) AND !(ActionMatches{'Microsoft.Storage/storageAccounts/queueServices/queues/messages/read'})) OR (@Resource[Microsoft.Storage/storageAccounts/queueServices/queues:name] StringEquals 'sample-queue'))"
$testRa = Get-AzRoleAssignment -Scope $scope -RoleDefinitionName $roleDefinitionName -ObjectId $userObjectID
$testRa.Condition = $condition
$testRa.ConditionVersion = "2.0"
Set-AzRoleAssignment -InputObject $testRa -PassThru
$subId = "<your subscription id>"
$rgName = "<resource group name>"
$storageAccountName = "<storage account name>"
$roleDefinitionName = "Storage Queue Data Contributor"
$userUpn = "<user UPN>"
$userObjectID = (Get-AzADUser -UserPrincipalName $userUpn).Id
$queueName = "sample-queue"
$vnetName = "sample-vnet"
$subnetName = "default"
$scope = "/subscriptions/$subId/resourceGroups/$rgName/providers/Microsoft.Storage/storageAccounts/$storageAccountName"
$condition = `
"( `
( `
!(ActionMatches{'Microsoft.Storage/storageAccounts/queueServices/queues/messages/write'}) `
) `
OR `
( `
@Resource[Microsoft.Storage/storageAccounts/queueServices/queues:name] StringEquals '$queueName' `
AND `
@Environment[Microsoft.Network/virtualNetworks/subnets] StringEqualsIgnoreCase '/subscriptions/$subId/resourceGroups/$rgName/providers/Microsoft.Network/virtualNetworks/$vnetName/subnets/$subnetName' `
) `
)"
$testRa = Get-AzRoleAssignment -Scope $scope -RoleDefinitionName $roleDefinitionName -ObjectId $userObjectID
$testRa.Condition = $condition
$testRa.ConditionVersion = "2.0"
Set-AzRoleAssignment -InputObject $testRa -PassThru
$subId = "<your subscription id>"
$rgName = "<resource group name>"
$storageAccountName = "<storage account name>"
$roleDefinitionName = "Storage Queue Data Reader"
$userUpn = "<user UPN>"
$userObjectID = (Get-AzADUser -UserPrincipalName $userUpn).Id
$queueName = "sample-queue"
$dateTime = "2023-05-01T13:00:00.000Z"
$scope = "/subscriptions/$subId/resourceGroups/$rgName/providers/Microsoft.Storage/storageAccounts/$storageAccountName"
$condition = `
"( `
( `
!(ActionMatches{'Microsoft.Storage/storageAccounts/queueServices/queues/messages/read'}) `
) `
OR `
( `
@Resource[Microsoft.Storage/storageAccounts/queueServices/queues:name] StringEquals '$queueName' `
AND `
@Environment[UtcNow] DateTimeGreaterThan '$dateTime' `
) `
)"
$testRa = Get-AzRoleAssignment -Scope $scope -RoleDefinitionName $roleDefinitionName -ObjectId $userObjectID
$testRa.Condition = $condition
$testRa.ConditionVersion = "2.0"
Set-AzRoleAssignment -InputObject $testRa -PassThru