diff --git a/scripts/makeBucketsReadOnly.sh b/scripts/makeBucketsReadOnly.sh
index 8423ff08f43f7d53a08d10f0dbd8deccfe22538d..2f34f9f2fe976f7f05b69d63d1d2ac69a1f704b2 100644
--- a/scripts/makeBucketsReadOnly.sh
+++ b/scripts/makeBucketsReadOnly.sh
@@ -33,7 +33,48 @@ do
   export MC_HOST_ceph=https://${AWS_ACCESS_KEY_ID}:${AWS_SECRET_ACCESS_KEY}@s3.standard.indie.host
   BUCKET=`echo $BUCKET_SECRET | rev | cut -d"-" -f2- | rev` # removes -s3 at the end of the secret name
   echo mc ls ${NS}/${BUCKET}
-
+  
+  if echo $BUCKET | grep pad; then
+  cat  << EOF > /tmp/readonly.json
+{
+ "Version": "2012-10-17",
+ "Statement": [
+  {
+    "Sid":"Readonly user for offsite backups.",
+    "Effect": "Allow",
+    "Principal": {"AWS": ["arn:aws:iam:::user/read-only"]},
+    "Action": [
+       "s3:ListBucket",
+       "s3:ListAllMyBuckets",
+       "s3:GetObject"
+     ],
+    "Resource": [
+      "arn:aws:s3:::$BUCKET",
+      "arn:aws:s3:::$BUCKET/*"
+    ]
+  }, {
+    "Sid":"PublicRead",
+    "Effect":"Allow",
+    "Principal": "*",
+    "Action":["s3:GetObject","s3:GetObjectVersion"],
+    "Resource":["arn:aws:s3:::$BUCKET/uploads/*"]
+  },{
+   "Sid":"PrivateReadOnlyBackup",
+   "Effect": "Allow",
+   "Principal": {"AWS": ["arn:aws:iam:::user/${NS}"]},
+   "Action": [
+      "s3:ListBucket",
+      "s3:ListAllMyBuckets",
+      "s3:GetObject"
+    ],
+   "Resource": [
+     "arn:aws:s3:::$BUCKET",
+     "arn:aws:s3:::$BUCKET/*"
+   ]
+ }]
+}
+EOF
+  else
 cat  << EOF > /tmp/readonly.json
 {
  "Version": "2012-10-17",
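Review bot: The new test `if echo $BUCKET | grep pad; then` matches "pad" anywhere in the bucket name, so any bucket whose name merely contains that substring receives the policy with the `PublicRead` statement (`"Principal": "*"` on `uploads/*`). Because this condition decides anonymous read access, it should match the intended naming convention exactly and quietly, for example `if printf '%s\n' "$BUCKET" | grep -q -- '<anchored-pad-bucket-pattern>'; then`; plain `grep` also prints the matched name to stdout. The added heredoc writes to the fixed path `/tmp/readonly.json`, as the existing branch does, and a file from `mktemp` removed by a `trap` would avoid following a file or symlink pre-created at that path. `$BUCKET` and `${NS}` are expanded unescaped into the JSON, so this presumably relies on both being restricted to characters that are safe inside a JSON string. The enclosing loop starts outside the hunk.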
@@ -52,6 +93,7 @@ cat  << EOF > /tmp/readonly.json
  }]
 }
 EOF
+  fi
 
   mc policy set-json /tmp/readonly.json ceph/$BUCKET || true
 done