Document Details

Storage Auth Abac Examples
Home / Scan 48 / Storage Auth Abac Examples
This page contains Windows bias

About This Page

This page is part of the Azure documentation. It contains code examples and configuration instructions for working with Azure services.
GitHub View on GitHub 📚 View on Microsoft Learn

Bias Analysis

Bias Types:
⚠️ powershell_heavy
⚠️ missing_linux_example
⚠️ windows_tools
Summary:
The documentation page provides detailed examples for configuring Azure role assignment conditions for Blob Storage, with a strong emphasis on Azure PowerShell for all command-line and scripting examples. There are no examples using cross-platform or Linux-native tools (such as Azure CLI, Bash, or REST API via curl), and all scripting guidance is provided exclusively in PowerShell syntax. This creates a Windows-centric bias, as PowerShell is primarily associated with Windows environments, even though it is available cross-platform. The lack of Linux/Unix-native examples may hinder adoption or ease-of-use for users on non-Windows platforms.
Recommendations:
  • Add equivalent Azure CLI (az) command examples for all PowerShell snippets, as Azure CLI is cross-platform and widely used on Linux and macOS.
  • Where scripting is shown (e.g., for testing conditions), provide Bash or shell script examples alongside PowerShell.
  • For REST-based operations, include curl or HTTP request examples to demonstrate how to interact with the API from any platform.
  • Explicitly mention that PowerShell examples are cross-platform, but clarify how to install and use PowerShell Core on Linux/macOS if retaining PowerShell as a primary example.
  • Consider reordering or presenting Azure CLI and Bash examples before or alongside PowerShell to avoid the perception of Windows-first bias.
  • Audit all sections to ensure Linux users can follow the documentation without needing to translate PowerShell commands themselves.
GitHub Create pull request

Scan History

Date Scan ID Status Bias Status
2025-08-19 00:01 #85 completed ✅ Clean
2025-07-13 21:37 #48 completed ❌ Biased
2025-07-12 23:44 #41 in_progress ❌ Biased

Flagged Code Snippets

$subId = "<your subscription id>" $rgName = "<resource group name>" $storageAccountName = "<storage account name>" $roleDefinitionName = "Storage Blob Data Contributor" $userUpn = "<user UPN>" $userObjectID = (Get-AzADUser -UserPrincipalName $userUpn).Id $containerName = "container1" $vnetName = "virtualnetwork1" $subnetName = "default" $scope = "/subscriptions/$subId/resourceGroups/$rgName/providers/Microsoft.Storage/storageAccounts/$storageAccountName" $condition = ` "( ` ( ` !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'}) ` AND ` !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'}) ` AND ` !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action'}) ` AND ` !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete'}) ` ) ` OR ` ( ` @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals '$containerName' ` AND ` @Environment[Microsoft.Network/virtualNetworks/subnets] StringEqualsIgnoreCase '/subscriptions/$subId/resourceGroups/$rgName/providers/Microsoft.Network/virtualNetworks/$vnetName/subnets/$subnetName' ` ) ` )" $testRa = Get-AzRoleAssignment -Scope $scope -RoleDefinitionName $roleDefinitionName -ObjectId $userObjectID $testRa.Condition = $condition $testRa.ConditionVersion = "2.0" Set-AzRoleAssignment -InputObject $testRa -PassThru
$condition = "((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'}) AND !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action'}) AND !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action'})) OR (@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'contosocorp' AND @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:path] StringLike 'uploads/contoso/*'))" $testRa = Get-AzRoleAssignment -Scope $scope -RoleDefinitionName $roleDefinitionName -ObjectId $userObjectID $testRa.Condition = $condition $testRa.ConditionVersion = "2.0" Set-AzRoleAssignment -InputObject $testRa -PassThru
$grantedContainer = "contosocorp" # Get new context for request $bearerCtx = New-AzStorageContext -StorageAccountName $storageAccountName # Try to get ungranted blobs # Wrong name but right tags $content = Get-AzStorageBlobContent -Container $grantedContainer -Blob "AlpineFile.txt" -Context $bearerCtx # Right name but wrong tags $content = Get-AzStorageBlobContent -Container $grantedContainer -Blob "logsAlpine.txt" -Context $bearerCtx # Try to get granted blob $content = Get-AzStorageBlobContent -Container $grantedContainer -Blob "logs/AlpineFile.txt" -Context $bearerCtx