Azure Storage Blog

Azure Blob Storage SFTP: General Availability of ACLs (Access Control Lists) of local users

JeevanManoj
Apr 10, 2025

We are excited to announce the general availability of ACLs (Access Control Lists) for Azure Blob Storage SFTP local users. ACLs make it simple and intuitive for administrators to manage fine-grained access control to blobs and directories for Azure Blob Storage SFTP local users.  

Azure Blob Storage SFTP

Azure Blob storage supports the SSH File Transfer Protocol (SFTP) natively. SFTP on Azure Blob Storage lets you securely connect to and interact with the contents of your storage account by using an SFTP client, allowing you to use SFTP for file access, file transfer, and file management. Learn more here.

Azure Blob Storage SFTP is used by a significant number of our customers, who have shared overwhelmingly positive feedback. It eliminates the need for third-party or custom SFTP solutions involving cumbersome maintenance steps such as VM orchestration.

Local users

Azure Blob Storage SFTP utilizes a new form of identity management called local users. Local users must use either a password or a Secure Shell (SSH) private key credential for authentication. You can have a maximum of 25,000 local users for a storage account. Learn more about local users here.

Access Control for local users

There are two ways to control what a local user can access.

1. Container permissions

By using container permissions, you can choose which containers you want to grant access to and what level of access you want to provide (Read, Write, List, Delete, Create, Modify Ownership, and Modify Permissions). Those permissions apply to all directories and subdirectories in the container. Learn more here.   

2. ACLs for local users

What are ACLs?

ACLs (Access Control Lists) let you grant "fine-grained" access, such as write access to a specific directory or file, which isn’t possible with Container Permissions. More fine-grained access control has been a popular ask amongst our customers, and we are very excited to make this possible now with ACLs. A common ACL use case is to restrict a user's access to a specific directory without letting that user access other directories within the same container. This can be repeated for multiple users so that they each have granular access to their own directory. Without ACLs, this would require a container per local user. ACLs also make it easier for administrators to manage access for multiple local users with the help of groups. Learn more about ACLs for local users here.  

How to set and modify the ACL of a file or a directory?

You can set and modify the permission level of the owning user, owning group, and all other users of an ACL by using an SFTP client. You can also change the owning user or owning group of a blob or directory. These operations require 'Modify Permissions' and 'Modify Ownership' container permissions, respectively.

Note: Owning users can now also modify the owning group and permissions of a blob or directory without container permissions. This is a new feature enhancement added during the General Availability phase of ACLs for local users. For any user that is not the owning user, container permissions are still required. Learn more here.
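The "one private directory per local user inside a shared container" use case described under "What are ACLs?" and the chown/chgrp/chmod operations described just above, worked through as an added example; this is not code from the blog post or from Microsoft. It builds an OpenSSH `sftp -b` batch file that an administrator would run as a local user holding the "Modify Ownership" and "Modify Permissions" container permissions. The storage account name, container name, local user names and the numeric user and group IDs are placeholders (Azure shows each local user's ID in the portal; the values here are invented), and the `chown`/`chgrp` commands are assumed to take those numeric IDs, as the OpenSSH client sends them.

```shell
#!/bin/sh
# Added example, not from the Azure blog post. Generates an sftp batch that
# gives each listed local user a private directory under /<container>/users,
# owned by that user with mode 700 so every other local user (the "other"
# class of the ACL) has no access. All names and IDs below are placeholders.

ACCOUNT=mystorageaccount          # placeholder storage account
CONTAINER=uploads                 # placeholder container the admin can modify
USERS="alice:1001 bob:1002"       # name:uid pairs; uids are invented
SHARED_GID=2000                   # invented group id for the owning group

# build_batch prints the sftp batch commands to stdout.
# A leading "-" tells the OpenSSH sftp client to ignore an error on that
# line (e.g. the directory already exists) instead of aborting the batch.
build_batch() {
  printf '%s\n' "-mkdir /$CONTAINER/users"
  for pair in $USERS; do
    name=${pair%%:*}
    uid=${pair##*:}
    printf '%s\n' "-mkdir /$CONTAINER/users/$name"
    # owning user becomes the local user: needs Modify Ownership permission
    printf 'chown %s /%s/users/%s\n' "$uid" "$CONTAINER" "$name"
    printf 'chgrp %s /%s/users/%s\n' "$SHARED_GID" "$CONTAINER" "$name"
    # owner rwx, group none, other none: needs Modify Permissions permission
    printf 'chmod 700 /%s/users/%s\n' "$CONTAINER" "$name"
  done
  # parent stays listable for everyone but writable only by its owner
  printf 'chmod 755 /%s/users\n' "$CONTAINER"
}

# count_world_writable is an audit helper: it returns the number of chmod
# lines in the batch whose "other" digit grants write (2, 3, 6 or 7).
# A correct per-user layout yields 0.
count_world_writable() {
  build_batch | awk '$1 == "chmod" && substr($2, length($2), 1) ~ /[2367]/ { n++ }
                     END { print n + 0 }'
}

# apply_batch writes the batch and runs it over the Azure SFTP endpoint as
# the admin local user. The username format <account>.<localuser> is the
# one Azure Blob Storage SFTP uses; "admin" is a placeholder local user.
apply_batch() {
  build_batch > acl-batch.txt
  sftp -b acl-batch.txt "$ACCOUNT.admin@$ACCOUNT.blob.core.windows.net"
}
```

Run `build_batch` alone first to review the generated commands, then `apply_batch` once the admin local user and its container permissions exist. Because the owning user can later change the mode or group of their own directory without container permissions, `count_world_writable` is worth re-running against a fresh `ls -l` from the server, not only against the batch you intended to apply.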

These enhancements significantly improve the management and usability of Azure Blob Storage SFTP by providing more granular access control over the container model and extending customer options. Please reach out to blobsftp@microsoft.com for feedback about SFTP for Azure Blob Storage. We look forward to your continued support as we strive to deliver the best possible solutions for your needs.

Updated Apr 10, 2025
Version 1.0