It seems possible to pull private images from ECR, but only with credentials stored in the same AWS account as the ECR registry.
My case and infosec setup is such that accounts and authentication aren't in the same AWS account as the ECR, and I'm using role assumption, a standard AWS feature that's been there for years.
Is there any way to convince Bitbucket Pipelines to authenticate with the provided keys, then assume a role, and only then fetch the ECR image?
Current Bitbucket Pipelines way of using private images:
image: name: <aws_ECRREPO_account>.dkr.ecr.<region>.amazonaws.com/<image>:<tag> aws: access-key: $AWS_ACCESS_KEY secret-key: $AWS_SECRET_KEY
What I would like to be able to do:
image: name: <aws_ECRREPO_account>.dkr.ecr.<region>.amazonaws.com/<image>:<tag> aws:
access-key: $AWS_ACCESS_KEY secret-key: $AWS_SECRET_KEY
Where the AWS access/secret keys are those of a user in a _different_ AWS account (an InfoSec AWS account, which has permission to assume cross-account role into the ECR-hosting AWS account).
Hope this makes sense.
I linked this, because you can vote for this feature .
Or if this does not suit, create a new suggestion request and we will gather votes for it to see if that is in wide interest.
You also may want to play with service definitions. Look how to define own service with variables here https://support.atlassian.com/bitbucket-cloud/docs/databases-and-service-containers/#Define-a-service
Hi Atlassian Community, My name is Avni Barman, and I am a Product Manager on the Confluence Cloud team. Based on feedback from you, we are giving admins more power to create templates that a...
Connect with like-minded Atlassian users at free events near you!Find an event
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no Community Events near you at the moment.Host an event
You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events