Welcome the third part of the blog series SFTP Users for Storage Accounts. In the previous blog post SFTP Users for Storage Accounts - Part 2, we have created containers and local users for the SFTP access. In this blog post, we will use the Azure API to generate the sftp credentials for the local users.
๐ Generate SFTP Credentialsโ
As you might recall, we have successfully templated our requirements for the SFTP storage account, creating the containers and local users in the process. Now, it's time to generate the SFTP credentials for these local users.
To facilitate this, I plan to add an output section to our Bicep template, graping the sftpUsers array. This will allow us to use the sftpUsers array in PowerShell to generate the SFTP credentials.
// Generate output so we can use the sftpUsers array in PowerShell
output resourceId string = stfpStorageAccount.id
output sftpUsers array = [for user in sftpUsers: user.name]
- The
resourceIdoutput will be used to get the storage account id in PowerShell and form the API request. - The
sftpUsersoutput will be used to generate the SFTP credentials for the local users.
๐ป Generate SFTP Credentials with PowerShellโ
I've made a script using the New-AzResourceGroupDeployment cmdlet to deploy the Bicep template and generate SFTP credentials for the local users. The script's logic is as follows:
- Deploy the Bicep template using the New-AzResourceGroupDeployment cmdlet.
- Retrieve the storage account ID from deployment output.
- Retrieve the sftpUsers array from deployment output.
- Construct the API request to generate the SFTP credentials for the local users using the regeneratePassword API endpoint.
$deploymentResult = New-AzResourceGroupDeployment -ResourceGroupName '{RGNAME}' `
-TemplateFile 'PATH_TO_BICEP_TEMPLATE' `
if ($null -ne $deploymentResult.Outputs.sftpUsers) {
# Initialize to store the sftp username and password
$sftUsers = @()
# Get the sftp users from the deployment result
$sftpUsers = $deploymentResult.Outputs.sftpUsers.Value
$resourceId = $deploymentResult.Outputs.resourceId.Value
ForEach($user in $sftpUsers) {
$uri = "https://management.azure.com/$($resourceId)/localUsers/$($user)/regeneratePassword?api-version=2023-01-01"
try{
$request = Invoke-AzRestMethod -Uri $uri -Method POST
$sshPassword = $request.Content | ConvertFrom-Json | Select-Object -ExpandProperty sshPassword
Write-Output "Regenerated password for user: $($user)"
$obj = [PSCustomObject]@{
Username = $user
Password = $sshPassword
}
$sftUsers += $obj
}
catch {
Write-Host "Failed to regenerate password for user: $($user)"
}
}
Write-Output "List of SFTP users and their passwords:"
$sftUsers
}
After running the script, we'll have the SFTP credentials for the local users in PowerShell Console. These credentials enable us to access the SFTP. I'll leave the integration part up to you, as your requirements may be different. A recommended practice after executing the script would be to securely store the credentials in Key Vault or another secure vault. This will ensure that security posture is maintained.
๐งโ๐ป Example Outputโ
Username Password
-------- --------
user01 Av****************************c
user02 fE****************************t
user03 GJ****************************l
user04 RM****************************V
We have come to the end of the series. Before concluding, I'd like to mention another approach for generating SFTP credentials. You can use DeploymentScripts within Bicep to manage everything internally, allowing you to execute AZ_CLI or Azure PowerShell commands directly against the resources.
See you in the next blog post!