Similar to T280773, we'd like to add an account for readonly access to the ML models stored on Thanos Swift (and in the future, the MOSS cluster). The existing account/user (mlserve:prod) would continue to be used to upload models to the storage bucket.
Naming is a bit tricky (also because I don't know conventions used here all that well. One option would be mlserve:readonly, and we'd clean up the mlserve:prod name into something more useful/accurate later.
On the puppet side, changes 682097 and 682125 plus one for the actually-private repo would follow once we have hashed out the name. One question here is what values access can have to make an account have read-only access.