Blob storage now supports SSH File Transfer Protocol (SFTP). This allows us to use SFTP for file access, transfer, and management. In this post, I will show you how to enable an SFTP endpoint for your blob storage account and configure local user identities to authenticate and connect your storage account with SFTP over port 22.
Prerequisites
- The hierarchical namespace feature of the account must be enabled. To enable the hierarchical namespace feature, you should Upgrade your Azure Blob Storage with Azure Data Lake Storage Gen2 capabilities. Check out this link.
- Check that you have the latest version of the Az.Storage module.
Azure PowerShell Workaround
Check out this link if you want to know how to install the PowerShell Azure module on your machine.
The simplest way to get started is to sign in interactively at the command line.
1 2 3 | Connect-AzAccount |
This cmdlet will bring up a dialog box prompting you for your email address and password associated with your Azure account.
If you have more than one subscription associated with your mail account, you can choose the default subscription. To perform this task, we will use the following commands:
1 2 3 4 | Get-AzSubscription Select-AzSubscription -Subscription "My Subscription" |
Once you set your default subscription, you’re ready to start.
Set the variables
Here we define our environment’s characteristics and the resources’ names.
1 2 3 4 5 6 | $resourceGroupName = "RG-DEMO-WE" $stoAccountName = "storagedemowe" $userName = "sftpuserdemo" $containerName="sftpdemocontainer" |
Enable Secure File Transfer Protocol (SFTP) for the Azure Storage account
First, to enable SFTP support, you should use the Set-AzStorageAccount cmdlet and set the -EnableSftp parameter to true.
1 2 3 | Set-AzStorageAccount -ResourceGroupName $resourceGroupName -Name $stoAccountName -EnableSftp $true |
Define the scope of permissions
Once the SFTP feature is enabled, you need to create a permission scope object to set the containers you want to grant access to and the level of access you want. To do this, you must use the New-AzStorageLocalUserPermissionScope cmdlet with the following syntax.
1 2 3 4 5 | $permissionScopeBlob = New-AzStorageLocalUserPermissionScope -Permission rwl ` -Service blob ` -ResourceName $containerName |
The -Permission parameter allows the combination of the following values: Read(r), Write (w), Delete (d), List (l), and Create (c).
Create a local user
Azure Blob storage doesn’t support Azure AD authentication or authorization via SFTP. Instead, SFTP uses a new form of identity management called local users.
To create a local user, you should use the Set-AzStorageLocalUser cmdlet. Set the -PermissionScope parameter to the permission scope object you created in the previous step.
1 2 3 4 5 6 7 | $localuser = Set-AzStorageLocalUser -ResourceGroupName $resourceGroupName ` -AccountName $stoAccountName ` -UserName $userName ` -HomeDirectory "sftpdemocontainer/" ` -PermissionScope $permissionScopeBlob |
Check the set values using the following commands.
1 2 3 4 | $localuser | format-list $localuser.PermissionScopes | format-table |
Authentication methods
Authentication methods for local users connecting via SFTP are a password or a Secure Shell (SSH) public-private key pair. You can configure both forms of authentication and allow connecting local users to choose which one to use.
Set the local user password
If you want to use a password to authenticate the local user, you must create a password using the New-AzStorageLocalUserSshPassword cmdlet with the following syntax.
1 2 3 4 5 | $localuserPassword = New-AzStorageLocalUserSshPassword -ResourceGroupName $resourceGroupName ` -StorageAccountName $stoAccountName ` -UserName $userName |
Important: As you have seen, you cannot set custom passwords; Azure generates one for you. You should note that you will not be able to recover that Azure password again. If you lose it, you will need to generate a new password.
1 2 3 | $localuserPassword |
Using the above command, you get the generated password.
Set the SSH configuration of the local user
Suppose you choose to authenticate with a public-private key pair. In that case, you can either generate one, use one already stored in Azure, or provide Azure with the public key from an existing public-private key pair, as shown in the following example.
To use an existing SSH key, create a public key object using the New-AzStorageLocalUserSshPublicKey cmdlet. Set the -Key parameter to a string that contains the key type and public key and
1 2 3 4 | $sshkey = "ssh-rsa..." $sshkey = New-AzStorageLocalUserSshPublicKey -Key $sshkey -Description "My demo ssh public key" |
To set authentication via SSH public-private key pair, you should use the Set-AzStorageLocalUser cmdlet with the following syntax. Set the -PermissionScope parameter to the permission scope object you created earlier and the -SshAuthorization parameter to the public key object you created in the previous step. If you want to keep a password to authenticate this local user, set the -HasSshPassword parameter to $true.
