This is an investigation, design, and planning ticket for the larger
The basic problem is that clients for LSST the Docs generally shouldn't have S3 credentials. They are extra things for clients to track, and they can potentially give clients more access to S3 than they need. We want to move to a model where LTD Keeper is the only application with credentials to LTD's S3 bucket. The question, then, is how LTD Keeper should provide access for clients to upload new builds into the S3 bucket. The main options are:
- LTD Keeper creates a temporary S3 credential for the client, and then ensures that the credential is deleted/rotated.
- LTD Keeper generates presigned URLs that the client can upload to.
- The client uploads files to LTD Keeper, and LTD Keeper forwards those objects to S3.