recipe-specs: move to cloudgate based service-user

Also see binary-builder change (github.com/cloudfoundry/binary-builder/pull/76). The pipeline is currently red. This change doesn't attempt to fix that. There's an open issue for that: #273. The following is the permissions-policy added for the role: { "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "s3:ListBucketMultipartUploads", "s3:GetBucketTagging", "s3:GetObjectVersionTagging", "s3:ListBucketVersions", "s3:GetObjectAttributes", "s3:ListBucket", "s3:GetBucketVersioning", "s3:GetBucketAcl", "s3:ListMultipartUploadParts", "s3:PutObject", "s3:GetObjectAcl", "s3:GetObject", "s3:PutObjectVersionAcl", "s3:GetObjectVersionAcl", "s3:GetObjectTagging", "s3:PutBucketAcl", "s3:GetBucketLocation", "s3:PutBucketVersioning", "s3:PutObjectAcl", "s3:GetObjectVersion" ], "Resource": [ "arn:aws:s3:::buildpacks-oracle-client-libs", "arn:aws:s3:::buildpacks-oracle-client-libs/*" ] }, { "Sid": "VisualEditor1", "Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*" } ] }
cloudfoundry · Oct 4, 2023 · 908395a · 908395a
1 parent f02c311
commit 908395a
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 2 deletions.
diff --git a/pipelines/recipe-specs/recipe-specs.yml b/pipelines/recipe-specs/recipe-specs.yml
@@ -84,8 +84,9 @@ jobs:
               SPEC_TO_RUN: #@ spec_name
               RUBYGEM_MIRROR: https://rubygems.org
               RUN_ORACLE_PHP_TESTS: true
-              AWS_ACCESS_KEY_ID: ((oracle-client-library-s3-download-access-key))
-              AWS_SECRET_ACCESS_KEY: ((oracle-client-library-s3-download-secret-key))
+              AWS_ACCESS_KEY_ID: ((svc-buildpacks-aws-ocldr-access-key))
+              AWS_SECRET_ACCESS_KEY: ((svc-buildpacks-aws-ocldr-secret-key))
+              AWS_ASSUME_ROLE_ARN: ((svc-buildpacks-aws-ocldr-assume-role-arn))
               AWS_DEFAULT_REGION: us-east-1
               ORACLE_LIBS_AWS_BUCKET: buildpacks-oracle-client-libs
               ORACLE_LIBS_FILENAME: oracle_client_libs.tgz

diff --git a/tasks/run-binary-builder-integration-specs/task.yml b/tasks/run-binary-builder-integration-specs/task.yml
@@ -14,6 +14,7 @@ params:
   RUBYGEM_MIRROR:
   AWS_DEFAULT_REGION:
   AWS_ACCESS_KEY_ID:
+  AWS_ASSUME_ROLE_ARN:
   AWS_SECRET_ACCESS_KEY:
   ORACLE_LIBS_AWS_BUCKET:
   ORACLE_LIBS_FILENAME: