Full source code can be found at https://github.com/mgjam/blog/tree/master/2.
User & Access Key
The created user has no console password set, so it cannot log in to the AWS Management Console; it can only act through its access key.
S3 Bucket
The bucket ACL is set to PUBLIC_READ, meaning the bucket contents are readable by the public while write operations from the public are denied.
The bucket CORS rules are set to allow cross-origin GET requests, so XHR requests from any domain can read from the bucket.
Lastly, we grant write access to the created user.
Outputs
A simple way of exposing the user's access key ID and secret is to create AWS CloudFormation outputs for them.
To improve security, an alternative is to store the secret in AWS Secrets Manager or Parameter Store instead of a stack output, since outputs are visible to anyone who can describe the stack.
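The user, bucket, policy and outputs described above all synthesize to plain CloudFormation. The block below is an added example written for this post, not code from the linked repository or from the CDK: it builds that template by hand in TypeScript and runs a small audit over it that checks the properties the setup relies on (no console login profile on the user, an ACL that grants no public write, CORS limited to GET, a write policy scoped to the bucket rather than to every resource). Logical IDs such as AssetsBucket and UploadUser, the action list in the write policy, and the PublicAccessBlockConfiguration and OwnershipControls settings (needed because newly created buckets now block public ACLs and disable ACLs by default) are assumptions, not taken from the post.

```typescript
// Added example (not the post's CDK code): hand-built CloudFormation template for a
// public-read bucket with a write-only IAM user, plus an audit of the security-relevant
// properties. Logical IDs, policy actions and bucket settings are assumptions.
type Json = Record<string, unknown>;
type Resource = { Type: string; Properties: Json };

interface StackOptions {
  bucketName: string;
  userName: string;
  allowedOrigins?: string[]; // CORS origins; ['*'] reproduces the post's setup
}

function buildTemplate(opts: StackOptions): Json {
  const origins = opts.allowedOrigins ?? ['*'];
  return {
    AWSTemplateFormatVersion: '2010-09-09',
    Resources: {
      AssetsBucket: {
        Type: 'AWS::S3::Bucket',
        Properties: {
          BucketName: opts.bucketName,
          AccessControl: 'PublicRead', // public READ only; the ACL grants no public write
          // Assumed: new buckets block public ACLs and disable ACLs by default, so the
          // ACL above only takes effect with these two settings relaxed.
          PublicAccessBlockConfiguration: {
            BlockPublicAcls: false,
            IgnorePublicAcls: false,
            BlockPublicPolicy: true,
            RestrictPublicBuckets: true,
          },
          OwnershipControls: { Rules: [{ ObjectOwnership: 'ObjectWriter' }] },
          CorsConfiguration: {
            CorsRules: [{ AllowedMethods: ['GET'], AllowedOrigins: origins, AllowedHeaders: ['*'] }],
          },
        },
      },
      // No LoginProfile: the user has no console password and cannot sign in interactively.
      UploadUser: { Type: 'AWS::IAM::User', Properties: { UserName: opts.userName } },
      UploadUserKey: { Type: 'AWS::IAM::AccessKey', Properties: { UserName: { Ref: 'UploadUser' } } },
      UploadUserWritePolicy: {
        Type: 'AWS::IAM::Policy',
        Properties: {
          PolicyName: 'bucket-write',
          Users: [{ Ref: 'UploadUser' }],
          PolicyDocument: {
            Version: '2012-10-17',
            Statement: [{
              Effect: 'Allow',
              // Assumed action set: enough to upload with --acl public-read and to delete.
              Action: ['s3:PutObject', 's3:PutObjectAcl', 's3:DeleteObject', 's3:AbortMultipartUpload'],
              Resource: { 'Fn::Join': ['', [{ 'Fn::GetAtt': ['AssetsBucket', 'Arn'] }, '/*']] },
            }],
          },
        },
      },
    },
    // Outputs expose the key pair; anyone who can describe the stack can read them.
    Outputs: {
      AccessKeyId: { Value: { Ref: 'UploadUserKey' } },
      SecretAccessKey: { Value: { 'Fn::GetAtt': ['UploadUserKey', 'SecretAccessKey'] } },
    },
  };
}

// Returns a list of findings; an empty list means the template matches the intended setup.
function auditTemplate(tpl: Json): string[] {
  const findings: string[] = [];
  const resources = tpl.Resources as Record<string, Resource>;
  for (const name of Object.keys(resources)) {
    const res = resources[name];
    if (res.Type === 'AWS::IAM::User' && res.Properties.LoginProfile) {
      findings.push(`${name}: user has a console password (LoginProfile)`);
    }
    if (res.Type === 'AWS::S3::Bucket') {
      if (res.Properties.AccessControl === 'PublicReadWrite') {
        findings.push(`${name}: ACL grants public write`);
      }
      const cors = res.Properties.CorsConfiguration as { CorsRules: { AllowedMethods: string[] }[] } | undefined;
      for (const rule of cors?.CorsRules ?? []) {
        const extra = rule.AllowedMethods.filter((m) => m !== 'GET' && m !== 'HEAD');
        if (extra.length > 0) findings.push(`${name}: CORS allows ${extra.join(',')}`);
      }
    }
    if (res.Type === 'AWS::IAM::Policy') {
      const doc = res.Properties.PolicyDocument as { Statement: { Action: string | string[]; Resource: unknown }[] };
      for (const st of doc.Statement) {
        const actions = Array.isArray(st.Action) ? st.Action : [st.Action];
        if (actions.some((a) => a === '*' || a === 's3:*')) findings.push(`${name}: wildcard action`);
        if (st.Resource === '*') findings.push(`${name}: wildcard resource`);
      }
    }
  }
  return findings;
}

// Usage with constructed names (no real account values):
console.log(JSON.stringify(buildTemplate({ bucketName: 'example-public-assets', userName: 'assets-uploader' }), null, 2));
```

The audit is the part worth keeping around: run it against the synthesized template (cdk synth output) in CI so that a later edit cannot quietly widen CORS to PUT, add a console password to the upload user, or replace the bucket-scoped resource with a wildcard.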
Uploading Document Via AWS CLI
The following command copies the local file into the specified S3 bucket.
Notice the --acl public-read part. It is essential: the bucket ACL does not apply to objects, so without it the uploaded file will not be publicly accessible.
Closing Notes
This guide is narrowly focused, and many attributes can be adjusted along the way.
Its goal is to help with setting up a public-read S3 bucket together with an access key for a user that can write to it.
Additional documentation can be found at
https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-iam.User.html
https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-s3.Bucket.html