Microsoft Power Automate (Flow): SFTP Connector Tips

Title image of Flow, PowerAutomate and SFTP (SFTP-SSH) connector logos

All product names, logos, and brands used in this post are property of their respective owners.

As of late 2019, the original Flow SFTP connector is deprecated in favor of the new Power Automate SFTP - SSH connector. There are configuration and functional differences between the old and new connectors. This post was revised in late 2019 to reflect and capture the changes.

The SFTP - SSH connector in Microsoft Power Automate (Flow) has quickly become my personal favorite. It is quite robust - I am most pleased with its support of SSH key-based authentication and SSH/SFTP ports besides 22 (the default). In light of this, I wanted to share some of my findings in hopes they will be of value to someone else.

Quick tips

Read on for more detailed information about these tips - they apply to the SFTP - SSH connector:

  • Ensure you are using the correct credentials
  • Ensure PowerAutomate can resolve your SFTP server’s hostname using DNS
  • Allow MS Power Automate’s (Flow’s) source IP addresses (Connectors section) through your firewall
  • Ensure your private key is PEM (OpenSSH) formatted (and NOT PuTTY Private Key File / .ppk formatted)
  • If using SSH host key fingerprint validation, ensure the finger print is formatted properly (MD5)

Error messages and meanings

The “SFTP - SSH” connector (in my experience) does not provide incredibly meaningful error messages in the user interface (although this is improving over time). It generally throws a single error message when creating new SFTP connections if something is amiss.

The general SFTP connector error:

Test connection failed. Details: BadGateway

Thanks to an incredible tip from ScottB, I recently learned that additional details about the generic “Test connection failed. Details: BadGateway” error are available in the asynchronous HTTP conversation between the PowerAutomate web front end (UI) and backend.

To view the more detailed error messages, you can do the following:

  1. Download and install the free Fiddler Web Debugging Proxy by Telerik (one of my favorite tools)

  2. Close all browsers and other applications, then run Fiddler

  3. Under the Tools menu, select Options and the HTTPS tab

  4. Configure the “Decrypt HTTPS traffic” option as follows (accepting the prompts to install the Fiddler certificate)

Screenshot of required Fiddler HTTPS decryption settings - “Decrypt HTTPS traffic”

  1. Browse to your flow in PowerAutomate and add/update your SFTP - SSH connector, reproducing the “BadGateway” message

  2. Review the HTTP trace in Fiddler and look for failures (usually HTTP 400, 502, or 504 errors) - select the failed request, then click Inspectors and JSON in the response section - this will reveal a more detailed error message

Screenshot of Fiddler trace containing failed PowerAutomate SFTP request and detailed error message under Inspectors -> JSON

In this post, I’ve detailed some of the possible causes of the generic message and the more specific error messages that can be captured with a Fiddler trace. I have also added an appendix to the end of this post with the legacy Flow “SFTP” connector error messages and causes.

Credential issues

Symptoms of Flow being unable to access your SFTP server due to a bad username or password include the following error message in an HTTP trace:

message=Permission denied (password).

If you encounter this message, ensure your credentials are correct.

DNS (name resolution) issues

Symptoms of Flow being unable to access your SFTP server due to a failed hostname lookup (DNS) include the following error message in an HTTP trace:

message=No such host is known

If you encounter this message, ensure your SFTP server hostname is correct and has fully propagated in public DNS (or use an IP address instead).

Firewall issues (allow IPs and IP ranges)

If you allow open access to your server via port 22, this may not concern you. However, if you restrict SSH or SFTP access via software (i.e. iptables) or hardware firewall, read on.

Symptoms of Flow being unable to access your server due to a firewall issue include the following error message in an HTTP trace:

message=A connection attempt failed because the
connected party did not properly respond after a period
of time, or established connection failed because
connected host has failed to respond

MS Power Automate’s (Flow’s) source IP addresses are documented in a post entitled Limits and configuration in Power Automate. Review the addresses and IP ranges under Connectors and ensure your firewall rules are up to date.

The source addresses change over time. Ideally, there would be a way to obtain these IP ranges programmatically (via web service - like this for O365). As of December 2019, that is not the case. My only advice is to use a service like ChangeTower to monitor for changes to the Limits and configuration in Power Automate page and manually update your firewall when Microsoft updates the IP list. Or, submit a User Voice idea and recommend that PowerAutomate/Flow be added to the Office 365 IP Address and URL web service.

SSH Key Authentication

If you are familiar with SSH key authentication, configuring this in MS Power Automate (Flow) is relatively easy. The only caveat I discovered is that the private key you paste into the Power Automate interface must be PEM formatted (OpenSSH). This is a contrast to the deprecated “SFTP” connector which required a PuTTY Private Key File (.ppk) formatted key.

Consider the following if you receive this detailed error in an HTTP trace:

message=Permission denied (publickey).

