Azure Storage Account sFTP configuration with "Use existing key stored in Azure Key Vault" the subsequent drop down is empty?

Question

Azure Storage Account sFTP configuration with "Use existing key stored in Azure Key Vault" the subsequent drop down is empty?

Administrator Deepak Shaw 0

While configuring SFTP on an Azure Storage Account, I selected the “Use existing key stored in Azure Key Vault” option to authenticate a local user. However, the dropdown list for selecting the key remains empty, despite having an SSH public key stored in the Key Vault.

I’ve verified that:

The SSH public key is stored as a secret in the correct Key Vault.

The key is in valid OpenSSH format (e.g., ssh-rsa ...).

I have checked the necessary RBAC permissions on the Key Vault (Key Vault Secrets User role).

Could you please advise on any additional settings or requirements needed to populate the key selection drop down?

Please refer to the attached screenshot for clarity:

Looking forward for your solution.

Thanks,

Deepak Shaw

Nandamuri Pranay Teja 1,850 Reputation points Microsoft External Staff

2025-04-10T06:32:18.7066667+00:00
Hello Deepak Shaw

I understand that you're you are experiencing difficulties with the SFTP configuration on your Azure Storage Account, despite having undertaken several significant troubleshooting measures.

Please be informed that the Azure Storage Account requires specific permissions to access the Key Vault. While the "Key Vault Secrets User" role assigned to your user account is significant, it is the managed identity of the Storage Account that is utilized during the SFTP configuration process.

Navigate to your Azure Key Vault.

Go to "Access policies."

Click "Add Access Policy."

Under "Secret permissions," ensure that the service principal or managed identity used by the Azure Storage Account has the "Get" permission.

For testing, if you are unsure which identity is used, you can add your user account with the get permission. But it is recommended to use managed identities.

If your Key Vault is subject to network restrictions, such as firewall or virtual network rules, access to it may be denied for the Storage Account Go to "Networking" under "Security + networking. "Ensure that either "Allow public access from all networks" is selected or that your Storage Account's network is allowed. If you are using private endpoints, make sure that the storage account can resolve the key vault's private endpoint. If using private endpoints, ensure the private DNS zone is configured correctly.

Although the OpenSSH format for the secret value is accurate, the content type of the Key Vault secret may be leading to complications. Review the secret stored in the Key Vault and check its content type. If it is either missing or incorrect, make the necessary updates. You can modify the content type through the portal.

While it is not an absolute necessity, it is typically advisable for both the Storage Account and Key Vault to reside in the same Azure region verify that both resources are in the same region.

Coming to RBAC & Key vault changes.

The Changes to RBAC permissions or Key Vault settings might take a few minutes to propagate. Wait for a few minutes and try refreshing the SFTP configuration page.

Note- Ensure that the managed identity for the Storage Account is activated and possesses the "Get" secret permission for the Key Vault. Ensure there are no network restrictions preventing the Storage Account from accessing the Key Vault. Post which checks both resources are in the same region and Refresh the SFTP configuration page after making any changes.

Hope the above answer helps! Please let us know do you have any further queries.

Please do not forget to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
Nandamuri Pranay Teja 1,850 Reputation points Microsoft External Staff

2025-04-11T04:30:21.25+00:00

Hello Deepak Shaw

I wanted to follow up and see if the given answer was helpful. If this resolves your issue, please click "Up-Vote" for it, which could help other community members who read this thread. And, if you have any more questions, please let us know.

1 answer

Your answer

Nandamuri Pranay Teja 1,850 Reputation points Microsoft External Staff

2025-04-11T04:30:21.25+00:00

Hello Deepak Shaw

I wanted to follow up and see if the given answer was helpful. If this resolves your issue, please click "Up-Vote" for it, which could help other community members who read this thread. And, if you have any more questions, please let us know.

Answer 1

Venkatesan S 1,550 Microsoft External Staff

Hi @Administrator Deepak Shaw

Could you please advise on any additional settings or requirements needed to populate the key selection dropdown?

According to this MS-Document,

No, you can't authenticate with Azure Key Vault when creating an Azure SFTP local user.

First create SSH key from Azure portal through this MS-Document.

Once you've created the SSH key through the Azure portal, you will now be able to see the key under Use existing key stored in Azure.

Portal: enter image description here

Hope this answer helps! please let us know if you have any further queries. I’m happy to assist you further.

Please do not forget to "Accept the answer” and "Yes" for was this answer helpful. this can be beneficial to other community members.

Venkatesan S 1,550 Reputation points Microsoft External Staff

2025-04-15T03:35:10.0866667+00:00

Administrator Deepak Shaw
Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Deepak Kumar Shaw 1 Reputation point

2025-04-15T23:20:42.76+00:00

Thanks, your solution worked for me.
Venkatesan S 1,550 Reputation points Microsoft External Staff

2025-04-16T03:47:22.33+00:00

Deepak Kumar Shaw
Please "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Share via

Azure Storage Account sFTP configuration with "Use existing key stored in Azure Key Vault" the subsequent drop down is empty?

1 answer

Your answer