Create
cancel
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in

It's not the same without you

Join the community to find out what other Atlassian users are discussing, debating and creating.

Atlassian Community Hero Image Collage

Private pipeline image - AWS ECR and cross-account role assumption

It seems possible to pull private images from ECR, but only with credentials stored in the same AWS account as the ECR registry.

My case and infosec setup is such that accounts and authentication aren't in the same AWS account as the ECR, and I'm using role assumption, a standard AWS feature that's been there for years.

Is there any way to convince Bitbucket Pipelines to authenticate with the provided keys, then assume a role, and only then fetch the ECR image?

Current Bitbucket Pipelines way of using private images:

image:
  name: <aws_ECRREPO_account>.dkr.ecr.<region>.amazonaws.com/<image>:<tag>
  aws: 
    access-key: $AWS_ACCESS_KEY
    secret-key: $AWS_SECRET_KEY

What I would like to be able to do:

image:
  name: <aws_ECRREPO_account>.dkr.ecr.<region>.amazonaws.com/<image>:<tag>
  aws: 
access-key: $AWS_ACCESS_KEY secret-key: $AWS_SECRET_KEY
    assume-role: arn:aws:iam::<aws_ECRREPO_account>:role/ECRPowerUser

Where the AWS access/secret keys are those of a user in a _different_ AWS account (an InfoSec AWS account, which has permission to assume cross-account role into the ECR-hosting AWS account).

Hope this makes sense.

Thanks.

2 answers

@Greg @David Corto  I guess, you can try if the next feature will be implemented https://jira.atlassian.com/browse/BCLOUD-13014 (you would add role arn variable for assuming, for example).

I linked this, because you can vote for this feature .

 

Or if this does not suit, create a new suggestion request and we will gather votes for it to see if that is in wide interest.

Regards, Galyna

You also may want to play with service definitions. Look how to define own service with variables here https://support.atlassian.com/bitbucket-cloud/docs/databases-and-service-containers/#Define-a-service

We are facing the same situation.

 

Would be great have the 'assume-role' option  

Suggest an answer

Log in or Sign up to answer
TAGS
Community showcase
Published in Confluence Cloud

🎨 Add some visual life to your templates

Hi Atlassian Community, My name is Avni Barman, and I am a Product Manager on the Confluence Cloud team. Based on feedback from you, we are giving admins more power to create templates that a...

89 views 1 3
Read article

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you