Ensure your key is in fact PEM/OpenSSH formatted and paste that into the SSH private key field in your flow. Even though the SSH private key field appears to be a single line of text, it will accept the entire PEM formatted private key:

MS Power Automate (Flow) SSH private key field on SFTP connection, with example key pasted

The following are truncated (…) examples of OpenSSH formatted (PEM) SSH-2 private key which WILL work in Microsoft Power Automate (Flow) with the “SFTP - SSH” connector:

DSA private key, no passphrase

-----BEGIN DSA PRIVATE KEY-----
MIIBuwIBAAKBgQDc9i6f4x4Xw8/ZOb0AUqRd/Wb8PKrjvywHyPtP445a4RIxcU7a
.
.
.
-----END DSA PRIVATE KEY-----

DSA private key, with passphrase

-----BEGIN DSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,4FE4ED2732CEBC1E7674936B31D1097B

RlTNQXX/PTngIMyyXOgD3WZ38lFxgi+cVBO9eclYZsHuc28dMTae4xkza2FkPst8
.
.
.
-----END DSA PRIVATE KEY-----

RSA private key, no passphrase

-----BEGIN RSA PRIVATE KEY-----
MIIEpgIBAAKCAQEA0hmlr0tjRj3XG6O1nhrUecyor7c0hImWgeCaFqkXoCKX4jDd
.
.
.
-----END RSA PRIVATE KEY-----

RSA private key, with passphrase

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00F5C6BA7EF2F0B51399EBB39C9E3A8C

QJMIm4Lfm3xeBwY6bMPt2UVnLyDdHeBvmpn7gLplowK4m/0q5oOKXd3IVg6skInB
.
.
.
-----END RSA PRIVATE KEY-----

ECDSA private key, no passphrase

-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIAWQPfv0gTZAgNCd7vWM9Fxp/ameRjFGEgbGf/urIvQCoAoGCCqGSM49
.
.
.
-----END EC PRIVATE KEY-----

ECDSA private key, with passphrase

-----BEGIN EC PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,9BBF5A4BBD0D30FB8625CB3D7F4F7E25

V65imHuCjBKf6s2wSvqTMefSZgNRMzSDI+3/mHVJmM1aSYjIDpo3MLCW2D4DjZak
.
.
.
-----END EC PRIVATE KEY-----

The following is an (example) PuTTY formatted private key which WILL NOT work in Power Automate (Flow) with the “SFTP - SSH” connector:

PuTTY (PPK) private key

PuTTY-User-Key-File-2: ssh-rsa
Encryption: none
Comment: imported-openssh-key
Public-Lines: 6
AAAAB3NzaC1yc2EAAAABIwAAAQEApnzCa10mgFV8F6Fe+i7FItcer/OcY/pXUia8
.
.
.
Private-Lines: 14
AAABAQCAbt8fn6Fbr6jfB3UnZeiIl1Iv9nFUcKnDB/DPT7SR7x32EHOZyhsELWtL
.
.
.
Private-MAC: 9030568136067ba5f327ba6652452f217f19770d

If you are using a pass-phrase with your SSH key, the following message indicates a pass phrase specific issue:

message=Invalid data type, INTEGER(02) is expected, but was 9D

Resume Capability and its Functionality

This is leftover from the deprecated Flow “SFTP” connector (which was based on WinSCP). The new “SFTP - SSH” connector in Power Automate no longer relies on WinSCP and as such, no longer offers “resume capability.”

SSH Host Key Finger-print Validation

If you leave SSH host key finger-print validation enabled (recommended), ensure you provide the SSH Host Key Finger-print in the correct MD5 format. An incorrectly formatted host key fingerprint will generate this error when creating a connection:

Test connection failed.
Details: The provided SSH host key finger-print format
is not supported. It must be in 'MD5' format.

There are a plethora of ways to obtain your server’s host key fingerprint. Since I use WinSCP for other tasks, that is my method of choice. Connect to your server using WinSCP, then open the Session menu and select the Server/Protocol Information item.

Copy/paste the value displayed:

WinSCP session information, including SSH host key fingerprint

For the ssh-rsa algorithm:

CORRECT (example):

52:cc:ce:7d:91:80:52:61:d6:23:a8:2a:35:55:ab:bd

INCORRECT (example):

ssh-rsa 2048 52:cc:ce:7d:91:80:52:61:d6:23:a8:2a:35:55:ab:bd

If the finger-print you supply is simply incorrect (does not match the destination host’s fingerprint), the following error is thrown by the Power Automate (Flow) “SFTP - SSH” connector:

Test connection failed.
Details: Key exchange negotiation failed.

The detailed error message (from a Fiddler trace) is as follows:

message=Key exchange negotiation failed.

Appendix: legacy “SFTP” connector error messages and causes

The deprecated “SFTP” connector threw a variety of error messages, depending on the situation. Those are captured below for history’s sake. Note that these error messages DO NOT apply to the “SFTP - SSH” connector in Power Automate.

Flow/Power Automate unable to access your SFTP server due to a firewall issue:

Please check your account info and/or permissions and try again.
Details: Unable to connect to the remote server '...'.
Unable to connect to the remote server '...'. clientRequestId:...

Flow/Power Automate unable to access your SFTP server due to an SSH key or format issue:

Please check your account info and/or permissions and try again.
Details: Invalid SSH private key provided.
Invalid SSH private key provided. clientRequestId ...

Flow/Power Automate unable to access your SFTP server due to a host key fingerprint issue:

Please check your account info and/or permissions and try again.
Details: SSH host key fingerprint
'...' doesn't match the original one '...'.