Today, I found myself in need of an automated SFTP connection that would reach out to one of our partners, download a file, and then dump it in to a Data Lake for further processing. This meant that I would need to store a private in Azure Key Vault for use in a Logic App. While this was mainly a straightforward process, there was a small hiccup that we encountered and wanted to pass along.
First, we went ahead and generated a public/private key pair using:
ssh-keygen -t rsa -b 4096
where rsa
is the algorithm and 4096
is the length of the key in bits. We avoided the ec25519
and ecdsa
algorithms as our partner does not support elliptic-curve cryptography. As this command was run on a Mac laptop which already has it’s own ~/.ssh/id_rsa[.pub]
key pair, we chose a new filename and location /tmp/sftp
to temporarily store this new pair.
The problem arose when we tried to insert the private key data into Key Vault as a secret: the Azure portal does not support multi-line secret entry, resulting in a non-standard and ultimately broken key entry.
The solution was to use the Azure CLI to upload the contents of the private key by doing:
az keyvault secret set --vault-name sftp-keyvault -n private-key -f '/tmp/sftp'
This uploaded the file correctly to the secret titled private-key
, which means that we can now add a Key Vault action in our Logic App to pull the secret, without having to leave the key in plain view, and then use it as the data source for the private key field in SFTP - Copy File
action.
As an aside, we also created a new secret called public-key
and uploaded a copy of sftp.pub
just so that 6 months from now if we need to recall a copy of it to send to another partner, it’s there for us to grab.