Can I create an SFTP account for one of my team that only allows access to one folder, not to the whole site?
A common requirement is to provide some sort of upload or download folder within your site that an external tool or service may want to read from or write to. This may be automated uploads of product catalogs or CSVs, or automated downloads of exported reports or backups. Generally it’s a good idea to give these automated tools only the minimum privileges necessary for their task, so a dedicated account just for the robot, with limited access, is a good way to do this.
Platform.sh does not allow unencrypted FTP access; you have to use SFTP.
On Platform Grid (Standard) you only get one login to your environment. Even when you have multiple developers with access, they all connect as the same user there. That account has visibility of your whole project, and write-access to all your writable file mounts. It’s not possible to add additional users with limited access within that. You cannot “chroot” an account.
You can, however, add additional ‘user’ accounts to your project, and even manage access for them on a per-branch level. So adding a new ‘user’ account to your project, granting it access to a specific branch, and uploading its public SSH key will achieve most of what you need. You just need to provide it with the full directory path for its target. This account will have SSH access to upload and download files on Platform.sh as needed.
The SFTP credentials are the ones shown as “SSH” info on your project-branch console page, or can be retrieved with the platform ssh --pipe command.
You must use SSH key authentication. Password-only authentication is prohibited.
Remember, your deployed environment is read-only, so the risk of allowing a daemon account access to your uploaded files is limited to those mounts that you have already designated as writable anyway.
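As an added example (not code from Platform.sh), here is one way the robot's upload job could use the SSH info and a dedicated key as described above, while refusing any target outside its own mount. ROBOT_KEY, ROBOT_SSH_URL (the value printed by platform ssh --pipe), ROBOT_MOUNT and the sample paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Assumed names (not from the page): ROBOT_KEY, ROBOT_SSH_URL,
# ROBOT_MOUNT and the sample paths. The path check is a client-side guard for
# the job itself; the server does not confine the account to this folder.

NL='
'

# build_batch LOCAL_FILE REMOTE_DIR MOUNT
# Prints an sftp batch script, or returns 1 if REMOTE_DIR is outside MOUNT.
build_batch() {
    case "$1$2" in
        *'"'*|*"$NL"*) return 1 ;;   # would break out of the quoted batch line
    esac
    case "$2" in
        *..*) return 1 ;;            # conservative: refuse any ".." in the path
        "$3"|"$3"/*) ;;              # the mount itself or a path beneath it
        *) return 1 ;;
    esac
    printf 'cd "%s"\nput "%s"\n' "$2" "$1"
}

# upload LOCAL_FILE REMOTE_DIR
upload() {
    batch=$(build_batch "$1" "$2" "$ROBOT_MOUNT") || return 1
    # -i + IdentitiesOnly: offer only the robot's key, not every agent key.
    # PasswordAuthentication=no: never fall back to a password prompt.
    # -b -: read commands from stdin; sftp aborts on the first failed command.
    printf '%s\n' "$batch" | sftp -i "$ROBOT_KEY" \
        -o IdentitiesOnly=yes -o PasswordAuthentication=no \
        -b - "$ROBOT_SSH_URL"
}

# Run as: ROBOT_KEY=... ROBOT_SSH_URL=... ROBOT_MOUNT=... sh upload.sh --run FILE DIR
if [ "${1:-}" = "--run" ]; then
    upload "$2" "$3"
fi
```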
For Platform Dedicated hosting, more flexibility is possible. If needed, please raise a ticket with Platform.sh Support with your requirements.