1 2 3 4 5 6 7 8 9 10 | $localuser = Set-AzStorageLocalUser -ResourceGroupName $resourceGroupName ` -StorageAccountName $stoAccountName ` -UserName $UserName ` -HomeDirectory "sftpcontainer" ` -SshAuthorizedKey $sshkey ` -PermissionScope $permissionScopeBlob ` -HasSshKey $true ` -HasSshPassword $true |
Check the set values using the following commands.
1 2 3 4 5 | $localuser | Format-List $localuser.SshAuthorizedKeys | Format-List $localuser.PermissionScopes | Format-Table |
Connect to storage account using SFTP client
Finally, you can use any SFTP client to connect and transfer files securely.
1 2 3 | sftp storagedemowe.sftuserdemo@storagedemowe.blob.core.windows.net |
Note that for the SFTP command, the username must be used following the format storage_account_name.username.
Disable Secure File Transfer Protocol (SFTP) for the Storage account
You should use the following command to disable the SFTP feature on your storage account and local users.
1 2 3 4 5 6 | Set-AzStorageAccount -ResourceGroupName $resourceGroupName ` -Name $stoAccountName ` -EnableSftp $false ` -EnableLocalUser $false |
Azure CLI Workaround
In this case, we will use Azure Cloud Shell, a browser-based shell built into Azure Portal. This allows us to use the Azure command-line tools (Azure CLI and Azure PowerShell) directly from a browser. If you want to know more about Azure Cloud Shell, check out this link.
Here we define our environment’s characteristics and the resources’ names.
1 2 3 4 5 6 | resourceGroupName="RG-DEMO-WE" stoAccountName="storagedemowe" userName="sftpuser" containerName="sftpdemocontainer" |
Enable Secure File Transfer Protocol (SFTP) for the Azure Storage account
First, to enable SFTP support, you should use the following command and set the –enable-sftp parameter to true.
1 2 3 | az storage account update -g $resourceGroupName -n $stoAccountName --enable-sftp=true |
Create a local users
Azure Blob storage doesn’t support Azure AD authentication or authorization via SFTP. Instead, SFTP uses a new form of identity management called local users. To create a local user, specify the home directory and set the permission scope for that user; you should use the following command.
1 2 3 4 5 6 7 | az storage account local-user create --account-name $stoAccountName \ -g $resourceGroupName \ -n $userName \ --home-directory $containerName \ --permission-scope permissions=rwl service=blob resource-name=$containerName |
Authentication methods
Authentication methods for local users connecting via SFTP are a password or a Secure Shell (SSH) public-private key pair. You can configure both forms of authentication and allow connecting local users to choose which one to use.
Set the local user password
To enable password authentication for the local user, you should use the following command.
1 2 3 4 5 6 7 | az storage account local-user update --account-name $stoAccountName \ -g $resourceGroupName \ -n $userName \ --has-ssh-password true |
And then, use the following command to get the generated password.
1 2 3 4 5 | az storage account local-user regenerate-password --account-name $stoAccountName \ -g $resourceGroupName \ -n $userName |
Important: As you have seen, you cannot set custom passwords; Azure generates one for you. You should note that you will not be able to recover that Azure password again. If you lose it, you will need to generate a new password.
Set the SSH configuration of the local user
You should use the following command to enable authentication via SSH public-private key pair. You are setting the parameters –has-ssh-key to allow this type of authentication and –has-ssh-key to specify the SSH key in a string containing the key type and the public key. If you want to keep password authentication to authenticate this local user, set the –has-ssh-password parameter to true.
1 2 3 4 5 6 7 8 | az storage account local-user update --account-name $stoAccountName \ -g $resourceGroupName \ -n $userName \ --ssh-authorized-key key="ssh-rsa..." \ --has-ssh-key true \ --has-ssh-password true |
To get shared and ssh authorized keys for a local user, use the following command.
1 2 3 4 5 | az storage account local-user list-keys --account-name $stoAccountName \ -g $resourceGroupName \ -n $userName |
Connect to storage account using SFTP client
Finally, you can use any SFTP client to connect and transfer files securely. Note that for the SFTP command, the username must be used following the format storage_account_name.username.
1 2 3 | sftp storagedemowe.sftuserdemo@storagedemowe.blob.core.windows.net |
Disable Secure File Transfer Protocol (SFTP) for the Storage account
Use the following command to update a storage account by disabling Sftp and the local user.
1 2 3 4 5 6 | az storage account update -g $resourceGroupName \ -n $stoAccountName \ --enable-sftp=true \ --enable-local-user=false |
Thanks for reading my post. I hope you find it helpful.
Check out this link if you want to know more about SFTP support for Azure Blob Storage.
