Support S3 public-read ACL on deploy

[ajorg]

When migrating to Hugo from another static site generator I had to add a bucket policy to allow public reads on S3. The way I'd been doing it previously was to deploy using the AWS CLI aws s3 sync with the --acl public-read option. This sets the public-read ACL on the object, rather than configuring the bucket to be publicly readable, which is not best practice.

I can imagine reasons to not want to make adding the public-read ACL the default, but it could be a very useful deploy option to set a canned ACL for objects being uploaded, and it could be a recommended configuration.

When deploying to a prefix it's entirely possible the user doesn't want to make the whole bucket public, but only objects under that prefix. One can probably do this with a bucket policy also, but again it can be nicer if the object itself has the ACL set, so that deployments can ensure that only objects deployed by Hugo have that ACL.

Other canned ACLs could be supported as well, but public-read is the only one that strikes me as especially useful for a static site. Maybe authenticated-read could be handy for someone?

[satotake]

I agree with you, it is reasonable to configure ACL but it is an upstream issue (by design?)

I recommend that you combine hugo with aws s3 sync as temp workaround.

Like this

hugo #  built into `public` direcotry
aws s3 sync public/your-prefix s3://yourbucket/your-prefix --acl public-read # ...etc

Personally, I prefer s3deploy. it is more performant than awscli and you can configure acl

[bep]

Personally, I prefer s3deploy. it is more performant than awscli and you can configure acl

I think s3deploy only support setting public-read for all or nothing.

But yes, we should probably support something like this. Not sure how this works across the different cloud providers. @vangent may have some input.

[vangent]

Not sure how this works across the different cloud providers Not very well :-(. Notably, Azure only supports bucket-level ACLs IIRC.

[github-actions[bot]]

This issue has been automatically marked as stale because it has not had recent activity. The resources of the Hugo team are limited, and so we are asking for your help. If this is a bug and you can still reproduce this error on the master branch, please reply with all of the information you have about it in order to keep the issue open. If this is a feature request, and you feel that it is still relevant and valuable, please tell us why. This issue will automatically be closed in the near future if no further activity occurs. Thank you for all your contributions.

[ajorg]

I believe this is still relevant for some folks using S3.

[arieroos]

I also think this very relevant

[github-actions[bot]]

This issue has been automatically marked as stale because it has not had recent activity. The resources of the Hugo team are limited, and so we are asking for your help. If this is a bug and you can still reproduce this error on the master branch, please reply with all of the information you have about it in order to keep the issue open. If this is a feature request, and you feel that it is still relevant and valuable, please tell us why. This issue will automatically be closed in the near future if no further activity occurs. Thank you for all your contributions.

[bep]

@vangent is this still not possible to do on a per-object in gocloud?

[vangent]

I don't think anything has changed since my last comment; per-object ACLs are not uniformly supported across the Cloud providers and so not supported by gocloud.