Create
cancel
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Celebration

Earn badges and make progress

You're on your way to the next level! Join the Kudos program to earn points and save your progress.

Deleted user Avatar
Deleted user

Level 1: Seed

25 / 150 points

Next: Root

Avatar

1 badge earned

Collect

Participate in fun challenges

Challenges come and go, but your rewards stay with you. Do more to earn more!

Challenges
Coins

Gift kudos to your peers

What goes around comes around! Share the love by gifting kudos to your peers.

Recognition
Ribbon

Rise up in the ranks

Keep earning points to reach the top of the leaderboard. It resets every quarter so you always have a chance!

Leaderboard

Come for the products,
stay for the community

The Atlassian Community can help you and your team get more value out of Atlassian products and practices.

Atlassian Community about banner
4,455,522
Community Members
 
Community Events
175
Community Groups

Feature request - aws-ecr-push-image - add simpler Support for cross account access to ECR repos

Edited

As it stands aws-ecr-push-image only supports either Access Keys or OIDC. OIDC is overkill for our scenarios and Access Keys are limited and insecure, even if encrypted, plus you have to support multiple keys for multiple scenarios. Instead please add support for either of the following.
1.-The ability to specify an Account ID to log in against its docker registry in ECR, right now the code simply picks it up from the Access Keys and there's no way to change that. This was already requested here, and the developer dropped from the community since April 2020.
Solved: AWS ECR Push Image Specify Registry ID (atlassian.com)
About Alexander Zhukov - Atlassian Community

2.-The ability to specify standard AWS STS Assume Role for cross account access. If you already have OIDC support which is way too complex for a simple AWS IAM operation you can add STS Assume Role as well. As a matter of fact you can see how the underlying boto SDK is skipping over that sts:assumeRole API call in the current pipe's logs.

Why this request?

Because you can have a bitbucket runner in an account not accessible to your users but you still want to push images over to an account that they do have access to so they can have visibility for things like Scan Results, etc. Option 1 can be matched by a Resource Policy in the ECR repository while Option 2 allows to log into the actual AWS account where the repo lives.

 Also, it would be nice to have a Jira ticket to track this issue for us customers to see its progress and to know it was actually picked up.

0 comments

Comment

Log in or Sign up to comment
TAGS

Atlassian Community Events