Simple read-only S3 endpoint
A user has a client tool that can talk to any S3 endpoint. They are pointing it at keep-web. For their workflow, they would prefer that this tool only read from Keep, and not be able to write. This is not meant to be a security control, but just a guardrail to prevent specific types of workflow mistakes. The people using this tool often created these collections or can write to them in Workbench, and that's fine.
The user suggested having keep-web provide a specific S3 API endpoint that is always read-only, even if the user has write permission in Arvados.
Another possibility might be some documented way for client tools to get API tokens that are scoped to be read-only and then use those for all future access. Need to discuss the approach we want to take.
Updated by Brett Smith 9 months ago
Peter Amstutz wrote in #note-2:
I think all you need is a token scoped to "GET /", which will limit you to read-only access to the API.
Yeah, we discussed this, but then it just sort of moves the question to: is there an easy way to get a token with this scope? I.e., one that doesn't involve writing your own API client.