specs: support aws assume role

All pipeline jobs are moving away from direct AWS access to access via a service-user that can assume a role with privileges. See cloudfoundry/buildpacks-ci#318 The pipeline for the specs test is currently red. This change doesn't attempt to fix that.
cloudfoundry · Oct 4, 2023 · 2d87ac6 · 2d87ac6
1 parent b54badc
commit 2d87ac6
Show file tree

Hide file tree

Showing 4 changed files with 31 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -83,6 +83,8 @@ The project backlog is on [Pivotal Tracker](https://www.pivotaltracker.com/proje
 
 # Running the tests
 
-The integration test suite includes specs that test the functionality for building [PHP with Oracle client libraries](./PHP-Oracle.md). These tests are tagged `:run_oracle_php_tests` and require access to an S3 bucket containing the Oracle client libraries. This is configured using the environment variables `AWS_ACCESS_KEY` and `AWS_SECRET_ACCESS_KEY`
+The integration test suite includes specs that test the functionality for building [PHP with Oracle client libraries](./PHP-Oracle.md). These tests are tagged `:run_oracle_php_tests` and require access to an S3 bucket containing the Oracle client libraries. This is configured using the environment variables `AWS_ACCESS_KEY` and `AWS_SECRET_ACCESS_KEY`.
+
+Optionally provide `AWS_ASSUME_ROLE_ARN` to assume a role.
 
 If you do not need to test this functionality, exclude the tag `:run_oracle_php_tests` when you run `rspec`.
diff --git a/cflinuxfs4/README.md b/cflinuxfs4/README.md
@@ -85,4 +85,6 @@ The project backlog is on [Pivotal Tracker](https://www.pivotaltracker.com/proje
 
 The integration test suite includes specs that test the functionality for building [PHP with Oracle client libraries](./PHP-Oracle.md). These tests are tagged `:run_oracle_php_tests` and require access to an S3 bucket containing the Oracle client libraries. This is configured using the environment variables `AWS_ACCESS_KEY` and `AWS_SECRET_ACCESS_KEY`
 
+Optionally provide `AWS_ASSUME_ROLE_ARN` to assume a role.
+
 If you do not need to test this functionality, exclude the tag `:run_oracle_php_tests` when you run `rspec`.
diff --git a/cflinuxfs4/spec/spec_helper.rb b/cflinuxfs4/spec/spec_helper.rb
@@ -81,7 +81,19 @@ def setup_oracle_libs(dir_to_contain_oracle)
       s3_bucket = ENV['ORACLE_LIBS_AWS_BUCKET']
       libs_filename = ENV['ORACLE_LIBS_FILENAME']
 
-      system "aws s3 cp s3://#{s3_bucket}/#{libs_filename} ."
+      ## If AWS_ASSUME_ROLE_ARN is provides, switch to aws assume-role mode
+      if ENV['AWS_ASSUME_ROLE_ARN'] && !ENV['AWS_ASSUME_ROLE_ARN'].empty?
+        system <<-eof
+          uuid=$(cat /proc/sys/kernel/random/uuid)
+          RESULT="$(aws sts assume-role --role-arn "${AWS_ASSUME_ROLE_ARN}" --role-session-name "binary-builder-spec-${uuid}")"
+          export AWS_ACCESS_KEY_ID="$(echo "${RESULT}" |jq -r .Credentials.AccessKeyId)"
+          export AWS_SECRET_ACCESS_KEY="$(echo "${RESULT}" |jq -r .Credentials.SecretAccessKey)"
+          export AWS_SESSION_TOKEN="$(echo "${RESULT}" |jq -r .Credentials.SessionToken)"
+          aws s3 cp s3://#{s3_bucket}/#{libs_filename} .
+        eof
+      else
+        system "aws s3 cp s3://#{s3_bucket}/#{libs_filename} ."
+      end
       system "tar -xvf #{libs_filename}"
     end
   end

diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
@@ -81,7 +81,19 @@ def setup_oracle_libs(dir_to_contain_oracle)
       s3_bucket = ENV['ORACLE_LIBS_AWS_BUCKET']
       libs_filename = ENV['ORACLE_LIBS_FILENAME']
 
-      system "aws s3 cp s3://#{s3_bucket}/#{libs_filename} ."
+      ## If AWS_ASSUME_ROLE_ARN is provides, switch to aws assume-role mode
+      if ENV['AWS_ASSUME_ROLE_ARN'] && !ENV['AWS_ASSUME_ROLE_ARN'].empty?
+        system <<-eof
+          uuid=$(cat /proc/sys/kernel/random/uuid)
+          RESULT="$(aws sts assume-role --role-arn "${AWS_ASSUME_ROLE_ARN}" --role-session-name "binary-builder-spec-${uuid}")"
+          export AWS_ACCESS_KEY_ID="$(echo "${RESULT}" |jq -r .Credentials.AccessKeyId)"
+          export AWS_SECRET_ACCESS_KEY="$(echo "${RESULT}" |jq -r .Credentials.SecretAccessKey)"
+          export AWS_SESSION_TOKEN="$(echo "${RESULT}" |jq -r .Credentials.SessionToken)"
+          aws s3 cp s3://#{s3_bucket}/#{libs_filename} .
+        eof
+      else
+        system "aws s3 cp s3://#{s3_bucket}/#{libs_filename} ."
+      end
       system "tar -xvf #{libs_filename}"
     end
   end
Original file line number	Diff line number	Diff line change
Expand Up		@@ -85,4 +85,6 @@ The project backlog is on [Pivotal Tracker](https://www.pivotaltracker.com/proje

		The integration test suite includes specs that test the functionality for building [PHP with Oracle client libraries](./PHP-Oracle.md). These tests are tagged `:run_oracle_php_tests` and require access to an S3 bucket containing the Oracle client libraries. This is configured using the environment variables `AWS_ACCESS_KEY` and `AWS_SECRET_ACCESS_KEY`

		Optionally provide `AWS_ASSUME_ROLE_ARN` to assume a role.

		If you do not need to test this functionality, exclude the tag `:run_oracle_php_tests` when you run `rspec`.