Parameterize S3 default ACL when uploading objects.

2022-05-07 06:54:04 +00:00 · 2022-05-07 06:54:04 +00:00 · 40db52a91e
commit 40db52a91e
--- a/api/config/settings/common.py
+++ b/api/config/settings/common.py
@ -468,7 +468,19 @@ It's recommended to keep this on, as a way to enforce access control, however,
 if you're using S3 storage with :attr:`AWS_QUERYSTRING_AUTH`,
 it's safe to disable it.
 """
-AWS_DEFAULT_ACL = None
+AWS_DEFAULT_ACL = env("AWS_DEFAULT_ACL", default=None)
+"""
+The default ACL to use when uploading files to an S3-compatible object storage 
+bucket.  
+
+ACLs and bucket policies are distinct concepts, and some storage 
+providers (ie Linode, Scaleway) will always apply the most restrictive between 
+a bucket's ACL and policy, meaning a default private ACL will supercede
+a relaxed bucket policy.
+
+If present, the value should be a valid canned ACL.
+See: https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html#canned-acl
+"""
 AWS_QUERYSTRING_AUTH = env.bool("AWS_QUERYSTRING_AUTH", default=not PROXY_MEDIA)
 """
 Whether to include signatures in S3 urls, as a way to enforce access-control.
--- a/changes/changelog.d/1319.enhancement
+++ b/changes/changelog.d/1319.enhancement
@ -0,0 +1 @@
+Parameterize the default S3 ACL when uploading objects. (#1319)
--- a/deploy/env.prod.sample
+++ b/deploy/env.prod.sample
@ -189,3 +189,11 @@ AWS_STORAGE_BUCKET_NAME=
 # valid. The default value is 3600 (60 minutes). The maximum accepted value is 604800 (7 days)

 # AWS_QUERYSTRING_EXPIRE=
+
+# If you are using an S3-compatible object storage provider, and need to provide a default
+# ACL for object uploads that is different from the default applied by boto3, you may
+# override it here. Example:
+#    AWS_DEFAULT_ACL=public-read
+# Available options can be found here: https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html#canned-acl
+
+# AWS_DEFAULT_ACL=
				`@ -0,0 +1 @@`
				`Parameterize the default S3 ACL when uploading objects. (#1319)`