Import files from SFTP servers
🤖/sftp/import imports whole libraries of files from your SFTP servers into Transloadit. This Robot relies on public key authentication.
Note: Transloadit supports file sizes up to 200 GB. If you require a higher limit for your application, please get in touch.
Usage example
Import files from the path/to/files directory and its subdirectories:
{
  "steps": {
    "imported": {
      "robot": "/sftp/import",
      "credentials": "YOUR_SFTP_CREDENTIALS",
      "path": "path/to/files/"
    }
  }
}
Parameters
- ignore_errors
  Array of Strings / Boolean ⋅ default: []
  Possible array members are "meta" and "import".
  You might see an error when trying to extract metadata from your imported files. This happens, for example, for files with a size of zero bytes. Including "meta" in the array will cause the Robot to not stop the import (and the entire Assembly) when that happens.
  Including "import" in the array will ensure the Robot does not cease to function on any import errors either.
  To keep backwards compatibility, setting this parameter to true will set it to ["meta", "import"] internally.
- credentials
  String ⋅ required
  Please create your associated Template Credentials in your Transloadit account and use the name of your Template Credentials as this parameter's value. They will contain the values for your SFTP host, user and optional custom public key.
  While we recommend using Template Credentials at all times, some use cases demand dynamic credentials for which using Template Credentials is too unwieldy because of their static nature. If you have this requirement, feel free to use the following parameters instead: "host", "port", "user", "public_key" (optional).
- path
  String ⋅ required
  The path on your SFTP server where to search for files.
- port
  Integer ⋅ default: 22
  The port to use for the connection.
Things to keep in mind
- Your server might be unresponsive from time to time. Since (S)FTP servers are harder to scale, we see this happen a lot. As a result, if this Robot fails to store one of your files, it will retry to store the file 5 times over 15 minutes.
- This also means that if you provide the wrong credentials (when testing, for example), Assemblies can take up to 15 minutes to complete.
- If an Assembly has an export Step and takes a long time to execute, it is almost always due to the export Step having wrong credentials or the server being unreachable.
This Robot uses SSH keys, which offer more security at the cost of a moderately more complex setup. If you prefer a less secure but easier-to-set-up solution, then please have a look at 🤖/ftp/store and 🤖/ftp/import.
Installation on your server
The method explained here is slightly more elaborate than handing out an SSH account with an authorized public key, but it is more secure because the user will not be able to traverse outside their home directory. This way, even if the user account is compromised at some point, the only accessible data would be recently uploaded files.
The following explains how to create a dedicated user and group for Transloadit, and restrict access as shown in this article.
First, let's create a dedicated group and user:
# Change these variables to suit your needs.
# For additional security, use a randomly picked username.
TL_USER="random873"
TL_PUBLIC_PATH="uploads"

# Dedicated group and user; the group is what sshd_config matches on later.
groupadd sftponly
useradd -g sftponly -m "${TL_USER}"

# This line sets a random 20-character password for the user.
# We work with keys, but this is required because some operating systems will
# consider the account locked without one.
echo "${TL_USER}:$(cat /dev/urandom | tr -dc _A-Z-a-z-0-9 | head -c20)" | chpasswd

# Create the key directory and the upload directory, then authorize the public key.
mkdir -p "/home/${TL_USER}/.ssh" "/home/${TL_USER}/${TL_PUBLIC_PATH}"
echo "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA57GdwNLqsWz03X8MBEe4KoMSY2HOURjnUUe9zeTivASI+BLEe3cZcuJjsEBaRpISvCH04hosWUI0H4BQeB1dZZUUW1s4ttnVohCD9CfNiXJ7pwJAvgWb01dTW4YUWFKUTpTeUwQzgcNVLDtSVaQOYh4lAKvCZEcz17X9iZ7AeSEuQKe+QsrcwQoBdSpQ6FnzKwSZsggK81dPiGIW9Cw2z/EZWJpl9QBTYhw25NbNRtZj3fXVbrejnQQ985eZ6TlrvQFpUVwyk0QNHDsN+7zVISM3eXNpxof+vJyQNDLN9tb8vNPf/HXuw7MDJWMphrQevF5V26aMzszl3ZeO1779Mw== sftp@transloadit.com" >> /home/${TL_USER}/.ssh/authorized_keys
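# Hand the contents to the SFTP user, but keep the home directory itself owned
# by root: sshd only accepts a ChrootDirectory that is root-owned and not
# writable by group or others.
chown -R "${TL_USER}:sftponly" "/home/${TL_USER}"
chown root:root "/home/${TL_USER}"
# Everything becomes 600; the capital X then restores the owner's search bit on directories only.
chmod -R 600 "/home/${TL_USER}/.ssh" "/home/${TL_USER}/${TL_PUBLIC_PATH}"
chmod -R u+X "/home/${TL_USER}/.ssh" "/home/${TL_USER}/${TL_PUBLIC_PATH}"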
Make sure to change ${TL_USER} and ${TL_PUBLIC_PATH} to suit your needs. Remember to use a random username for additional security.
Please also give the subfolder where you intend to store your files sufficient permissions for your user to be able to create sub-directories via mkdir. A combination of chown and chmod should achieve this.
Next, we will set up SSH to cage SFTP users in their home directory, and deny them regular shell access.
Enter ${EDITOR} /etc/ssh/sshd_config, and then find and comment out this line:
# Subsystem sftp /usr/lib/openssh/sftp-server
At the bottom of the same file, add the following:
Subsystem sftp internal-sftp

Match group sftponly
    ChrootDirectory /home/%u
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
Finally, enter /etc/init.d/ssh restart to reflect the changes made.
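The following is an added example, not code from Transloadit: a shell audit of the setup above. It reports which of the four Match group settings are missing from a config file and whether a directory meets sshd's ownership and permission rules for ChrootDirectory. The function names missing_cage_settings and chroot_dir_problems and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Transloadit's code): audit the SFTP cage described above.
# Simplifications: whitespace-separated "Keyword value" lines, and a Match
# line that names exactly one group.

# Print every cage setting missing from the "Match group GROUP" block of CONFIG.
missing_cage_settings() {  # usage: missing_cage_settings CONFIG GROUP
    awk -v group="$2" '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        {
            key = tolower($1)                    # keywords are case-insensitive
            if (key == "match") {                # a block ends at the next Match
                inblock = (tolower($2) == "group" && $3 == group)
                next
            }
            if (inblock && !(key in first)) {    # sshd uses the first value it sees
                val = $2
                for (i = 3; i <= NF; i++) val = val " " $i
                first[key] = val
            }
        }
        END {
            if (first["chrootdirectory"] == "" || first["chrootdirectory"] == "none")
                print "ChrootDirectory"
            if (first["forcecommand"] !~ /^internal-sftp( |$)/)
                print "ForceCommand internal-sftp"
            if (first["allowtcpforwarding"] != "no") print "AllowTcpForwarding no"
            if (first["x11forwarding"] != "no")      print "X11Forwarding no"
        }
    ' "$1"
}

# Print the reasons sshd would refuse DIR as a ChrootDirectory.
# sshd applies the same rule to every parent directory of DIR as well.
chroot_dir_problems() {  # usage: chroot_dir_problems DIR
    set -- $(ls -ldn "$1")                       # $1 = mode string, $3 = owner uid
    [ "$3" = "0" ] || echo "not owned by root"
    case "$1" in
        ?????w*|????????w*) echo "writable by group or others" ;;
    esac
}

# Constructed sample: this block forgets ForceCommand, so one line is printed.
missing_cage_settings - sftponly <<'EOF'
Match group sftponly
    ChrootDirectory /home/%u
    X11Forwarding no
    AllowTcpForwarding no
EOF
```

On the server, call missing_cage_settings /etc/ssh/sshd_config sftponly and chroot_dir_problems on the user's home directory; empty output means no problem was found. Running sshd -t additionally checks the configuration file for syntax errors before you restart.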