diff --git a/init-minio.sh b/init-minio.sh
index 46deb57..27fe654 100755
--- a/init-minio.sh
+++ b/init-minio.sh
@@ -14,4 +14,7 @@ mc admin user add myminio "$MERCH_API_USER" "$MERCH_API_PASSWORD"
 
 mc admin policy attach myminio api-policy --user="$MERCH_API_USER"
 
+mc admin policy create myminio public-read /policies/public-read.json
+mc anonymous set download myminio/user-merch-images
+
 echo "MinIO init done."
diff --git a/policies/public-read.json b/policies/public-read.json
new file mode 100644
index 0000000..c63c4bf
--- /dev/null
+++ b/policies/public-read.json
@@ -0,0 +1,12 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {"AWS": ["*"]},
+      "Action": ["s3:GetObject"],
+      "Resource": ["arn:aws:s3:::user-merch-images/*"]
+    }
+  ]
+}
+