s3cmd doesn't currently support uploading files without having immediate access to the secret key. In situations where you'd like to run s3cmd on a machine that can't have access to a secret key (for example, Travis CI), this becomes a problem:
The above example also demonstrates a solution -- the use of POST with a base64 encoded policy, and a signature generated from the access key and the policy. The Amazon spec for this is here:
You still need to generate the policy and the signature, but it's safe to ship those off elsewhere and uploads can continue to be done with them (within the limits set forth by the policy, of course).
I put together a very preliminary, hack-ish implementation of this:
This will upload without any secret key, but you still need to pre-generate your base64 encoded policy and signature. Also, many awesome aspects of s3cmd (retries, additional headers) break down. And the arg hook into s3 itself (policypost) is pretty ad-hoc.
This issue is primarily to gauge interest -- it would be considerably more difficult to generate a clean, ready-to-integrate implementation of this feature for s3cmd, but might be worth the extra effort.