Feature request - aws-ecr-push-image - add simpler Support for cross account access to ECR repos

Einar Coutin July 6, 2022

As it stands aws-ecr-push-image only supports either Access Keys or OIDC. OIDC is overkill for our scenarios and Access Keys are limited and insecure, even if encrypted, plus you have to support multiple keys for multiple scenarios. Instead please add support for either of the following.
1.-The ability to specify an Account ID to log in against its docker registry in ECR, right now the code simply picks it up from the Access Keys and there's no way to change that. This was already requested here, and the developer dropped from the community since April 2020.
Solved: AWS ECR Push Image Specify Registry ID (atlassian.com)
About Alexander Zhukov - Atlassian Community

2.-The ability to specify standard AWS STS Assume Role for cross account access. If you already have OIDC support which is way too complex for a simple AWS IAM operation you can add STS Assume Role as well. As a matter of fact you can see how the underlying boto SDK is skipping over that sts:assumeRole API call in the current pipe's logs.

Why this request?

Because you can have a bitbucket runner in an account not accessible to your users but you still want to push images over to an account that they do have access to so they can have visibility for things like Scan Results, etc. Option 1 can be matched by a Resource Policy in the ECR repository while Option 2 allows to log into the actual AWS account where the repo lives.

 Also, it would be nice to have a Jira ticket to track this issue for us customers to see its progress and to know it was actually picked up.

0 comments

Comment

Log in or Sign up to comment
TAGS
AUG Leaders

Atlassian Community Events