Connect to Azure Blob Storage by using the SSH File Transfer Protocol (SFTP) (preview)

You can securely connect to the Blob Storage endpoint of an Azure Storage account by using an SFTP client, and then upload and download files. This article shows you how to enable SFTP, and then connect to Blob Storage by using an SFTP client.

To learn more about SFTP support in Azure Blob Storage, see SSH File Transfer Protocol (SFTP) in Azure Blob Storage.

Important

SFTP support is currently in PREVIEW and is available in these regions.

See the Supplemental Terms of Use for Microsoft Azure Previews for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

To enroll in the preview, complete this form AND request to join via 'Preview features' in Azure portal.

Prerequisites

  • A standard general-purpose v2 or premium block blob storage account. You can also enable SFTP as you create the account. For more information on these types of storage accounts, see Storage account overview.

  • The account redundancy option of the storage account is set to either locally-redundant storage (LRS) or zone-redundant storage (ZRS).

  • The hierarchical namespace feature of the account must be enabled. To enable the hierarchical namespace feature, see Upgrade Azure Blob Storage with Azure Data Lake Storage Gen2 capabilities.

  • If you're connecting from an on-premises network, make sure that your client allows outgoing communication through port 22, the port that SFTP uses.

Register the feature

Before you can enable SFTP support, you must register the SFTP feature with your subscription.

  1. Sign in to the Azure portal.

  2. Open the configuration page of your subscription.

  3. Under Settings, select Preview features.

    [Screenshot: Preview setting]

  4. In the Preview features page, select the AllowSFTP feature, and then select Register.

Verify feature registration

Verify that the feature is registered before continuing with the other steps in this article.

  1. Open the Preview features page of your subscription.

  2. Locate the AllowSFTP feature and make sure that Registered appears in the State column.

Enable SFTP support

  1. In the Azure portal, navigate to your storage account.

  2. Under Settings, select SFTP.

    Note

    This option appears only if the hierarchical namespace feature of the account has been enabled. To enable the hierarchical namespace feature, see Upgrade Azure Blob Storage with Azure Data Lake Storage Gen2 capabilities.

  3. Select Enable SFTP.

    [Screenshot: Enable SFTP button]

    Note

    If no local users appear in the SFTP configuration page, you'll need to add at least one of them. To add local users, see the next section.

Configure permissions

Azure Storage does not support shared access signature (SAS) or Azure Active Directory (Azure AD) authentication for accessing the SFTP endpoint. Instead, the storage account must have an identity, called a local user, associated with the connecting client. A local user is secured with an Azure-generated password or with a secure shell (SSH) key pair.

In this section, you'll learn how to create a local user, choose an authentication method, and then assign permissions for that local user.

To learn more about the SFTP permissions model, see SFTP Permissions model.

  1. In the Azure portal, navigate to your storage account.

  2. Under Settings, select SFTP, and then select Add local user.

    [Screenshot: Add local users button]

  3. In the Add local user configuration pane, add the name of a user, and then select which methods of authentication you'd like to associate with this local user. You can associate a password and/or an SSH key.

    Important

    While you can enable both forms of authentication, SFTP clients can connect by using only one of them. Multifactor authentication, whereby both a valid password and a valid public and private key pair are required for successful authentication, is not supported.

    If you select Secure with a password, then your password will appear when you've completed all of the steps in the Add local user configuration pane.

    If you select Secure with SSH public key, then select Add key source to specify a key source.

    [Screenshot: Local user configuration pane]

    The following table describes each key source option:

    • Generate a new key pair: Use this option to create a new public / private key pair. The public key is stored in Azure with the key name that you provide. The private key can be downloaded after the local user has been successfully added.

    • Use existing key stored in Azure: Use this option if you want to use a public key that is already stored in Azure. To find existing keys in Azure, see List keys. When SFTP clients connect to Azure Blob Storage, those clients need to provide the private key associated with this public key.

    • Use existing public key: Use this option if you want to upload a public key that is stored outside of Azure. If you don't have a public key, but would like to generate one outside of Azure, see Generate keys with ssh-keygen.

  4. Select Next to open the Container permissions tab of the configuration pane.

  5. In the Container permissions tab, select the containers that you want to make available to this local user. Then, select which types of operations you want to enable this local user to perform.

    [Screenshot: Container permissions tab]

  6. In the Home directory edit box, type the name of the container or the directory path (including the container name) that will be the default location associated with this local user.

    To learn more about the home directory, see Home directory.

  7. Select the Add button to add the local user.

    If you enabled password authentication, then the Azure-generated password appears in a dialog box after the local user has been added.

    Important

    You can't retrieve this password later, so make sure to copy the password, and then store it in a place where you can find it.

    If you chose to generate a new key pair, then you'll be prompted to download the private key of that key pair after the local user has been added.

Connect an SFTP client

You can use any SFTP client to securely connect and then transfer files. The following screenshot shows a Windows PowerShell session that uses OpenSSH and password authentication to connect and then upload a file named logfile.txt.

[Screenshot: Connect with OpenSSH]

Note

You might be prompted to trust a host key. During the public preview, valid host keys are published here.

After the transfer is complete, you can view and manage the file in the Azure portal.

[Screenshot: Uploaded file appears in storage account]

Note

The Azure portal uses the Blob REST API and Data Lake Storage Gen2 REST API. Being able to interact with an uploaded file in the Azure portal demonstrates the interoperability between SFTP and REST.

See the documentation of your SFTP client for guidance about how to connect and transfer files.
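The upload shown in the screenshot, scripted with the OpenSSH sftp client as an added example (not code from the Azure documentation): it uses key authentication instead of the password shown above, because batch mode cannot prompt, and it pins the published host key in a dedicated known_hosts file rather than accepting whatever key is offered on first connection. The storage account name, local user name, key path and host key line are placeholders; the endpoint format (account.blob.core.windows.net) and username format (account.localuser) are assumptions, since the page does not spell them out.

```shell
#!/bin/sh
# Added example, not from the Azure docs: build a non-interactive OpenSSH sftp
# upload that pins the Azure-published host key instead of trusting it on first use.
# Placeholder values: storage account, local user, private-key path and host key line.

ACCOUNT="${ACCOUNT:-mystorageacct}"                 # placeholder storage account name
LOCAL_USER="${LOCAL_USER:-sftpuser1}"               # placeholder local user name
KEY_FILE="${KEY_FILE:-$HOME/.ssh/azure_sftp_key}"   # private key downloaded from the portal

# Assumed formats: endpoint <account>.blob.core.windows.net, username <account>.<localuser>.
sftp_host() { printf '%s.blob.core.windows.net' "$1"; }
sftp_user() { printf '%s.%s' "$1" "$2"; }

# Write a dedicated known_hosts file containing only the host key Azure publishes
# for the preview. $1 = account, $2 = output path, $3 = "keytype base64key" line.
write_known_hosts() {
  printf '%s %s\n' "$(sftp_host "$1")" "$3" > "$2"
  chmod 600 "$2"
}

# Batch file with the commands sftp runs non-interactively: upload the file into
# the local user's home directory, then list it to confirm. $1 = path, $2 = file.
write_batch() {
  printf 'put %s\nls -l\n' "$2" > "$1"
}

# Compose the command line. StrictHostKeyChecking=yes with our own known_hosts
# makes an unknown or changed host key abort the connection instead of prompting;
# IdentitiesOnly=yes keeps the client from offering unrelated keys from an agent.
# $1 = account, $2 = local user, $3 = known_hosts, $4 = batch file, $5 = private key.
sftp_command() {
  printf 'sftp -o StrictHostKeyChecking=yes -o UserKnownHostsFile=%s -o IdentitiesOnly=yes -i %s -b %s %s@%s' \
    "$3" "$5" "$4" "$(sftp_user "$1" "$2")" "$(sftp_host "$1")"
}

main() {
  tmp="${TMPDIR:-/tmp}/azsftp.$$"
  mkdir -p "$tmp"
  # PLACEHOLDER: replace with the host key line published for your region.
  write_known_hosts "$ACCOUNT" "$tmp/known_hosts" "ssh-rsa PLACEHOLDER_PUBLISHED_HOST_KEY"
  write_batch "$tmp/batch.txt" "logfile.txt"
  cmd=$(sftp_command "$ACCOUNT" "$LOCAL_USER" "$tmp/known_hosts" "$tmp/batch.txt" "$KEY_FILE")
  echo "$cmd"
  # Run the transfer once the placeholders are replaced:
  # eval "$cmd"
}

main
```

After the transfer, the file can be checked in the portal as described above; a host key mismatch surfaces as a connection failure from sftp rather than a silent prompt.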

See also