18 thoughts on “Enable SFTP Support for Azure Blob Storage”


  1. Thanks for the detailed information on creating SFTP Enabled Storage Account. For some reason, I am not able to deploy the resources using the provided ARM template. Even I am getting the same error while deploying it through the Azure Portal. Are you facing the same issue?

    Below are the error details:

    Error: Code=InvalidRequestPropertyValue; Message=The value ‘True’ is not allowed for property isSftpEnabled.

  2. Hello Vinod, thanks for the comment and feedback!
    I am not facing the same issue as you described above.
    Did you register and enable SFTP in your subscription? You must register the SFTP feature with your subscription as described in the prerequisites section.
    Hope this helps!

  3. Yes, I have enabled it. Please see below for your reference:

    PS C:\WINDOWS\system32> Get-AzProviderFeature -FeatureName "AllowSFTP" -ProviderNamespace "Microsoft.Storage"

    FeatureName ProviderName      RegistrationState
    ----------- ------------      -----------------
    AllowSFTP   Microsoft.Storage Registered

  4. Thank you Vinod for confirming!
    In which region are you trying to enable SFTP for Azure Blob?
    Did you deploy a new storage account or use an existing one?

  5. Yes, it is an issue with the Region. For some reason I am not able to deploy this template in West Europe region, which is specified by default in the template. The deployment is working fine when I changed it to East US2.

  6. Thank you Vinod for confirming it’s working now!
    I suspect it’s a region issue since SFTP for Blob is not enabled for all Azure regions yet. However, West Europe was announced as supported.
    Thanks!

  7. Thanks for the info, we have an issue with the container permissions. We would like to have access to upload files, but only new files, without being able to read or delete the existing files in the container.
    What permission do we need to set? Create and List? Create, List, and Read? others?

    Thank You!

  8. Hello Vincent, thanks for the comment!
    Please refer to the permissions table descriptions in this section.
    In your case, you need to have the “Create” and “List” permissions only, without “Read”. And if you don’t want the user to see the existing files, you may also remove “List” and keep only the “Create” permission.
    Hope this helps!

  9. Hi Charbel,

    Good job, the process is well detailed.
    Would you know if using PuTTY I would also be able to access the SFTP in Storage Blob?

  10. Hello Eliaquim, thanks for the comment!
    Yes, you could use PuTTY to access the SFTP in Storage Blob.

    Here are the details:
    Download PuTTY (psftp.exe only). In Command Prompt, navigate to download location.
    Connect as follows:

    psftp.exe testaccount.user1@testaccount.blob.core.windows.net -pw "enter password here"

    Trust the server when prompted. You’re now connected!

    Follow the examples below for a quick intro to the SFTP commands:
    > See a list of commands: psftp> help
    > Print local working directory: psftp> lpwd
    > Change remote directory with absolute path: psftp> cd /test
    > List contents of remote directory: psftp> ls
    > Make a new local directory: psftp> !mkdir demo
    > Change local directory: psftp> !cd demo
    > Download a file: psftp> get demo.txt
    > Open file locally: psftp> !notepad demo.txt

    Hope this helps!

  11. I tried and tested this successfully myself. Az is still missing one key SFTP function, and that is an SFTP client with functionality to be able to interact (upload/download) with a third party’s hosted SFTP site. So far stuck with the IaaS solution to install WinSCP onto a VDI… not ideal when the desire is to use an infrastructure-as-code model.

  12. How can I set my storage account SKU type as ZRS? Under my storage account configuration, I only see 3 options under replication:

    LRS
    GRS
    RA-GRS

    Asking this to figure out the redundancy and security of this feature (if we should use this for our PROD environment).

    Also, I know that in order to use SFTP, we have to upgrade to Azure Data Lake Storage Gen2.

    Is this any different than Azure Blob Storage? Again exploring to figure out the safest option possible.

  13. Hello Abhay, thanks for the comment!
    To set the storage account SKU type as ZRS, this has to be done when you create the storage account and not afterward.
    You cannot set the replication option to ZRS after the storage account is created. You need to set it during the creation wizard.
    The Data Lake Storage Gen2 hierarchical namespace accelerates big data analytics workloads and enables file-level access control lists (ACLs). It has more advanced options than Azure Blob Storage.
    Azure Data Lake Storage Gen2 organizes objects (files) into a hierarchy of directories and subdirectories in the same way that the file system on your computer is organized. The hierarchical namespace scales linearly and doesn’t degrade data capacity or performance.
    Hope this helps!

  14. Hello Charbel,

    Thank you for the detailed write-up. Quick question about permissions: is there a way to control folder list permissions specifically in the root folder of the container? Let’s say I have a home folder per user in the container but I don’t want other users to see or access other users’ home folders?

    Thanks,
    Rino

  15. Hello Rino, thanks for the comment!
    Please note that setting file/folder level permissions (including home directory) is NOT currently possible. As a workaround, you would have to create a container per local user and then give other users read/list access to it.
    Hopefully, Microsoft will improve this behavior in the future.
    Stay Tuned!

  16. Got it, thank you for confirming Charbel. Looks like I will have to go the route of using a container per local user.
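
The upload-only scope from comment 8 and the container-per-user workaround from comments 15 and 16, as an added PowerShell example that is not part of the original thread or article. It assumes the Az.Storage module and a signed-in session; the resource group, storage account, user names and public keys are constructed placeholders.

```powershell
# Added example: one private container per SFTP local user, upload-only,
# SSH key authentication only. All names below are assumptions, not from the thread.
$ResourceGroup  = 'rg-sftp-demo'
$StorageAccount = 'stsftpdemo'

# Constructed sample data: local user name -> OpenSSH public key (placeholders).
$Users = @{
    'vendor1' = 'ssh-rsa <PUBLIC-KEY-PLACEHOLDER-1>'
    'vendor2' = 'ssh-rsa <PUBLIC-KEY-PLACEHOLDER-2>'
}

# Containers that already exist, so the script can be re-run safely.
$existing = (Get-AzRmStorageContainer -ResourceGroupName $ResourceGroup `
        -StorageAccountName $StorageAccount).Name

foreach ($name in $Users.Keys) {
    $container = "home-$name"

    if ($existing -notcontains $container) {
        New-AzRmStorageContainer -ResourceGroupName $ResourceGroup `
            -StorageAccountName $StorageAccount -Name $container | Out-Null
    }

    # 'c' = Create only: the user can upload new files but cannot list, read
    # or delete existing ones. Use 'cl' to also allow listing.
    $scope = New-AzStorageLocalUserPermissionScope -Permission 'c' `
        -Service blob -ResourceName $container

    $key = New-AzStorageLocalUserSshPublicKey -Key $Users[$name] `
        -Description "$name upload key"

    # The scope names only this user's container, so other users' containers
    # are not reachable. Password and shared-key authentication stay disabled.
    Set-AzStorageLocalUser -ResourceGroupName $ResourceGroup `
        -StorageAccountName $StorageAccount -UserName $name `
        -HomeDirectory $container -PermissionScope $scope `
        -SshAuthorizedKey $key -HasSshKey $true `
        -HasSshPassword $false -HasSharedKey $false | Out-Null
}

# Review what was provisioned.
Get-AzStorageLocalUser -ResourceGroupName $ResourceGroup `
    -StorageAccountName $StorageAccount |
    Select-Object Name, HomeDirectory, HasSshKey, HasSshPassword
```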

  17. Thank you very much for all the information, it was really helpful to have it.
    One question: Is it possible to use the “generate new key pair” functionality that we see in the portal, through ARM templates?

    Thank you,
    Denisa

  18. Hello Denisa, thanks for the comment!
    Yes, this should be completely possible.
    The ARM template must be updated to handle this option. However, we need to wait until the SFTP service becomes generally available (GA).
    We will update the article once this capability is available.
    Thanks!
