You're on your way to the next level! Join the Kudos program to earn points and save your progress.
Level 1: Seed
25 / 150 points
1 badge earned
Challenges come and go, but your rewards stay with you. Do more to earn more!
What goes around comes around! Share the love by gifting kudos to your peers.
Keep earning points to reach the top of the leaderboard. It resets every quarter so you always have a chance!
Join now to unlock these features and more
As it stands aws-ecr-push-image only supports either Access Keys or OIDC. OIDC is overkill for our scenarios and Access Keys are limited and insecure, even if encrypted, plus you have to support multiple keys for multiple scenarios. Instead please add support for either of the following.
1.-The ability to specify an Account ID to log in against its docker registry in ECR, right now the code simply picks it up from the Access Keys and there's no way to change that. This was already requested here, and the developer dropped from the community since April 2020.
Solved: AWS ECR Push Image Specify Registry ID (atlassian.com)
About Alexander Zhukov - Atlassian Community
2.-The ability to specify standard AWS STS Assume Role for cross account access. If you already have OIDC support which is way too complex for a simple AWS IAM operation you can add STS Assume Role as well. As a matter of fact you can see how the underlying boto SDK is skipping over that sts:assumeRole API call in the current pipe's logs.
Why this request?
Because you can have a bitbucket runner in an account not accessible to your users but you still want to push images over to an account that they do have access to so they can have visibility for things like Scan Results, etc. Option 1 can be matched by a Resource Policy in the ECR repository while Option 2 allows to log into the actual AWS account where the repo lives.
Also, it would be nice to have a Jira ticket to track this issue for us customers to see its progress and to know it was actually picked up.