Private pipeline image - AWS ECR and cross-account role assumption

Greg April 27, 2020

It seems possible to pull private images from ECR, but only with credentials stored in the same AWS account as the ECR registry.

My case and infosec setup are such that accounts and authentication aren't in the same AWS account as the ECR, and I'm using role assumption, a standard AWS feature that's been there for years.

Is there any way to convince Bitbucket Pipelines to authenticate with the provided keys, then assume a role, and only then fetch the ECR image?

Current Bitbucket Pipelines way of using private images:

image:
  name: <aws_ECRREPO_account>.dkr.ecr.<region>.amazonaws.com/<image>:<tag>
  aws: 
    access-key: $AWS_ACCESS_KEY
    secret-key: $AWS_SECRET_KEY

What I would like to be able to do:

image:
  name: <aws_ECRREPO_account>.dkr.ecr.<region>.amazonaws.com/<image>:<tag>
  aws:
    access-key: $AWS_ACCESS_KEY
    secret-key: $AWS_SECRET_KEY
    assume-role: arn:aws:iam::<aws_ECRREPO_account>:role/ECRPowerUser

Where the AWS access/secret keys are those of a user in a _different_ AWS account (an InfoSec AWS account, which has permission to assume cross-account role into the ECR-hosting AWS account).

Hope this makes sense.

Thanks.
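Until the `image: aws:` block grows an assume-role option, the same outcome can be reached by doing the role assumption in the step script and pulling the image explicitly. The following bitbucket-pipelines.yml is an added example, not code from the original post or from Atlassian: it authenticates with the InfoSec-account keys, calls STS AssumeRole into the ECR-hosting account, and only then logs in to ECR and pulls. The variable names `ECR_ROLE_ARN`, `ECR_REGISTRY` and `AWS_REGION`, the `python:3.12-slim` base image, and the use of `pip` to install the AWS CLI are assumptions; `<image>:<tag>` placeholders are kept from the question.

```yaml
# bitbucket-pipelines.yml (added example, not from the original post)
#
# Assumed repository variables (names are assumptions):
#   AWS_ACCESS_KEY / AWS_SECRET_KEY  IAM user in the InfoSec account (mark as secured)
#   ECR_ROLE_ARN                      arn:aws:iam::<aws_ECRREPO_account>:role/ECRPowerUser
#   ECR_REGISTRY                      <aws_ECRREPO_account>.dkr.ecr.<region>.amazonaws.com
#   AWS_REGION                        <region>
#
# The build container is a public image; the private ECR image is pulled
# inside the step, after the cross-account role has been assumed.
image: python:3.12-slim

pipelines:
  default:
    - step:
        name: Pull private ECR image via cross-account role
        services:
          - docker          # makes the docker CLI available in the build container
        script:
          - pip install --quiet awscli
          # 1. Base identity: the InfoSec-account IAM user from the repository variables.
          - export AWS_ACCESS_KEY_ID="$AWS_ACCESS_KEY" AWS_SECRET_ACCESS_KEY="$AWS_SECRET_KEY"
          # 2. Trade it for short-lived credentials in the ECR-hosting account.
          #    The three values come back tab-separated on one line, so `read` splits them.
          - >-
            read -r AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN <<< "$(aws sts assume-role
            --role-arn "$ECR_ROLE_ARN"
            --role-session-name "bitbucket-${BITBUCKET_BUILD_NUMBER}"
            --duration-seconds 900
            --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]'
            --output text)"
          - export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
          # 3. Check that we are now the assumed role and not still the base user;
          #    the step fails here if AssumeRole returned nothing.
          - aws sts get-caller-identity --query Arn --output text | grep -q ":assumed-role/${ECR_ROLE_ARN##*/}/"
          # 4. Log in to ECR with the temporary credentials and pull the private image.
          - aws ecr get-login-password --region "$AWS_REGION" | docker login --username AWS --password-stdin "$ECR_REGISTRY"
          - docker pull "$ECR_REGISTRY/<image>:<tag>"
          - docker run --rm "$ECR_REGISTRY/<image>:<tag>" <your command>
```

For this to work, the role in the ECR-hosting account needs a trust policy that allows the InfoSec-account IAM user (or its account) to call `sts:AssumeRole`, and a permission policy granting at least `ecr:GetAuthorizationToken`, `ecr:BatchCheckLayerAvailability`, `ecr:GetDownloadUrlForLayer` and `ecr:BatchGetImage` on the repository. Keeping `--duration-seconds` at the 900-second minimum limits how long a leaked session token is useful.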

2 answers

2 votes
Halyna Berezovska
Atlassian Team
March 16, 2021

@Greg @David Corto I guess you can try this once the next feature is implemented: https://jira.atlassian.com/browse/BCLOUD-13014 (you would add a role ARN variable for assuming, for example).

I linked this because you can vote for this feature.

Or, if this does not suit, create a new suggestion request and we will gather votes for it to see whether there is wide interest.

Regards, Galyna

Halyna Berezovska
Atlassian Team
March 16, 2021

You also may want to play with service definitions. See how to define your own service with variables here: https://support.atlassian.com/bitbucket-cloud/docs/databases-and-service-containers/#Define-a-service

1 vote
David Corto January 21, 2021

We are facing the same situation.

Would be great to have the 'assume-role' option.
