Parameterize S3 default ACL when uploading objects.

api/config/settings/common.py

@@ -468,7 +468,19 @@ It's recommended to keep this on, as a way to enforce access control, however,
 if you're using S3 storage with :attr:`AWS_QUERYSTRING_AUTH`,
 it's safe to disable it.
 """
-AWS_DEFAULT_ACL = None
+AWS_DEFAULT_ACL = env("AWS_DEFAULT_ACL", default=None)
+"""
+The default ACL to use when uploading files to an S3-compatible object storage 
+bucket.  
+
+ACLs and bucket policies are distinct concepts, and some storage 
+providers (ie Linode, Scaleway) will always apply the most restrictive between 
+a bucket's ACL and policy, meaning a default private ACL will supercede
+a relaxed bucket policy.
+
+If present, the value should be a valid canned ACL.
+See: https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html#canned-acl
+"""
 AWS_QUERYSTRING_AUTH = env.bool("AWS_QUERYSTRING_AUTH", default=not PROXY_MEDIA)
 """
 Whether to include signatures in S3 urls, as a way to enforce access-control.

changes/changelog.d/1319.enhancement

@@ -0,0 +1 @@
+Parameterize the default S3 ACL when uploading objects. (#1319)

deploy/env.prod.sample

@@ -189,3 +189,11 @@ AWS_STORAGE_BUCKET_NAME=
 # valid. The default value is 3600 (60 minutes). The maximum accepted value is 604800 (7 days)
 
 # AWS_QUERYSTRING_EXPIRE=
+
+# If you are using an S3-compatible object storage provider, and need to provide a default
+# ACL for object uploads that is different from the default applied by boto3, you may
+# override it here. Example:
+#    AWS_DEFAULT_ACL=public-read
+# Available options can be found here: https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html#canned-acl
+
+# AWS_DEFAULT_ACL=