Docker base image fails to pull from ECR when using OpenID

kbohdan
November 6, 2024

When I use a custom image hosted in AWS ECR as the Dockerfile base image in a pipeline, it fails to pull. The pipeline is configured to use OpenID. Moreover, the same image is successfully used as the pipeline step image.

The pipeline example:

 

```
image:
  name: {aws-account-id}.dkr.ecr.us-east-1.amazonaws.com/vs-openjdk:21
  aws:
    oidc-role: $AWS_OIDC_ROLE_ARN

defaults: &oidc_step_config
  oidc: true
  image:
    name: {aws-account-id}.dkr.ecr.us-east-1.amazonaws.com/vs-openjdk:21
    aws:
      oidc-role: $AWS_OIDC_ROLE_ARN

pipelines:
  branches:
    main:
      - step:
          <<: *oidc_step_config
          name: Build Executable Jar
          script:
            - ./gradlew test bootJar
          artifacts:
            - build/libs/{java-application-name}.jar
      - step:
          <<: *oidc_step_config
          name: Build & Publish Docker Image
          script:
            - docker build -t $IMAGE_NAME:$BITBUCKET_BUILD_NUMBER .
            - pipe: atlassian/aws-ecr-push-image:2.4.2
              variables:
                AWS_OIDC_ROLE_ARN: $AWS_OIDC_ROLE_ARN
                IMAGE_NAME: $IMAGE_NAME
                TAGS: $BITBUCKET_BUILD_NUMBER
          services:
            - docker
          caches:
            - docker
```

The shortened example of the Dockerfile:

```

FROM {aws-account-id}.dkr.ecr.us-east-1.amazonaws.com/vs-openjdk:21

WORKDIR /usr/server/

...

```

Why does it fail on the FROM step of the Dockerfile build? When I use a public image it runs well.

1 answer

2 votes
Theodora Boudale
Atlassian Team
November 12, 2024

Hi @kbohdan and welcome to the community!

You will need to configure this step to assume the created role and then authenticate Docker to the Amazon ECR private registry.

An example is shared in the following documentation, section "Configure build to assume the created role":

I have adjusted the example from this page to your use case:

```
- step:
    oidc: true
    script:
      - export AWS_REGION=<REGION>
      - export AWS_ROLE_ARN=arn:aws:iam::XXXXXXXXXXXX:role/oidc-demo
      - export AWS_WEB_IDENTITY_TOKEN_FILE=$(pwd)/web-identity-token
      - echo $BITBUCKET_STEP_OIDC_TOKEN > $(pwd)/web-identity-token
      - aws ecr get-login-password --region <REGION> | docker login --username AWS --password-stdin <AWS_ACCOUNT_ID>.dkr.ecr.<REGION>.amazonaws.com
      - docker build <other arguments>
```

Does this work for you?

Kind regards,
Theodora

kbohdan
December 3, 2024

That works well! Thanks, Theodora

Theodora Boudale
Atlassian Team
December 4, 2024

That's good to hear and you're very welcome! Please feel free to reach out if you ever need anything else!
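
The login step from the answer above, generalized as an added example that is not part of the thread or of Atlassian's documentation: it reads the Dockerfile's `FROM` lines, finds every private ECR registry host, and logs Docker in to each one with the step's OIDC token. The script name `ecr-login.sh` and the function names are hypothetical; it assumes `oidc: true` on the step, the `aws` and `docker` CLIs in the build image, and the role ARN in `AWS_ROLE_ARN` or `AWS_OIDC_ROLE_ARN`. The token file is created with `mktemp` so that it stays outside the directory sent as the `docker build .` context.

```shell
#!/bin/sh
# Added example (not from the thread): log the Docker client in to every private
# ECR registry that a Dockerfile's FROM lines reference, using the step's OIDC token.
# Assumes oidc: true on the step and AWS_ROLE_ARN or AWS_OIDC_ROLE_ARN set.
set -eu

# Print the unique ECR registry hosts named in FROM lines (flags such as
# --platform are skipped; public images and stage names are ignored).
ecr_registries() {
    awk 'toupper($1) == "FROM" {
             i = 2
             while (i <= NF && $i ~ /^--/) i++
             split($i, part, "/")
             if (part[1] ~ /^[0-9]+\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com$/) print part[1]
         }' "$1" | sort -u
}

# <account>.dkr.ecr.<region>.amazonaws.com -> <region>
ecr_region() {
    printf '%s\n' "$1" | cut -d. -f4
}

ecr_login_all() {
    umask 077                                   # token file readable by this user only
    token_file=$(mktemp)                        # outside the clone dir / build context
    printf '%s' "$BITBUCKET_STEP_OIDC_TOKEN" > "$token_file"
    export AWS_WEB_IDENTITY_TOKEN_FILE="$token_file"
    export AWS_ROLE_ARN="${AWS_ROLE_ARN:-$AWS_OIDC_ROLE_ARN}"
    for registry in $(ecr_registries "$1"); do
        aws ecr get-login-password --region "$(ecr_region "$registry")" |
            docker login --username AWS --password-stdin "$registry"
    done
    rm -f "$token_file"                         # the short-lived token is no longer needed
    unset AWS_WEB_IDENTITY_TOKEN_FILE
}

# Usage: sh ecr-login.sh Dockerfile   (run before docker build)
if [ "$#" -gt 0 ]; then
    ecr_login_all "$1"
fi
```

Because `set -u` is on, the script stops before any login attempt if the step lacks `oidc: true` (no `BITBUCKET_STEP_OIDC_TOKEN`) or no role ARN is set.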
