Skip to main content

SFTP Users for Storage Accounts - Part 2

ยท 3 min read
Hasan Gural

Welcome back folks! In the previous blog post SFTP Users for Storage Accounts - Part 1, we have created a Bicep template to deploy an Azure Storage Account and initialize the blob service. In this blog post, we will continue to extend the Bicep template to create containers and local users for the sftp access.

๐Ÿ“ Create Containersโ€‹

To create containers, we need to add a new resource to our Bicep template. The resource type for the container is Microsoft.Storage/storageAccounts/blobServices/containers. We will use the local variable that was defined and explained in the previous blog post. When using this local variable, we must use a loop to iterate over it.

// Create the containers
resource stfpStorageAccountContainers 'Microsoft.Storage/storageAccounts/blobServices/containers@2023-01-01' = [

for (item, idx) in containers: {

parent: stfpStorageAccountBlobService
properties: {
publicAccess: 'None'




Please append the code provided above to the Bicep template we created in the previous blog post. They must be cumulative. I want to avoid repeating content in this post.


The containers local variable is defined as an array of objects. We are using the for loop to iterate over the containers array.

๐Ÿ’ฌ Create Local Usersโ€‹

I have not executed the Bicep template yet. In the meantime, I wanted to add local users resource block to the Bicep template. We will use the Microsoft.Storage/storageAccounts/localUsers resource type to create local users. Let me add the code block to the Bicep template.

// Sftp users for the containers
resource storagesftUsers 'Microsoft.Storage/storageAccounts/localUsers@2023-01-01' = [

for (user, idx) in sftpUsers: {

parent: stfpStorageAccount
properties: {
hasSshPassword: true
hasSharedKey: false
hasSshKey: false
homeDirectory: '/'
permissionScopes: [
permissions: 'rwldc'
service: 'blob'
resourceName: '${user.containerName}'


Alright, we now have a Bicep template that creates a StorageAccount, BlobService, Containers, and LocalUsers. It seems we're all set to execute the Bicep template. Before we proceed with the actual deployment, I'm keen to see the result using the what-if command.

For this validation, I use the Deployment Pane in Visual Studio Code, which offers a seamless experience for executing the what-if command and viewing its results. The screenshot below is showcasing the outcome of the what-if operation:


Once we deploy the Bicep template, we should see the following resources in the Azure portal:

  • Storage Account
  • Blob Service
  • Containers (container01, container02)
  • Sftp Users (user01, user02, user03, user04)


If we take a closer look at each user, we can focus on the permission section. Here, we can notice that the permissions for the containers have been sorted. Users will have access exclusively to the containers that are explicitly defined for them.


That wraps up this blog post. We've made significant progress, and I hope you found the insights useful. Stay tuned for the next blog post, where we'll conclude this series with the final part. It's going to be an exciting leap forward!