I tried following the instructions at https://support.atlassian.com/bitbucket-cloud/docs/use-aws-ecr-images-in-pipelines-with-openid-connect/ but so far have not been able to get a pipeline to pull an image from AWS ECR. I am using a bitbucket-runner that is self-hosted in AWS EKS.
I always see the following error from my bitbucket-runner Pod logs (and nothing about trying to authenticate with OIDC):
[2026-04-17 21:28:11,825] Pulling image <account>.dkr.ecr.us-east-2.amazonaws.com/<image>.
[2026-04-17 21:28:11,825] Looking for auth in config for image Image{name=<account>.dkr.ecr.us-east-2.amazonaws.com/<image>, runAsUser=None, auth=None} and found auth null
[2026-04-17 21:28:11,844] An error occurred whilst pulling image.
com.atlassian.pipelines.runner.core.exception.ImagePullException: Unable to pull image: failed to resolve reference \"<account>.dkr.ecr.us-east-2.amazonaws.
com/<image>\": pull access denied, repository does not exist or may require authorization: authorization failed: no basic auth credentials
My pipeline looks like:
pipelines:
pull-requests:
'**':
- step:
name: "On PR"
image: <account>.dkr.ecr.us-east-2.amazonaws.com/<image>
aws:
oidc-role: arn:aws:iam::<account>:role/<role-name-with-trusted-entity-to-bitbucket-oidc-provider>
oidc: true
runs-on:
- self.hosted
- linux
script:
- echo "hello world"
I'd appreciate any help with this issue. Thanks!
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.