It seems possible to pull private images from ECR, but only with credentials stored in the same AWS account as the ECR registry.
My case and infosec setup is such that accounts and authentication aren't in the same AWS account as the ECR, and I'm using role assumption, a standard AWS feature that's been there for years.
Is there any way to convince Bitbucket Pipelines to authenticate with the provided keys, then assume a role, and only then fetch the ECR image?
Current Bitbucket Pipelines way of using private images:
image: name: <aws_ECRREPO_account>.dkr.ecr.<region>.amazonaws.com/<image>:<tag> aws: access-key: $AWS_ACCESS_KEY secret-key: $AWS_SECRET_KEY
What I would like to be able to do:
image: name: <aws_ECRREPO_account>.dkr.ecr.<region>.amazonaws.com/<image>:<tag> aws:
access-key: $AWS_ACCESS_KEY secret-key: $AWS_SECRET_KEY
assume-role: arn:aws:iam::<aws_ECRREPO_account>:role/ECRPowerUser
Where the AWS access/secret keys are those of a user in a _different_ AWS account (an InfoSec AWS account, which has permission to assume cross-account role into the ECR-hosting AWS account).
Hope this makes sense.
Thanks.
@Greg @David Corto I guess, you can try if the next feature will be implemented https://jira.atlassian.com/browse/BCLOUD-13014 (you would add role arn variable for assuming, for example).
I linked this, because you can vote for this feature .
Or if this does not suit, create a new suggestion request and we will gather votes for it to see if that is in wide interest.
Regards, Galyna
You also may want to play with service definitions. Look how to define own service with variables here https://support.atlassian.com/bitbucket-cloud/docs/databases-and-service-containers/#Define-a-service
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
We are facing the same situation.
Would be great have the 'assume-role' option
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.