Assuming I already have a Storage Account SAS URI configured. How can I connect from outside the network to that Storage Account and which file sharing client should I use? What values do I need to configure it and where are they in the Storage Account - Azure AD? How do I give different permissions to different users? By Roles?
I tried to create a Storage Account SAS URI and a Shared Access Key. I tried connecting from WinSCP using those endpoints. I can't find the username and password. Do you know a method similar to this, but that works?
Many Thanks
If you enable SFTP for Azure Blob Storage, you will have an endpoint that you can access via WinSCP and the ability to create users with differing permissions to control access.
Related
I need an SFTP server hosted on Azure. The important thing is that it should support multiple user accounts and their management at runtime ( via an interface or API), i.e. password reset, account blocking/unblocking (preferably user groups also).
I have found some guides on how to set up an SFTP server on Azure:
https://learn.microsoft.com/en-us/samples/azure-samples/sftp-creation-template/sftp-on-azure/
https://charbelnemnom.com/how-to-deploy-sftp-service-on-microsoft-azure/
Their major drawback is that every change ( addition of a new user, password update etc.) requires a new deployment which is not acceptable.
Also, there is an SFTP functionality for the Azure Blob Storage:
https://learn.microsoft.com/en-us/azure/storage/blobs/secure-file-transfer-protocol-support
This functionality is still in preview and allows only to add local users in the Azure portal. Unfortunately, other - more advanced features like account blocking etc - are missing. It is also not possible to manage the user accounts from the code.
There exist some products on Azure marketplace provided by external companies, like Azure SFTP Gateway which supports all functionalities listed above. I am not sure about the further maintenance of these products and I couldn't find any information about SLA or similar things for these products.
I would like to ask if there is a reliable resource or a way to set up a resource that could serve as an SFTP server and meet the requirements listed above? If there is no explicit solution, maybe there is a way to integrate an SFTP server with a database or do something else?
Presently, we only support the SFTP for Azure Blob Storage.
SFTP for Azure Blob Storage supports multiple local user accounts and container-level permissions. You can use the Portal, ARM, PowerShell or CLI to manage users, permissions and passwords/keys. You can also disable individual users by disabling ssh key and password authentication.
Connect to Azure Blob Storage using SFTP (preview) | Microsoft Docs
az storage account local-user | Microsoft Docs
I am trying to create Azure Billing Export via Portal Azure with the use of SAS token. I want to export costs from tenant A to storage container in tenant B.
I have generated SAS token in storage account with help of this tutorial, with only change of expire date extension. In storage account there is enabled "Allow storage account key access" configuration.
I am able to connect to storage account via Storage Explorer with use of generated SAS token, but when I try to create export there is error:
Export creation failed.SAS token access to user storage is not supported.
I can't find anything about this error in MS Azure documentation and also anywhere in the web.
I generated token by Azure CLI, storage account Shared access signature, container Shared access signature and Storage Explorer.
I have not generated User Delegation SAS, because I need long term access.
The problem was caused by lack of needed permissions to perform that action. I don't know which role gives permissions to do that, Global Admin helped a lot.
From the Azure portal I would like to programmatically and periodically create a service SAS token. Once a token has been created it should expire in one week and a new token also valid for one week will be created and so on. I was reading this article https://learn.microsoft.com/it-it/azure/storage/blobs/sas-service-create?tabs=dotnet but I am not very sure about where that code should run, in a Azure VM? I can't give internet access to the VM
The code from the article can be run from any compute service.
If that is the sole purpose of the compute resource, I would pick Logic Apps to have everything managed for you; it may have a connector to do it or you can embed some JavaScript.
Should that not be sufficient, I would use an Azure Function.
You can also use a VM if that is more suitable and restrict/block its internet access.
If you need to restrict internet access, you must be sure your blob storage is reachable, your options are:
Open whichever firewall/NSG to that storage account
Using service endpoints, service endpoint policies
Project a Private Link endpoint into the VNET from the storage
Can we provide access to blobs or containers or storage accounts using Azure Active Directory? I have tried to add using AAD but is not permitting to add storage account.
Can we provide access to blobs or containers or storage accounts using
Azure Active Directory?
As of today, it is not possible to provide Azure AD based access to blobs/containers in a storage account. Access to these resources is controlled by storage account keys.
What you can do is restrict the access to management operations on these storage accounts by Azure AD so that only authorized users get access to account keys.
No, I'm afraid that you cannot do that.
https://learn.microsoft.com/en-us/azure/storage/storage-dotnet-how-to-use-files#file-storage-faq
The closest solution you can have is to use shared access keys
https://learn.microsoft.com/en-us/azure/storage/storage-dotnet-shared-access-signature-part-1
Cheers,
Toan Nguyen
Update: this is possible today.
https://learn.microsoft.com/en-us/azure/storage/common/storage-auth-aad
I'm using Azure Storage Explorer to connect to storage accounts that I've created by hand on Azure. However when I go to browse the storage account that was created by Azure when I created a Media Services account, I'm unable to connect to it.
I'm using blob.core.windows.net as the storage endpoint domain, and setting the storage account name and storage account key to be the same as Azure has defined it in the dashboard, but attempts to connect (with or without HTTPS) result in a 502-Bad Gateway HTTP error.
I'd like an easy way to browse all media files I've created without having to write special code. Has anyone been able to get this to work?
All storage accounts regardless the way they are being created are browsable with Storage Explorer!
For such storage accounts, created when you Create Media Services, you have to use the Storage Account Name and Storage Account Key, but not the Media Service Account Name and Media Service Account Key! You will not be able to access Storage service with Media Key and vice-versa.
When you create a Media Services account, one/multiple storage accounts could be attached to a particular media services account. Let's say your account name is "MediaStorage123". I believe you need to pass the following data to storage explorer:
Account name/key: this can be found in the bottom of your storage account page in Azure portal: press Manage Key button you will see the data.
storage endpoint domain: Not sure why you need this, but if so, you can see the information in Dashboard of your media services account: https://xxx.blob.core.windows.net/.
Hope this helps.
Just for the record, In my case (with the use of proxy) I had do install a previous version of the Azure Storage Explorer