From e53b18e788161c8c0189fb1e61b64d4c649ded22 Mon Sep 17 00:00:00 2001
From: Chris McKeen
Date: Thu, 30 Sep 2021 16:08:40 -0400
Subject: [PATCH 1/4] Only use anon credentials for public s3 buckets
---
 main.go | 6 ++++++
 storage/backend/s3/config.go | 1 +
 storage/backend/s3/s3.go | 6 +++++-
 3 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/main.go b/main.go
index 057bd070..0f06c68c 100644
--- a/main.go
+++ b/main.go
@@ -363,6 +363,11 @@ func main() {
 Usage: "server-side encryption algorithm, defaults to none. (AES256, aws:kms)",
 EnvVars: []string{"PLUGIN_ENCRYPTION", "AWS_ENCRYPTION"},
 },
+ &cli.StringFlag{
+ Name: "s3-bucket-public",
+ Usage: "Set to use anonymous credentials with public S3 bucket",
+ EnvVars: []string{"PLUGIN_S3_BUCKET_PUBLIC", "S3_BUCKET_PUBLIC"},
+ },
 &cli.StringFlag{
 Name: "sts-endpoint",
 Usage: "Custom STS endpoint for IAM role assumption",
@@ -546,6 +551,7 @@ func run(c *cli.Context) error {
 Endpoint: c.String("endpoint"),
 Key: c.String("access-key"),
 PathStyle: c.Bool("path-style"),
+ Public: c.Bool("s3-bucket-public"),
 Region: c.String("region"),
 Secret: c.String("secret-key"),
 StsEndpoint: c.String("sts-endpoint"),
diff --git a/storage/backend/s3/config.go b/storage/backend/s3/config.go
index cfc575a8..ac84b7bf 100644
--- a/storage/backend/s3/config.go
+++ b/storage/backend/s3/config.go
@@ -15,6 +15,7 @@ type Config struct {
 Encryption string // if not "", enables server-side encryption. valid values are: AES256, aws:kms.
 Endpoint string
 Key string
+ Public bool
 StsEndpoint string
 RoleArn string // if "", do not assume IAM role i.e. use the IAM user.
diff --git a/storage/backend/s3/s3.go b/storage/backend/s3/s3.go
index d11caa32..7ed3c53e 100644
--- a/storage/backend/s3/s3.go
+++ b/storage/backend/s3/s3.go
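Review bot: `s3-bucket-public` is declared as a `cli.StringFlag` in the first main.go hunk but read with `c.Bool("s3-bucket-public")` on the `Public:` line of the second hunk in run, so the flag's type and its accessor disagree. If the cli library resolves `c.Bool` on a string-typed flag by parsing the stored string, then values such as `true` or `1` will work while the bare switch form `--s3-bucket-public` is rejected for lacking an argument; I have not verified this against the cli version the module pins. Declaring it as `&cli.BoolFlag{` keeps the accessor and the flag consistent and turns the README's `--s3-bucket-public value` help line into a plain switch when regenerated. Because this flag downgrades the request to anonymous credentials, a value that silently parses as false is the safer failure mode, but the mismatch should be fixed rather than relied on.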
@@ -36,7 +36,11 @@ func New(l log.Logger, c Config, debug bool) (*Backend, error) {
 Endpoint: &c.Endpoint,
 DisableSSL: aws.Bool(!strings.HasPrefix(c.Endpoint, "https://")),
 S3ForcePathStyle: aws.Bool(c.PathStyle),
- Credentials: credentials.AnonymousCredentials,
+ }
+
+ // Use anonymous credentials if the S3 bucket is public
+ if c.Public {
+ conf.Credentials = credentials.AnonymousCredentials
 }
 if c.Key != "" && c.Secret != "" {
From f0d34afa750a76685bdae3e6c1c1f591ad4e0369 Mon Sep 17 00:00:00 2001
From: Chris McKeen
Date: Fri, 1 Oct 2021 11:11:16 -0400
Subject: [PATCH 2/4] optimize struct
---
 storage/backend/s3/config.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/storage/backend/s3/config.go b/storage/backend/s3/config.go
index ac84b7bf..7692b856 100644
--- a/storage/backend/s3/config.go
+++ b/storage/backend/s3/config.go
@@ -15,7 +15,6 @@ type Config struct {
 Encryption string // if not "", enables server-side encryption. valid values are: AES256, aws:kms.
 Endpoint string
 Key string
- Public bool
 StsEndpoint string
 RoleArn string // if "", do not assume IAM role i.e. use the IAM user.
@@ -31,4 +30,5 @@ type Config struct {
 Secret string
 PathStyle bool // Use path style instead of domain style. Should be true for minio and false for AWS.
+ Public bool
 }
From 532a3be5ae83bf7d8f31921c0fc9c1c6b10fed71 Mon Sep 17 00:00:00 2001
From: Chris McKeen
Date: Fri, 1 Oct 2021 12:56:07 -0400
Subject: [PATCH 3/4] update readme
---
 README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index 3dccf5ca..fdd2b928 100644
--- a/README.md
+++ b/README.md
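Review bot: The new `if c.Public` branch is the only place credentials are set in this hunk, but the comment does not say what the non-public path relies on or how `Public` interacts with the `if c.Key != "" && c.Secret != ""` block that follows — presumably static keys overwrite the anonymous provider when both are supplied, which is the opposite of what the flag name suggests, and a bucket meant to be read anonymously would then be accessed with whatever keys happen to be in the environment. Extend the comment to `// Use anonymous credentials if the S3 bucket is public; otherwise leave conf.Credentials unset so the SDK's default provider chain (env, shared config, instance/role credentials) is used. Explicit access/secret keys below take precedence.` once that precedence is confirmed, or return an error from New when Public is combined with Key/Secret so the misconfiguration is visible rather than silent. The body of New continues outside the hunk.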
@@ -180,6 +180,7 @@ GLOBAL OPTIONS:
 --path-style AWS path style to use for bucket paths. (true for minio, false for aws) (default: false) [$PLUGIN_PATH_STYLE, $AWS_PLUGIN_PATH_STYLE]
 --acl value upload files with acl (private, public-read, ...) (default: "private") [$PLUGIN_ACL, $AWS_ACL]
 --encryption value server-side encryption algorithm, defaults to none. (AES256, aws:kms) [$PLUGIN_ENCRYPTION, $AWS_ENCRYPTION]
+ --s3-bucket-public value Set to use anonymous credentials with public S3 bucket [$PLUGIN_S3_BUCKET_PUBLIC, $S3_BUCKET_PUBLIC]
 --sts-endpoint value Custom STS endpoint for IAM role assumption [$PLUGIN_STS_ENDPOINT, $AWS_STS_ENDPOINT]
 --role-arn value AWS IAM role ARN to assume [$PLUGIN_ASSUME_ROLE_ARN, $AWS_ASSUME_ROLE_ARN]
 --gcs.api-key value Google service account API key [$PLUGIN_API_KEY, $GCP_API_KEY]
From fcbec60385bcb81d82b3e840a981461e03325f6b Mon Sep 17 00:00:00 2001
From: Chris McKeen
Date: Fri, 1 Oct 2021 16:43:38 -0400
Subject: [PATCH 4/4] Update CHANGELOG.md
---
 CHANGELOG.md | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3a1d22c1..78e75b3d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -23,6 +23,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Nothing.
+## [1.2.2] - 2021-10-01
+
+- [#188](https://github.com/meltwater/drone-cache/pull/188) v1.2.0 breaks EC2 IAM role bucket access
+
 ## [1.2.1] - 2021-09-30
 ### Added