How to enable SFTP support for an Azure storage account

Blob storage now supports SSH File Transfer Protocol (SFTP). This allows us to use SFTP for file access, transfer, and management. In this post, I will show you how to enable an SFTP endpoint for your blob storage account and configure local user identities to authenticate and connect your storage account with SFTP over port 22.

Prerequisites

• The hierarchical namespace feature of the account must be enabled. To enable the hierarchical namespace feature, you should Upgrade your Azure Blob Storage with Azure Data Lake Storage Gen2 capabilities. Check out this link.
• Check that you have the latest version of the Az.Storage module.

Azure PowerShell Workaround #

Check out this link if you want to know how to install the PowerShell Azure module on your machine. The simplest way to get started is to sign in interactively at the command line.

Connect-AzAccount

This cmdlet will bring up a dialog box prompting you for your email address and password associated with your Azure account. If you have more than one subscription associated with your mail account, you can choose the default subscription. To perform this task, we will use the following commands:

Get-AzSubscription
Select-AzSubscription -Subscription "My Subscription"

Once you set your default subscription, you’re ready to start.

Set the variables #

Here we define our environment’s characteristics and the resources’ names.

$resourceGroupName = "RG-DEMO-WE"
$stoAccountName = "storagedemowe"
$userName = "sftpuserdemo"
$containerName="sftpdemocontainer"

Enable Secure File Transfer Protocol (SFTP) for the Azure Storage account #

First, to enable SFTP support, you should use the Set-AzStorageAccount cmdlet and set the -EnableSftp parameter to true.

Set-AzStorageAccount `
    -ResourceGroupName $resourceGroupName `
    -Name $stoAccountName `
    -EnableSftp $true

Define the scope of permissions #

Once the SFTP feature is enabled, you need to create a permission scope object to set which containers you want to grant access to and what level of access you want. To do this, you must use the New-AzStorageLocalUserPermissionScope cmdlet with the following syntax.

$permissionScopeBlob = New-AzStorageLocalUserPermissionScope `
    -Permission rwl `
    -Service blob `
    -ResourceName $containerName

The -Permission parameter allows the combination of the following values: Read(r), Write (w), Delete (d), List (l), and Create (c).

Create a local user #

Azure Blob storage doesn’t support Azure AD authentication or authorization via SFTP. Instead, SFTP uses a new form of identity management called local users. To create a local user, you should use the Set-AzStorageLocalUser cmdlet. Set the -PermissionScope parameter to the permission scope object you created in the previous step.

$localuser = Set-AzStorageLocalUser `
    -ResourceGroupName $resourceGroupName `
    -AccountName $stoAccountName `
    -UserName $userName `
    -HomeDirectory "sftpdemocontainer/" `
    -PermissionScope $permissionScopeBlob

Check the set values using the following commands.

$localuser | format-list
$localuser.PermissionScopes | format-table

Authentication methods #

Authentication methods for local users connecting via SFTP are a password or a Secure Shell (SSH) public-private key pair. You can configure both forms of authentication and allow connecting local users to choose which one to use.

Set the local user password #

If you want to use a password to authenticate the local user, you must create a password using the New-AzStorageLocalUserSshPassword cmdlet with the following syntax.

$localuserPassword = New-AzStorageLocalUserSshPassword `
    -ResourceGroupName $resourceGroupName `
    -StorageAccountName $stoAccountName `
    -UserName $userName

Important: As you have seen, you cannot set custom passwords; Azure generates one for you. You should note that you will not be able to recover that Azure password again. If you lose it, you will need to generate a new password.

$localuserPassword

Using the above command, you get the generated password.

Set the SSH configuration of the local user #

If you choose to authenticate with a public-private key pair, you can either generate one, use one already stored in Azure, or provide Azure with the public key from an existing public-private key pair, as shown in the following example. To use an existing SSH key, create a public key object using the New-AzStorageLocalUserSshPublicKey cmdlet. Set the -Key parameter to a string that contains the key type and public key and

$sshkey = "ssh-rsa..."
$sshkey = New-AzStorageLocalUserSshPublicKey `
    -Key $sshkey `
    -Description "My demo ssh public key"

To set authentication via SSH public-private key pair, you should use the Set-AzStorageLocalUser cmdlet with the following syntax. Set the -PermissionScope parameter to the permission scope object you created earlier and the -SshAuthorization parameter to the public key object you created in the previous step. If you want to keep a password to authenticate this local user, set the -HasSshPassword parameter to $true.

