From ba6445305540b2e7459a415e07e57123606690e3 Mon Sep 17 00:00:00 2001 From: Arjun Sreedharan Date: Wed, 4 Oct 2023 20:21:44 +0000 Subject: [PATCH] recipe-specs: move to cloudgate based service-user Also see binary-builder change (github.com/cloudfoundry/binary-builder/pull/76). The pipeline is currently red. This change doesn't attempt to fix that. There's an open issue for that: #273. The following is the permissions-policy added for the role: { "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "s3:ListBucketMultipartUploads", "s3:GetBucketTagging", "s3:GetObjectVersionTagging", "s3:ListBucketVersions", "s3:GetObjectAttributes", "s3:ListBucket", "s3:GetBucketVersioning", "s3:GetBucketAcl", "s3:ListMultipartUploadParts", "s3:PutObject", "s3:GetObjectAcl", "s3:GetObject", "s3:PutObjectVersionAcl", "s3:GetObjectVersionAcl", "s3:GetObjectTagging", "s3:PutBucketAcl", "s3:GetBucketLocation", "s3:PutBucketVersioning", "s3:PutObjectAcl", "s3:GetObjectVersion" ], "Resource": [ "arn:aws:s3:::buildpacks-oracle-client-libs", "arn:aws:s3:::buildpacks-oracle-client-libs/*" ] }, { "Sid": "VisualEditor1", "Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*" } ] }
---
pipelines/recipe-specs/recipe-specs.yml | 5 +++--
tasks/run-binary-builder-integration-specs/task.yml | 1 +
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/pipelines/recipe-specs/recipe-specs.yml b/pipelines/recipe-specs/recipe-specs.yml
index e699c4a8d..328b49982 100644
--- a/pipelines/recipe-specs/recipe-specs.yml
+++ b/pipelines/recipe-specs/recipe-specs.yml
@@ -84,8 +84,9 @@ jobs:
 SPEC_TO_RUN: #@ spec_name
 RUBYGEM_MIRROR: https://rubygems.org
 RUN_ORACLE_PHP_TESTS: true
- AWS_ACCESS_KEY_ID: ((oracle-client-library-s3-download-access-key))
- AWS_SECRET_ACCESS_KEY: ((oracle-client-library-s3-download-secret-key))
+ AWS_ACCESS_KEY_ID: ((svc-buildpacks-aws-ocldr-access-key))
+ AWS_SECRET_ACCESS_KEY: ((svc-buildpacks-aws-ocldr-secret-key))
+ AWS_ASSUME_ROLE_ARN: ((svc-buildpacks-aws-ocldr-assume-role-arn))
 AWS_DEFAULT_REGION: us-east-1
 ORACLE_LIBS_AWS_BUCKET: buildpacks-oracle-client-libs
 ORACLE_LIBS_FILENAME: oracle_client_libs.tgz
diff --git a/tasks/run-binary-builder-integration-specs/task.yml b/tasks/run-binary-builder-integration-specs/task.yml
index a3300efa5..bccedfc30 100644
--- a/tasks/run-binary-builder-integration-specs/task.yml
+++ b/tasks/run-binary-builder-integration-specs/task.yml
@@ -14,6 +14,7 @@ params:
 RUBYGEM_MIRROR:
 AWS_DEFAULT_REGION:
 AWS_ACCESS_KEY_ID:
+ AWS_ASSUME_ROLE_ARN:
 AWS_SECRET_ACCESS_KEY:
 ORACLE_LIBS_AWS_BUCKET:
 ORACLE_LIBS_FILENAME:
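Review bot: The role behind the new `AWS_ASSUME_ROLE_ARN` line looks broader than this job needs: the policy quoted in the commit description allows `s3:PutObject`, `s3:PutObjectAcl`, `s3:PutBucketAcl` and `s3:PutBucketVersioning` on `buildpacks-oracle-client-libs`, while the credentials being replaced were named `oracle-client-library-s3-download-*` and the job only names a file to fetch (`ORACLE_LIBS_FILENAME`). With those write and ACL actions, anything running inside this spec job could replace the tarball or change who can read the bucket. If the job is download-only (the consuming script is not in this diff, so that is an inference), the role could be cut to `"s3:GetObject"` on the object ARN plus `"s3:ListBucket"` on the bucket, and the `s3:ListAllMyBuckets` on `"*"` statement dropped. A ytt comment above the new line, e.g. `#! assumed role should stay read-only on ORACLE_LIBS_AWS_BUCKET`, would record that intent in the pipeline.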
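Review bot: `AWS_ASSUME_ROLE_ARN:` in task.yml is declared with an empty default, and nothing in this diff shows what the task does when it stays empty. The code that consumes it is outside this commit (the description points to binary-builder pull/76), so whether an unset value fails the run or falls back to using `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` directly cannot be checked from here. A fail-fast check in the task's run script, or at least a comment on the param such as `# required: role assumed for the Oracle client libs download`, would keep a misconfigured pipeline from quietly running on the long-lived keys. The `params:` block starts and continues outside the hunk.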