Eric's previous post shows how to set up CloudBerry to simulate an FTP site. This post shows how to restrict the client to read-only access to the files while restricting their view to their own bucket.

First I created a bucket at the root level called x-wandw-ort-quandis-com. I then created an IAM account called WandWViewOnly as described in Eric's post. Everything works fine, but the W&W users can see the two other root buckets, ort-quandis-com and uat-ort-quandis-net, and any other bucket at the root level.

To restrict their access to their own bucket I created the IAM policy WilliamsReadOnly listed below:

    {
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "s3:Get*",
          "Resource": "arn:aws:s3:::x-wandw-ort-quandis-com/*",
          "Condition": {}
        },
        {
          "Effect": "Allow",
          "Action": "s3:ListBucket",
          "Resource": "arn:aws:s3:::x-wandw-ort-quandis-com",
          "Condition": {}
        }
      ]
    }

This works, but an extra step is needed in CloudBerry so that the W&W users can see the bucket. After the W&W user connects via CloudBerry their list of buckets will be empty; they need to create an external bucket. This is done by clicking on the green cube and then specifying the bucket name, in my case x-wandw-ort-quandis-com. Once they do this they can then drill into the x-wandw-ort-quandis-com bucket to see their files.

This type of configuration is explained in more detail here.
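An added example, not part of the original post: a simplified Python evaluator run over the WilliamsReadOnly policy, showing why the bucket list comes up empty (s3:ListAllMyBuckets is never granted) and that writes and the other buckets are denied. It is not AWS's own evaluation logic; it models only Action/Resource wildcard matching with explicit-deny precedence, and the object keys in the sample requests are constructed.

```python
import json
import re

# The WilliamsReadOnly policy from the post, unchanged.
POLICY = json.loads("""
{ "Statement": [
  { "Effect": "Allow", "Action": "s3:Get*",
    "Resource": "arn:aws:s3:::x-wandw-ort-quandis-com/*", "Condition": {} },
  { "Effect": "Allow", "Action": "s3:ListBucket",
    "Resource": "arn:aws:s3:::x-wandw-ort-quandis-com", "Condition": {} }
] }
""")

BUCKET = "arn:aws:s3:::x-wandw-ort-quandis-com"

# Constructed sample requests: (action, resource ARN).
REQUESTS = [
    ("s3:GetObject", BUCKET + "/reports/jan.pdf"),      # read own file
    ("s3:ListBucket", BUCKET),                          # list own bucket
    ("s3:ListAllMyBuckets", "*"),                       # root bucket listing
    ("s3:PutObject", BUCKET + "/reports/jan.pdf"),      # overwrite own file
    ("s3:DeleteObject", BUCKET + "/reports/jan.pdf"),   # delete own file
    ("s3:ListBucket", "arn:aws:s3:::ort-quandis-com"),  # list another bucket
    ("s3:GetObject", "arn:aws:s3:::uat-ort-quandis-net/x.txt"),
]

def wild_match(patterns, value, flags=0):
    """True if value matches any pattern; * and ? are the only wildcards."""
    if isinstance(patterns, str):
        patterns = [patterns]
    for pattern in patterns:
        regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
        if re.fullmatch(regex, value, flags):
            return True
    return False

def is_allowed(policy, action, resource):
    """Explicit Deny wins, then any Allow, otherwise implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        # Action names compare case-insensitively; resource ARNs do not.
        if wild_match(stmt["Action"], action, re.IGNORECASE) and \
                wild_match(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

if __name__ == "__main__":
    for action, resource in REQUESTS:
        verdict = "ALLOW" if is_allowed(POLICY, action, resource) else "DENY"
        print(f"{verdict:5}  {action:20} {resource}")
```

Only the first two sample requests are allowed; the denied s3:ListAllMyBuckets call is the reason the bucket has to be added by name as an external bucket.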