Use a new S3 bucket instead of mciuploads (#900)

This is being done for two reasons.

First, we want to move projects away from all using the shared `mciuploads` bucket.

Second, the credentials to access `mciuploads` are only available for the DB Tools Evergreen project for the `master` branch. When we make a PR off a different branch, we cannot see those credentials. That means those branches cannot interact with S3 in CI, which leads to lots of CI failures. Switching to a new bucket and using `role_arn` to access that bucket means this works on any branch.

This also changes all our S3 uploads to be private, but I don't think there was any reason for these to be publicly readable. People outside MongoDB can't see Evergreen logs, so they'd have no way to find the relevant URLs anyway.

Author: autarch

common.yml

@@ -265,8 +265,7 @@ functions:
     # upload individual release artifacts to task page
     - command: s3.put
       params:
-        aws_key: ${aws_key}
-        aws_secret: ${aws_secret}
+        role_arn: arn:aws:iam::391144487543:role/evergreen-project-mongo-tools
         local_files_include_filter:
           - src/github.com/mongodb/mongo-tools/mongodb-database-tools*.deb
           - src/github.com/mongodb/mongo-tools/mongodb-database-tools*.msi
@@ -275,8 +274,9 @@ functions:
           - src/github.com/mongodb/mongo-tools/mongodb-database-tools*.zip
         remote_file: mongo-tools/pkgs/${build_id}/
         content_type: application/octet-stream
-        bucket: mciuploads
-        permissions: public-read
+        bucket: evergreen-project-mongo-tools-i6qg5nn6nbm
+        permissions: private
+        visibility: signed
         display_name: "Release Artifact - "
 
     # pack all release artifacts into a tarball and upload them to one
@@ -291,25 +291,25 @@ functions:
           - mongodb-database-tools*.rpm
           - mongodb-database-tools*.tgz
           - mongodb-database-tools*.zip
+
     - command: s3.put
       params:
-        aws_key: ${aws_key}
-        aws_secret: ${aws_secret}
+        role_arn: arn:aws:iam::391144487543:role/evergreen-project-mongo-tools
         local_file: src/github.com/mongodb/mongo-tools/upload.tgz
         remote_file: mongo-tools/task/dist/${build_id}/all-release-artifacts.tgz
         content_type: application/x-gzip
-        bucket: mciuploads
-        permissions: public-read
+        bucket: evergreen-project-mongo-tools-i6qg5nn6nbm
+        permissions: private
+        visibility: signed
         display_name: All Release Artifacts (.tgz)
 
   "fetch dist release artifacts":
     - command: s3.get
       params:
-        aws_key: ${aws_key}
-        aws_secret: ${aws_secret}
+        role_arn: arn:aws:iam::391144487543:role/evergreen-project-mongo-tools
         remote_file: mongo-tools/task/dist/${build_id}/all-release-artifacts.tgz
         extract_to: src/github.com/mongodb/mongo-tools/
-        bucket: mciuploads
+        bucket: evergreen-project-mongo-tools-i6qg5nn6nbm
 
   "sign artifacts":
     command: shell.exec
@@ -335,10 +335,10 @@ functions:
         working_dir: src/github.com/mongodb/mongo-tools
         script: |
           rm -rf ./mongorestore/testdata/longcollectionname/
+
     - command: s3.put
       params:
-        aws_key: ${aws_key}
-        aws_secret: ${aws_secret}
+        role_arn: arn:aws:iam::391144487543:role/evergreen-project-mongo-tools
         local_files_include_filter:
           - src/github.com/mongodb/mongo-tools/mongodb-database-tools*.sig
           - src/github.com/mongodb/mongo-tools/mongodb-database-tools*.deb
@@ -347,8 +347,9 @@ functions:
           - src/github.com/mongodb/mongo-tools/mongodb-database-tools*.tgz
           - src/github.com/mongodb/mongo-tools/mongodb-database-tools*.zip
         remote_file: mongo-tools/task/sign/${build_id}/
-        bucket: mciuploads
-        permissions: public-read
+        bucket: evergreen-project-mongo-tools-i6qg5nn6nbm
+        permissions: private
+        visibility: signed
         content_type: application/octet-stream
 
   "upload release packages to s3":
@@ -366,16 +367,17 @@ functions:
         script: |
           ${_set_shell_env}
           go run release/release.go upload-json
+
     - command: s3.put
       params:
-        aws_key: ${aws_key}
-        aws_secret: ${aws_secret}
+        role_arn: arn:aws:iam::391144487543:role/evergreen-project-mongo-tools
         local_file: src/github.com/mongodb/mongo-tools/release.json
         remote_file: mongo-tools/release/${build_id}/
         optional: true
         content_type: application/json
-        bucket: mciuploads
-        permissions: public-read
+        bucket: evergreen-project-mongo-tools-i6qg5nn6nbm
+        permissions: private
+        visibility: signed
 
   "generate full JSON feed":
     - command: shell.exec