Simple read-only S3 endpoint
A user has a client tool that can talk to any S3 endpoint. They are pointing it at keep-web. For their workflow, they would prefer that this tool only read from Keep, and not be able to write. This is not meant to be a security control, but just a guardrail to prevent specific types of workflow mistakes. The people using this tool often created these collections or can write to them in Workbench, and that's fine.
The user suggested having keep-web provide a specific S3 API endpoint that is always read-only, even if the user has write permission in Arvados.
Another possibility might be some documented way to client tools to get API tokens that are scoped to be read-only and then use those for all future access. Need to discuss the approach we want to take.