$localuser = Set-AzStorageLocalUser `
    -ResourceGroupName $resourceGroupName `
    -StorageAccountName $stoAccountName `
    -UserName $UserName `
    -HomeDirectory "sftpcontainer" `
    -SshAuthorizedKey $sshkey `
    -PermissionScope $permissionScopeBlob `
    -HasSshKey $true `
    -HasSshPassword $true

Check the set values using the following commands.

$localuser | Format-List
$localuser.SshAuthorizedKeys | Format-List
$localuser.PermissionScopes | Format-Table

Connect to storage account using SFTP client #

Finally, you can use any SFTP client to connect and transfer files securely.

sftp storagedemowe.sftuserdemo@storagedemowe.blob.core.windows.net

Note that for the SFTP command, the username must be used following the format storage_account_name.username.

Disable Secure File Transfer Protocol (SFTP) for the Storage account #

You should use the following command to disable the SFTP feature on your storage account and local users.

Set-AzStorageAccount `
    -ResourceGroupName $resourceGroupName `
    -Name $stoAccountName `
    -EnableSftp $false `
    -EnableLocalUser $false

Azure CLI Workaround #

In this case, we will use Azure Cloud Shell, a browser-based shell built into Azure Portal. This allows us to use the Azure command-line tools (Azure CLI and Azure PowerShell) directly from a browser. If you want to know more about Azure Cloud Shell, check out this link. Here we define our environment’s characteristics and the resources’ names.

resourceGroupName="RG-DEMO-WE"
stoAccountName="storagedemowe"
userName="sftpuser"
containerName="sftpdemocontainer"

Enable Secure File Transfer Protocol (SFTP) for the Azure Storage account #

First, to enable SFTP support, you should use the following command and set the –enable-sftp parameter to true.

az storage account update \
-g $resourceGroupName \
-n $stoAccountName \
--enable-sftp=true

Create a local users #

Azure Blob storage doesn’t support Azure AD authentication or authorization via SFTP. Instead, SFTP uses a new form of identity management called local users. To create a local user, specify the home directory and set the permission scope for that user; you should use the following command.

az storage account local-user create \
--account-name $stoAccountName \
-g $resourceGroupName \
-n $userName \
--home-directory $containerName \
--permission-scope permissions=rwl service=blob resource-name=$containerName

Authentication methods #

Authentication methods for local users connecting via SFTP are a password or a Secure Shell (SSH) public-private key pair. You can configure both forms of authentication and allow connecting local users to choose which one to use.

Set the local user password #

To enable password authentication for the local user, you should use the following command.

az storage account local-user update \
--account-name $stoAccountName \
-g $resourceGroupName \
-n $userName \
--has-ssh-password true

And then, use the following command to get the generated password.

az storage account local-user regenerate-password \
--account-name $stoAccountName \
-g $resourceGroupName \
-n $userName

Important: As you have seen, you cannot set custom passwords; Azure generates one for you. You should note that you will not be able to recover that Azure password again. If you lose it, you will need to generate a new password.

Set the SSH configuration of the local user #

You should use the following command to enable authentication via SSH public-private key pair. You are setting the parameters --has-ssh-key to allow this type of authentication and --has-ssh-key to specify the SSH key in a string containing the key type and the public key. If you want to keep password authentication to authenticate this local user, set the --has-ssh-password parameter to true.

az storage account local-user update \
--account-name $stoAccountName \
-g $resourceGroupName \
-n $userName \
--ssh-authorized-key key="ssh-rsa..." \
--has-ssh-key true \
--has-ssh-password true

To get shared and ssh authorized keys for a local user, use the following command.

az storage account local-user list-keys \
--account-name $stoAccountName \
-g $resourceGroupName \
-n $userName

Connect to storage account using SFTP client #

Finally, you can use any SFTP client to connect and transfer files securely. Note that for the SFTP command, the username must be used following the format storage_account_name.username.

sftp [email protected]

Disable Secure File Transfer Protocol (SFTP) for the Storage account #

Use the following command to update a storage account by disabling Sftp and the local user.

az storage account update \
-g $resourceGroupName \
-n $stoAccountName \
--enable-sftp=true \
--enable-local-user=false

Thanks for reading my post. I hope you find it helpful. Check out this link if you want to know more about SFTP support for Azure Blob Storage.