Document Details
Storage Auth Abac Examples
This page contains Windows bias
About This Page
This page is part of the Azure documentation. It contains code examples and configuration instructions for working with Azure services.
Bias Analysis
Detected Bias Types
powershell_heavy
missing_linux_example
windows_tools
Summary
The documentation page provides detailed examples for configuring Azure role assignment conditions for Blob Storage, with a strong emphasis on Azure PowerShell for all command-line and scripting examples. There are no examples using cross-platform or Linux-native tools (such as Azure CLI, Bash, or REST API via curl), and all scripting guidance is provided exclusively in PowerShell syntax. This creates a Windows-centric bias, as PowerShell is primarily associated with Windows environments, even though it is available cross-platform. The lack of Linux/Unix-native examples may hinder adoption or ease-of-use for users on non-Windows platforms.
Recommendations
- Add equivalent Azure CLI (az) command examples for all PowerShell snippets, as Azure CLI is cross-platform and widely used on Linux and macOS.
- Where scripting is shown (e.g., for testing conditions), provide Bash or shell script examples alongside PowerShell.
- For REST-based operations, include curl or HTTP request examples to demonstrate how to interact with the API from any platform.
- Explicitly mention that PowerShell examples are cross-platform, but clarify how to install and use PowerShell Core on Linux/macOS if retaining PowerShell as a primary example.
- Consider reordering or presenting Azure CLI and Bash examples before or alongside PowerShell to avoid the perception of Windows-first bias.
- Audit all sections to ensure Linux users can follow the documentation without needing to translate PowerShell commands themselves.
Create Pull Request
Scan History
| Date | Scan | Status | Result |
|---|---|---|---|
| 2026-01-14 00:00 | #250 | in_progress |
Biased
|
| 2026-01-13 00:00 | #246 | completed |
Biased
|
| 2026-01-11 00:00 | #240 | completed |
Biased
|
| 2026-01-10 00:00 | #237 | completed |
Biased
|
| 2026-01-09 00:34 | #234 | completed |
Biased
|
| 2026-01-08 00:53 | #231 | completed |
Biased
|
| 2026-01-06 18:15 | #225 | cancelled |
 Clean
|
| 2025-08-19 00:01 | #85 | completed |
Clean
|
| 2025-07-13 21:37 | #48 | completed |
Biased
|
| 2025-07-12 23:44 | #41 | cancelled |
Biased
|
Flagged Code Snippets
$subId = "<your subscription id>"
$rgName = "<resource group name>"
$storageAccountName = "<storage account name>"
$roleDefinitionName = "Storage Blob Data Contributor"
$userUpn = "<user UPN>"
$userObjectID = (Get-AzADUser -UserPrincipalName $userUpn).Id
$containerName = "container1"
$vnetName = "virtualnetwork1"
$subnetName = "default"
$scope = "/subscriptions/$subId/resourceGroups/$rgName/providers/Microsoft.Storage/storageAccounts/$storageAccountName"
$condition = `
"( `
( `
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'}) `
AND `
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'}) `
AND `
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action'}) `
AND `
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete'}) `
) `
OR `
( `
@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals '$containerName' `
AND `
@Environment[Microsoft.Network/virtualNetworks/subnets] StringEqualsIgnoreCase '/subscriptions/$subId/resourceGroups/$rgName/providers/Microsoft.Network/virtualNetworks/$vnetName/subnets/$subnetName' `
) `
)"
$testRa = Get-AzRoleAssignment -Scope $scope -RoleDefinitionName $roleDefinitionName -ObjectId $userObjectID
$testRa.Condition = $condition
$testRa.ConditionVersion = "2.0"
Set-AzRoleAssignment -InputObject $testRa -PassThru
$condition = "((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'}) AND !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action'}) AND !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action'})) OR (@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'contosocorp' AND @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:path] StringLike 'uploads/contoso/*'))"
$testRa = Get-AzRoleAssignment -Scope $scope -RoleDefinitionName $roleDefinitionName -ObjectId $userObjectID
$testRa.Condition = $condition
$testRa.ConditionVersion = "2.0"
Set-AzRoleAssignment -InputObject $testRa -PassThru
$grantedContainer = "contosocorp" # Get new context for request $bearerCtx = New-AzStorageContext -StorageAccountName $storageAccountName # Try to get ungranted blobs # Wrong name but right tags $content = Get-AzStorageBlobContent -Container $grantedContainer -Blob "AlpineFile.txt" -Context $bearerCtx # Right name but wrong tags $content = Get-AzStorageBlobContent -Container $grantedContainer -Blob "logsAlpine.txt" -Context $bearerCtx # Try to get granted blob $content = Get-AzStorageBlobContent -Container $grantedContainer -Blob "logs/AlpineFile.txt" -Context $bearerCtx