
az sftp

Note

This reference is part of the sftp extension for the Azure CLI (version 2.75.0 or higher). The extension will automatically install the first time you run an az sftp command. Learn more about extensions.

Generate SSH certificates and access Azure Storage blob data via SFTP.

These commands allow you to generate certificates and connect to Azure Storage Accounts using SFTP.

PREREQUISITES:

  • Azure Storage Account with SFTP enabled
  • Appropriate RBAC permissions (Storage Blob Data Contributor or similar)
  • Azure CLI authentication (az login)
  • Network connectivity to Azure Storage endpoints

The SFTP extension provides two main capabilities:

  1. Certificate generation using Azure AD authentication (similar to 'az ssh cert')
  2. Fully managed SFTP connections to Azure Storage with automatic credential handling

AUTHENTICATION MODES:

  • Fully managed: No credentials needed - automatically generates SSH certificate
  • Certificate-based: Use existing SSH certificate file
  • Key-based: Use SSH public/private key pair (generates certificate automatically)

This extension closely follows the patterns established by the SSH extension.

Commands

Name              Description                                         Type       Status
az sftp cert      Generate SSH certificate for SFTP authentication.   Extension  GA
az sftp connect   Access Azure Storage blob data via SFTP.            Extension  GA

az sftp cert

Generate SSH certificate for SFTP authentication.

Generate an SSH certificate that can be used for authenticating to Azure Storage SFTP endpoints. This uses Azure AD authentication to generate a certificate similar to 'az ssh cert'.

CERTIFICATE NAMING:

  • Generated certificates have '-aadcert.pub' suffix (e.g., id_rsa-aadcert.pub)
  • Certificates are valid for a limited time (typically 1 hour)
  • Private keys are generated with 'id_rsa' name when key pair is created

The certificate can be used with 'az sftp connect' or with standard SFTP clients.

az sftp cert [--file]
             [--public-key-file]
             [--ssh-client-folder]

Examples

Generate a certificate using an existing public key

az sftp cert --public-key-file ~/.ssh/id_rsa.pub --file ~/my_cert.pub

Generate a certificate and create a new key pair in the same directory

az sftp cert --file ~/my_cert.pub

Generate a certificate with custom SSH client folder

az sftp cert --file ~/my_cert.pub --ssh-client-folder "C:\Program Files\OpenSSH"

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--file -f

The file path to write the SSH certificate to. Defaults to the public key path with -aadcert.pub appended.

--public-key-file -p

The RSA public key file path. If not provided, a generated key pair is stored in the same directory as --file.

--ssh-client-folder

Folder path that contains the ssh executables (ssh-keygen, ssh). Defaults to the ssh executables in your PATH, or C:\Windows\System32\OpenSSH on Windows.

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

Default value: False

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Default value: False

--output -o

Output format.

Default value: json
Accepted values: json, jsonc, none, table, tsv, yaml, yamlc

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Default value: False

az sftp connect

Access Azure Storage blob data via SFTP.

Establish an SFTP connection to an Azure Storage Account.

AUTHENTICATION MODES:

  1. Fully managed (RECOMMENDED): Run without credentials - automatically generates SSH certificate and establishes connection. Credentials are cleaned up after use.

  2. Certificate-based: Use existing SSH certificate file. Certificate must be generated with 'az sftp cert' or compatible with Azure AD authentication.

  3. Key-based: Provide SSH keys - command will generate certificate automatically from your keys.

CONNECTION DETAILS:

  • Username format: {storage-account}.{azure-username}
  • Port: Uses SSH default (typically 22) unless specified with --port
  • Endpoints resolved automatically based on Azure cloud environment:
    • Azure Public: {storage-account}.blob.core.windows.net
    • Azure China: {storage-account}.blob.core.chinacloudapi.cn
    • Azure Government: {storage-account}.blob.core.usgovcloudapi.net

SECURITY:

  • Generated credentials are automatically cleaned up after connection
  • Temporary files stored in secure temporary directories
  • OpenSSH handles certificate validation during connection.

az sftp connect --storage-account
                [--certificate-file]
                [--port]
                [--private-key-file]
                [--public-key-file]
                [--sftp-args]
                [--ssh-client-folder]

Examples

Connect with automatic certificate generation (fully managed - RECOMMENDED)

az sftp connect --storage-account mystorageaccount

Connect to storage account with existing certificate

az sftp connect --storage-account mystorageaccount --certificate-file ~/my_cert.pub

Connect with existing SSH key pair

az sftp connect --storage-account mystorageaccount --public-key-file ~/.ssh/id_rsa.pub --private-key-file ~/.ssh/id_rsa

Connect with custom port

az sftp connect --storage-account mystorageaccount --port 2222

Connect with additional SFTP arguments for debugging

az sftp connect --storage-account mystorageaccount --sftp-args="-v"

Connect with custom SSH client folder (Windows)

az sftp connect --storage-account mystorageaccount --ssh-client-folder "C:\Program Files\OpenSSH"

Connect with custom connection timeout

az sftp connect --storage-account mystorageaccount --sftp-args="-o ConnectTimeout=30"
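
Using a certificate from 'az sftp cert' with a standard SFTP client, following the CERTIFICATE NAMING and CONNECTION DETAILS notes above. This is an added example, not part of the extension or the original reference; the helper names, the user name alice and the sample ssh-keygen listing are constructed for illustration.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not part of the az sftp extension.

# Endpoint per cloud, as listed under CONNECTION DETAILS.
sftp_endpoint() {  # $1 = storage account, $2 = public|china|government
  case "$2" in
    public)     echo "$1.blob.core.windows.net" ;;
    china)      echo "$1.blob.core.chinacloudapi.cn" ;;
    government) echo "$1.blob.core.usgovcloudapi.net" ;;
    *) echo "unknown cloud: $2" >&2; return 1 ;;
  esac
}

# Username format: {storage-account}.{azure-username}
sftp_username() { echo "$1.$2"; }

# stdin: output of `ssh-keygen -L -f <cert>`; $1: current local time in the
# same YYYY-MM-DDTHH:MM:SS form. Succeeds only if the listing has a
# "Valid: from A to B" line and B is later than $1 (string comparison is safe
# because the format is fixed-width). A missing line fails closed.
cert_is_current() {
  awk -v now="$1" '$1 == "Valid:" && $4 == "to" { seen = 1; ok = ($5 > now) }
                   END { exit !(seen && ok) }'
}

# Print the OpenSSH sftp command for review before running it.
# $1 account, $2 azure username, $3 cloud, $4 private key, $5 certificate
sftp_command() {
  host=$(sftp_endpoint "$1" "$3") || return 1
  echo "sftp -i $4 -o CertificateFile=$5 -o IdentitiesOnly=yes" \
       "-o User=$(sftp_username "$1" "$2") $host"
}

# Constructed sample of ssh-keygen -L output (trimmed to the relevant lines).
SAMPLE_LISTING='my_cert.pub:
        Type: ssh-rsa-cert-v01@openssh.com user certificate
        Valid: from 2025-01-01T10:00:00 to 2025-01-01T11:00:00'

# Real use: ssh-keygen -L -f ~/my_cert.pub | cert_is_current "$(date +%Y-%m-%dT%H:%M:%S)"
if printf '%s\n' "$SAMPLE_LISTING" | cert_is_current "2025-01-01T10:30:00"; then
  sftp_command mystorageaccount alice public ~/.ssh/id_rsa ~/my_cert.pub
else
  echo "certificate expired or unreadable: rerun az sftp cert" >&2
fi
```

Because the certificates are short-lived, checking the validity window before a batch transfer avoids an authentication failure partway through a scripted job.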

Required Parameters

--storage-account -s

Azure Storage Account name for SFTP connection. Must have SFTP enabled.

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--certificate-file -c

Path to SSH certificate file for authentication. Must be generated with "az sftp cert" or be a compatible Azure AD certificate. If not provided, a certificate will be generated automatically.

--port

SFTP port. If not specified, uses SSH default port (typically 22).

--private-key-file -i

Path to RSA private key file. If provided without certificate, a certificate will be generated automatically from this key.

--public-key-file -p

Path to RSA public key file. If provided without certificate, a certificate will be generated automatically from this key.

--sftp-args

Additional arguments to pass to the SFTP client. Example: "-v" for verbose output, "-b batchfile.txt" for batch commands, "-o ConnectTimeout=30" for custom timeout.

--ssh-client-folder

Path to folder containing SSH client executables (ssh, sftp, ssh-keygen). Default: Uses executables from PATH or C:\Windows\System32\OpenSSH on Windows.
