s3-credentials policy --public-bucket option, closes #44

README.md

@@ -171,6 +171,7 @@ You can use the `s3-credentials policy` command to generate the JSON policy docu
 
 - `--read-only` - generate a read-only policy
 - `--write-only` - generate a write-only policy
+- `--public-bucket` - generate a bucket policy for a public bucket
 
 With none of these options it defaults to a read-write policy.
 ```
@@ -546,6 +547,36 @@ cog.out(
 ```
 <!-- [[[end]]] -->
 
+### public bucket policy
+
+Buckets created using the `--public` option will have the following bucket policy attached to them:
+
+<!-- [[[cog
+result = runner.invoke(cli.cli, ["policy", "my-s3-bucket", "--public-bucket"])
+cog.out(
+    "```\n{}\n```".format(json.dumps(json.loads(result.output), indent=2))
+)
+]]] -->
+```
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "AllowAllGetObject",
+      "Effect": "Allow",
+      "Principal": "*",
+      "Action": [
+        "s3:GetObject"
+      ],
+      "Resource": [
+        "arn:aws:s3:::my-s3-bucket/*"
+      ]
+    }
+  ]
+}
+```
+<!-- [[[end]]] -->
+
 ## Development
 
 To contribute to this tool, first checkout the code. Then create a new virtual environment:

s3_credentials/cli.py

@@ -123,7 +123,21 @@ class DurationParam(click.ParamType):
 )
 @click.option("--read-only", help="Only allow reading from the bucket", is_flag=True)
 @click.option("--write-only", help="Only allow writing to the bucket", is_flag=True)
-def policy(buckets, read_only, write_only):
+@click.option(
+    "--public-bucket",
+    help="Bucket policy for allowing public access",
+    is_flag=True,
+)
+def policy(buckets, read_only, write_only, public_bucket):
+    if public_bucket:
+        if len(buckets) != 1:
+            raise click.ClickException(
+                "--public-bucket-policy can only be generated for a single bucket"
+            )
+        click.echo(
+            json.dumps(policies.bucket_policy_allow_all_get(buckets[0]), indent=4)
+        )
+        return
     permission = "read-write"
     if read_only:
         permission = "read-only"

s3_credentials/policies.py

@@ -56,3 +56,18 @@ def write_only_statements(bucket):
 
 def wrap_policy(statements):
     return {"Version": "2012-10-17", "Statement": statements}
+
+
+def bucket_policy_allow_all_get(bucket):
+    return {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Sid": "AllowAllGetObject",
+                "Effect": "Allow",
+                "Principal": "*",
+                "Action": ["s3:GetObject"],
+                "Resource": ["arn:aws:s3:::{}/*".format(bucket)],
+            }
+        ],
+    }