Accessing Data on Azure Storage Account using SFTP

The Secure File Transfer Protocol or SFTP has been one of the most secure and reliable ways to exchange files between two systems for as long as I can remember. Especially for system-to-system communications that require authentication using keys.

Storage accounts on the other hand are a more modern way to handle data, providing blob service along with the traditional SMB and NFS file shares. SMB and NFS are not suitable for communications over the public internet leaving us with blob as the only option - apart from deploying a Linux machine.  

Fortunately, Microsoft decided to add SFTP support to the blob service of the storage account. To enable the SFTP support for your storage account, you have to enable the hierarchical namespace feature and of course, the SFTP support, as shown in the below screenshot:

To confirm that the functionality has been enabled for your storage account, you may check the Settings of the storage account where a new blade named SFTP should be available:

SFTP access is only available for the blob service of the storage account. You can access containers and blobs, but not files in shares.

Using Storage Explorer I've created two containers named home and data respectively. I've also created a directory within home named user1 that will serve as the home directory of our first SFTP user.

The only way to authenticate against the storage account - at least up until now - is to use local users. These are accounts that are configured on the storage account, much like local users on a Linux machine. The ability to authenticate using Azure AD is being considered but not yet available.

To create a local user, navigate to the SFTP blade and click on the Add local user button:

In the new window, you have to specify the username and the authentication method. There are two options available, password and key. We'll go with the password option to keep things simple:

When you click next, you'll be presented with a screen to select the permissions to assign to the user on the containers that are currently available on the storage account:

Here I've decided to grant permission on both containers (data & home). On data I've assigned only the read permission, compared to home where I've granted all permissions.

You can optionally assign a home directory to the user in the format {container}/{directory}. I've created the user1 directory in the home container earlier for that particular reason!

The next screen is very important since it contains the password of the account that has been created and there is no other way to recover it:

Use the copy button to copy the password to a secure location! The user has now been created and we're ready to connect.

In the SFTP blade, we can now see the new user and the connection string we can use in order to connect to the storage account:

The first part of the connection string is the username and the second is the name of the server to connect to. Although not shown here, the name of the server is actually the blob endpoint of the storage account.

play

There is however another important thing I would like to mention. In the above example, we've set the user's home directory inside the home container. When the connection is established, the storage account will direct the connection to the appropriate container. If the home folder is not specified or we would like to connect to another container, we have to specify it in the connection string and the username part in particular. In our case it would be cpolydorousftp.data.user1@cpolydorousftp.blob.core.windows.net following the format  {myaccount}.{mycontainer}.{myusername}@{myaccount}.blob.core.windows.net, just like below:

At the time of the writing of this post, the SFTP support is still in preview. The GA version of the functionality may differ.

You have now connected to the blob service using SFTP!

Popular posts from this blog

Domain Controller Machine Password Reset

Managing Active Directory User Certificates using PowerShell

Configuring a Certificate on Exchange Receive Connector