Have a way to create read-only credentials for the storage service APIs

[alexwlchan]

Right now, I think it's the case that any client with API credentials for the storage service can do anything.

A lot of services/tools only need read-only access, e.g. for monitoring.

It would be good to be able to create credentials that are only read-only, and can't create/destroy ingests or anything.