Support one or more --key options to create credentials restricted to a specific key

[simonw]

The new --prefix option from #12 lets you set a wildcard prefix for key access - but it strikes me that it would also be useful to be able to limit access to one or more specific keys. For example, if you want to create a token that can be used to upload data to a pre-assigned UUID filename.

Related:

• Support multiple --prefix options #56

[simonw]

I need to test this, but I think that the policy for --read-only --key foo/bar.txt would be this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::my-s3-bucket/foo/bar.txt"
      ]
    }
  ]
}

Can filenames contain a *? If so, how would you specify the resource for such a file when "arn:aws:s3:::my-s3-bucket/foo/bar*.txt" is presumably treated as a wildcard?

[simonw]

Twitter conversation about the *.png edge-case: https://twitter.com/simonw/status/1483841770094227463

I confirmed there that the ARN for a file called *.png maintains the *:

Suggestion from https://twitter.com/smithsam/status/1483844461310451718

What happens if you use %2A to describe the * ?