SFTP to Google Cloud Storage: Auto-Upload to GCS

To send SFTP uploads to Google Cloud Storage automatically, point any SFTP, FTPS or FTP client at FTPasHTTPS and configure a GCS forward target. Every file a client uploads streams straight into your bucket as the object is written — the bytes never touch disk and you run no SFTP server, cron job or Cloud Function. Google's object write either succeeds, giving the client 226 Transfer complete, or fails and the client is told to retry.

The usual way to land partner files in a GCS bucket is to run an SFTP server, write each incoming file to a local volume, then poll that directory with a cron job or a Cloud Function that copies the file into the bucket and deletes the original. That is three things to patch, monitor and secure — plus a window where partner data sits unencrypted on a disk. FTPasHTTPS folds the whole pipeline into one streaming hop: the SFTP upload becomes the GCS object write directly, with nothing staged in between.

How SFTP-to-GCS forwarding works

A client connects over SFTP (SSH key auth), FTPS or FTP and runs a STOR (upload) command.
FTPasHTTPS opens a streaming object write to your Google Cloud Storage bucket and pipes the incoming bytes straight into it.
The object name is templated from the filename, username and timestamp, so every upload lands at a predictable, partitioned path.
When GCS finalizes the object, the client receives 226 Transfer complete. A storage error maps to 451 Action aborted so the client knows to retry.
Every transfer is written to the audit log; failures retry with exponential backoff and fall back to a dead-letter queue.

Configuration + example

A GCS forward target on a server is a small JSON config. You supply the bucket, its location, an object-name template, and a credential — either a scoped service account JSON key or a Cloud Storage HMAC key:

# GCS forward target for an SFTP server
{
  "protocol": "sftp",
  "auth": { "type": "ssh-key" },
  "forward": {
    "type": "gcs",
    "bucket": "acme-partner-dropbox",
    "location": "europe-west1",
    "objectNameTemplate": "inbound/{username}/{date}/{filename}",
    "credentials": {
      "type": "service-account",
      "key": "${GCP_SERVICE_ACCOUNT_JSON}"
    },
    "storageClass": "NEARLINE"
  }
}

A vendor then uploads exactly as they always have — nothing changes on their side:

# Vendor uploads over SFTP; the object lands in GCS
sftp -i partner_key [email protected]
sftp> put orders-2026-06-20.csv
Uploading orders-2026-06-20.csv  100%   42KB
226 Transfer complete

# Object now exists at:
# gs://acme-partner-dropbox/inbound/vendor/2026-06-20/orders-2026-06-20.csv

Forward + notify in one flow. Add a webhook alongside the GCS target and the same upload is POSTed (HMAC-SHA256 signed) to your app while the object lands in the bucket — so your pipeline kicks off the instant the object is finalized, with no Pub/Sub or Eventarc wiring required if you would rather not depend on it.

FTPasHTTPS vs. the DIY SFTP + cron pipeline

Concern	DIY SFTP server + cron + script	FTPasHTTPS → GCS
Files on disk	Written to a volume, then deleted	Never touch disk — streamed
Moving parts	SFTP daemon + cron/Cloud Function + copy script	One streaming forward
Latency to GCS	Up to the cron interval (minutes)	Streams during the upload
Retries on storage error	Hand-rolled, often missing	Exponential backoff + dead-letter queue
Audit trail	Scattered across Cloud Logging	Full audit log per transfer
Patching & uptime	You own the OS and daemon	Managed for you
Protocols	Usually SFTP only	FTP, FTPS and SFTP

When to use it (and the limits)

Reach for FTPasHTTPS-to-GCS when partners insist on SFTP or FTP but your stack lives in Google Cloud Storage, when you want objects in a bucket the moment they arrive, or when you would rather not own an internet-facing SFTP daemon on Compute Engine. GCS forwarding (and the inline transformation features) is available from the Professional plan up (€49/server/month: 10,000 transfers, 50GB); the Free tier is FTP-only and ideal for proving the flow before you wire in production credentials.

A few limits to keep in mind: forwarding is per-file at upload time, so this is not a tool for batch re-syncing an existing bucket. Object names are derived from the upload template, not arbitrary client paths. And throughput is bounded by your plan's monthly transfer and size caps — 10,000 transfers / 50GB on Professional, 50,000 / 250GB on Enterprise.

Object names, prefixes and downstream triggers

Because the object name is templated, you decide exactly how uploads are organised in the bucket. A template like inbound/{username}/{date}/{filename} partitions every partner into their own prefix and every day into its own folder, which keeps Object Lifecycle Management rules, IAM bindings and downstream consumers simple. Scope the service account (or HMAC key) to write only that prefix, and a leaked credential can do nothing but write where it was already allowed to write.

Once the object is finalized, the rest of your pipeline behaves exactly as it would for any other GCS write — a Cloud Function, an Eventarc trigger or a Pub/Sub notification on object finalize can all fire off the new object. If you would rather not depend on GCS event notifications at all, attach a webhook to the same forward so your application is notified directly the instant the upload completes, with the object name and partner identity included. Either way, the audit log gives you a single place to answer the only question that matters during an incident: did the file arrive, and when?

Frequently asked questions

How do I automatically upload SFTP files to Google Cloud Storage?

Point your SFTP client at FTPasHTTPS and configure a GCS forward target with your bucket, location and a service account or HMAC credential. Every file uploaded via SFTP STOR is streamed straight into the GCS object as it arrives. No server, cron job or Cloud Function is required.

Does FTPasHTTPS store my files before sending them to GCS?

No. Uploaded bytes stream through FTPasHTTPS into the GCS object write without being written to disk. There is no intermediate file storage to manage, secure or pay for.

Can I forward to GCS and a webhook at the same time?

Yes. A single upload can be forwarded to your GCS bucket and POSTed to an HMAC-signed webhook in the same flow, so your application is notified the moment the object is finalized.

Does it work with plain FTP and FTPS too, not just SFTP?

Yes. FTPasHTTPS speaks FTP (RFC 959), FTPS (RFC 4217, TLS 1.2/1.3) and SFTP (SSH key auth), in active and passive modes over IPv4 and IPv6. The same GCS forwarding works for all three protocols.

What happens if Google Cloud Storage is unavailable during an upload?

Failed forwards are retried automatically with exponential backoff and, if they still fail, land in a dead-letter queue. The client receives a 451 Action aborted code, and every attempt is recorded in the audit log.

Stream your first upload to GCS

Spin up a server, paste a GCS target, point a client at it. Objects in your bucket in minutes — no disk, no cron.

Start free — no credit card