Automating SFTP Start/Stop in an Azure Storage Account using GitHub Actions and Federated Authentication
Date published:
Welcome to this blog post, where we will explore how to automate the process of starting and stopping an SFTP server in an Azure Storage Account using GitHub Actions and Federated Authentication. This approach can help manage resources effectively and reduce costs by ensuring the SFTP server is only running when needed.
Create Azure Federated Authentication via GitHub Actions
Federated authentication (workload identity federation) lets Azure trust tokens issued by an external identity provider, here GitHub's OIDC issuer, instead of a secret you hold. The workflow asks GitHub for a short-lived OIDC token, presents it to Azure, and Azure exchanges it for an Azure access token only if the token's issuer and subject claims match a federated credential configured on the service principal. The security gain is concrete: no client secret or certificate is stored in GitHub, so there is nothing to leak or rotate, and the credential is bound to one repository and branch rather than to anyone who can read a repository secret.
Create a service principal for the workflow to use. On the CLI, run the following command, replacing the subscription ID with your own:
az ad sp create-for-rbac --name "AutomateSFTP" --role contributor --scopes /subscriptions/{subscription-id}
Two things to be aware of with this command. First, it grants Contributor over the whole subscription, which is far more than the job needs: toggling SFTP only requires write access to the storage account itself, so prefer the role "Storage Account Contributor" with the scope set to the storage account (or at most its resource group). Second, az ad sp create-for-rbac also generates a client secret. With federated credentials that secret is never used, so delete it from the app registration's Certificates & secrets page, or create the identity with az ad app create followed by az ad sp create so that no secret exists in the first place.
Once the service principal exists, open its app registration in the Azure portal, go to Certificates & secrets, then Federated credentials, and add a new credential. Select the "GitHub Actions deploying Azure resources" scenario and fill in your GitHub organisation and repository. For this example I have selected the entity type Branch with the branch name main. The entity does not control when the workflow runs; it sets the subject claim that Azure will accept, which for a branch is repo:{org}/{repo}:ref:refs/heads/main. Tokens minted for a push to main, for a scheduled run (scheduled workflows always execute on the default branch) or for a manual run on main carry that subject and are accepted; a token from a pull_request event carries a different subject (repo:{org}/{repo}:pull_request) and is refused, so trigger the workflow on push or schedule rather than on pull_request. Click Add to create the federated credential.
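The same setup can be done without the portal and without ever creating a client secret. The script below is an added example, not code from the original post or its repository: it builds the exact subject claim the federated credential must match, scopes the role assignment to one storage account instead of the subscription, and creates the app registration, service principal and federated credential with the az CLI. The organisation, repository, subscription, resource group and storage account names are hypothetical placeholders; override them with environment variables. Run it with no arguments to print the planned subject and scope, and with apply to talk to Azure.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): create the GitHub -> Azure
# trust from the CLI with no client secret, and scope the role assignment
# to the single storage account the workflow toggles.
# Hypothetical placeholders: my-org, blog-example, rg-sftp, stsftpdemo and
# the subscription ID below.
set -eu

GITHUB_ORG="${GITHUB_ORG:-my-org}"
GITHUB_REPO="${GITHUB_REPO:-blog-example}"
BRANCH="${BRANCH:-main}"
APP_NAME="${APP_NAME:-AutomateSFTP}"
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"
RESOURCE_GROUP="${RESOURCE_GROUP:-rg-sftp}"
STORAGE_ACCOUNT="${STORAGE_ACCOUNT:-stsftpdemo}"

# The `sub` claim GitHub puts in the OIDC token for a job running on a branch.
# Azure compares it exactly against the federated credential's subject, so a
# token from a pull_request event (repo:ORG/REPO:pull_request) or from any
# other branch is rejected at login time.
github_branch_subject() {
  printf 'repo:%s/%s:ref:refs/heads/%s' "$1" "$2" "$3"
}

# Body for `az ad app federated-credential create --parameters`. The issuer
# and audience are the fixed values GitHub Actions uses.
federated_credential_json() {
  printf '{"name":"%s","issuer":"https://token.actions.githubusercontent.com","subject":"%s","audiences":["api://AzureADTokenExchange"]}' "$1" "$2"
}

# Narrowest scope that still lets the workflow flip the SFTP setting.
storage_account_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s' "$1" "$2" "$3"
}

apply() {
  local subject scope app_id sp_id
  subject=$(github_branch_subject "$GITHUB_ORG" "$GITHUB_REPO" "$BRANCH")
  scope=$(storage_account_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$STORAGE_ACCOUNT")

  # App registration + service principal, without the password that
  # `az ad sp create-for-rbac` would also generate.
  app_id=$(az ad app create --display-name "$APP_NAME" --query appId -o tsv)
  az ad sp create --id "$app_id" >/dev/null
  sp_id=$(az ad sp show --id "$app_id" --query id -o tsv)

  az role assignment create \
    --assignee-object-id "$sp_id" \
    --assignee-principal-type ServicePrincipal \
    --role "Storage Account Contributor" \
    --scope "$scope" >/dev/null

  az ad app federated-credential create \
    --id "$app_id" \
    --parameters "$(federated_credential_json "github-${BRANCH}" "$subject")"

  # These three values go into the workflow; none of them is a secret.
  echo "AZURE_CLIENT_ID=$app_id"
  echo "AZURE_TENANT_ID=$(az account show --query tenantId -o tsv)"
  echo "AZURE_SUBSCRIPTION_ID=$SUBSCRIPTION_ID"
}

# Only talk to Azure when explicitly asked; otherwise just print the plan.
case "${1:-plan}" in
  apply) apply ;;
  plan)
    echo "subject: $(github_branch_subject "$GITHUB_ORG" "$GITHUB_REPO" "$BRANCH")"
    echo "scope:   $(storage_account_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$STORAGE_ACCOUNT")"
    ;;
  *) echo "usage: $0 [plan|apply]" >&2; exit 2 ;;
esac
```

The subject string is the part people most often get wrong: a trailing slash, a different casing of the organisation name, or a branch other than the one the workflow actually runs on all produce an AADSTS error at the login step with no further hint, so print it and compare it with the sub claim GitHub shows in the workflow's debug log before filing a ticket.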
Create a bash script to start or stop the SFTP server
The next step is a bash script that starts or stops the SFTP endpoint. GitHub Actions runs it on every push to the main branch and on the scheduled run. The script checks the account's current state first, so enabling an endpoint that is already enabled (or disabling one that is already disabled) is a no-op rather than a failure; that idempotency matters because the scheduled run fires whether or not anything has changed since the last run.
Create a new file called "enable_sftp.sh" in your repository and add the following contents. Note that for this script to work, the storage account must carry the tag autoShutdown = true (the script uses the tag to find the accounts it is allowed to touch, so an account without it is never modified) and SFTP must be available on the account.
SFTP on Azure Blob Storage requires the hierarchical namespace, so if the SFTP option is missing you need to upgrade the account to Data Lake Storage Gen2. Bear in mind that soft delete must be disabled on the storage account before the upgrade, and that the upgrade is one-way.
enable_sftp_storage_account: https://github.com/NickAzureDevops/blog-example/blob/main/automate-sftp-storage-account/scripts/enable_sftp.sh
disable_sftp_storage_account: https://github.com/NickAzureDevops/blog-example/blob/main/automate-sftp-storage-account/scripts/disable_sftp.sh
Before the workflow can run the scripts, make them executable (Git tracks the executable bit, so commit it as well). You can do this by running the following command:
chmod +x ./enable_sftp.sh ./disable_sftp.sh
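Below is an added example that is not the post's enable_sftp.sh or disable_sftp.sh; it generalises the two scripts into one, with the direction passed as an argument. It selects accounts by the autoShutdown=true tag with a JMESPath filter, reads the current SFTP state, and only calls az storage account update when the state actually has to change. The property name isSftpEnabled is an assumption about the az CLI output and should be checked against az storage account show on your own account; the account and resource group names in the test are constructed. Set DRY_RUN=1 to print the commands instead of running them.

```shell
#!/usr/bin/env bash
# Added example, not the post's enable_sftp.sh / disable_sftp.sh: one script
# for both directions that acts only on accounts tagged autoShutdown=true
# and skips accounts already in the requested state.
# Assumption to verify against your own `az storage account show` output:
# the SFTP flag is reported as isSftpEnabled.
set -eu

DRY_RUN="${DRY_RUN:-0}"

# az -o tsv prints booleans as True/False and missing properties as empty,
# so normalise before comparing.
normalize_bool() {
  case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
    true) echo true ;;
    false|""|none|null) echo false ;;
    *) echo "unrecognised boolean '$1'" >&2; return 1 ;;
  esac
}

# Decide whether an account needs a change: prints enable, disable or noop.
plan_action() {
  local desired="$1" current="$2"
  case "$desired:$current" in
    enable:true|disable:false) echo noop ;;
    enable:false) echo enable ;;
    disable:true) echo disable ;;
    *) echo "unexpected state '$current' for action '$desired'" >&2; return 1 ;;
  esac
}

# The az command that applies an action; printed under DRY_RUN, run otherwise.
update_command() {
  local name="$1" rg="$2" action="$3" flag
  case "$action" in
    enable) flag=true ;;
    disable) flag=false ;;
    *) return 1 ;;
  esac
  printf 'az storage account update --name %s --resource-group %s --enable-sftp %s' "$name" "$rg" "$flag"
}

# name<TAB>resourceGroup<TAB>isSftpEnabled for every account opted in by tag.
# Accounts without the tag are never listed, so they can never be touched.
list_tagged_accounts() {
  az storage account list \
    --query "[?tags.autoShutdown=='true'].[name,resourceGroup,isSftpEnabled]" \
    -o tsv
}

run() {
  local desired="$1" tab name rg state action cmd
  tab=$(printf '\t')
  list_tagged_accounts | while IFS="$tab" read -r name rg state; do
    state=$(normalize_bool "$state")
    action=$(plan_action "$desired" "$state")
    if [ "$action" = noop ]; then
      echo "$name: SFTP already in the requested state, skipping"
      continue
    fi
    cmd=$(update_command "$name" "$rg" "$action")
    if [ "$DRY_RUN" = 1 ]; then
      echo "[dry-run] $cmd"
    else
      echo "$name: $action SFTP"
      $cmd >/dev/null
    fi
  done
}

case "${1:-}" in
  enable|disable) run "$1" ;;
  "") ;;   # no argument: define the functions only (sourcing / testing)
  *) echo "usage: $0 enable|disable" >&2; exit 2 ;;
esac
```

Because the role assignment from the previous section is scoped to a single storage account, az storage account list will only return the accounts the identity can read; an account that is tagged but outside the scope simply never appears, which is the behaviour you want from a least-privilege setup.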
Set up GitHub Actions
The final step is a GitHub Actions workflow that runs the scripts. Create a new file called "main.yml" in the ".github/workflows" folder and add a workflow along the lines of the one described next.
The workflow runs when a pull request is merged into the main branch (GitHub delivers the merge as a push to main) and on a cron schedule every day at 8 p.m., which you can change to suit your needs; note that GitHub evaluates cron expressions in UTC. On each run it works out from the trigger which script to run, logs in to Azure with azure/login using the federated credential, and runs the script. The job must request the permission id-token: write, otherwise the login step cannot obtain an OIDC token from GitHub and the federated login fails. If the script succeeds the workflow commits the changes to the branch and pushes them back to GitHub; that step additionally needs contents: write. The only Azure values the workflow holds are the client ID, tenant ID and subscription ID, none of which is a secret.
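The workflow below is an added example, not the main.yml from the original post or its repository. It assumes the script paths from the linked repository, that the client, tenant and subscription IDs are stored as repository secrets named AZURE_CLIENT_ID, AZURE_TENANT_ID and AZURE_SUBSCRIPTION_ID, and that a push to main enables SFTP while the 8 p.m. schedule disables it (the mapping is an assumption; change the case statement if yours differs). A manual workflow_dispatch trigger is added with a constrained choice input so the value can never carry a shell injection, and every GitHub-supplied value reaches the shell through an environment variable rather than by template interpolation.

```yaml
name: sftp-start-stop

on:
  push:
    branches: [main]          # a merged pull request arrives here as a push
  schedule:
    - cron: "0 20 * * *"      # GitHub cron is UTC; adjust for your timezone
  workflow_dispatch:
    inputs:
      action:
        description: Enable or disable SFTP on the tagged storage accounts
        type: choice
        options: [enable, disable]
        default: disable

permissions:
  id-token: write             # lets azure/login request the OIDC token
  contents: read              # raise to write only if you keep the commit-back step

jobs:
  sftp:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # OIDC login: no client secret anywhere in the repository.
      - uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      - name: Pick the action for this trigger
        id: pick
        env:
          REQUESTED: ${{ inputs.action }}   # empty unless workflow_dispatch
        run: |
          case "$GITHUB_EVENT_NAME" in
            schedule)          action=disable ;;
            workflow_dispatch) action="$REQUESTED" ;;
            *)                 action=enable ;;
          esac
          echo "action=$action" >> "$GITHUB_OUTPUT"

      - name: Toggle SFTP
        env:
          ACTION: ${{ steps.pick.outputs.action }}
        run: |
          chmod +x ./automate-sftp-storage-account/scripts/*.sh
          "./automate-sftp-storage-account/scripts/${ACTION}_sftp.sh"
```

All three triggers produce an OIDC token whose subject is repo:{org}/{repo}:ref:refs/heads/main, because scheduled and manual runs execute on the default branch, so the single branch-type federated credential created earlier covers them. Two operational caveats: scheduled runs can be delayed under load, so treat 8 p.m. as the earliest shutdown time, and GitHub disables scheduled workflows in repositories with no activity for 60 days, after which the SFTP endpoint would silently stay up.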
Conclusion
In this blog post, I have explored how to automate the process of starting and stopping an SFTP server in an Azure Storage Account using GitHub Actions and Federated Authentication. This approach can help manage resources effectively and reduce costs by ensuring the SFTP server is only running when needed.