I would like to host pipes in a private ECR repository.
I understand that I can access the images like so:
```yaml
pipe: docker://my-ecr-repo/image:version
aws:
  access-key: $AWS_ACCESS_KEY_ID
  secret-key: $AWS_SECRET_ACCESS_KEY
```
I am wondering if there is an undocumented way to use OIDC instead.
@Georg Duemlein hi.
Pipes support only public Docker images.
For OIDC support check this pipe for implementation: aws-ecr-push-image
Regards, Igor
Is it correct that the `aws-ecr-push-image` example refers to using OIDC inside the pipe?
I figured I can use OIDC to pull a private ECR as a pipe like so:
```yaml
- step:
    name: 'PipeThing'
    oidc: true
    script:
      - export AWS_ROLE_ARN=arn:aws:iam::123345:role/bitbucket-pipeline-role
      - export AWS_WEB_IDENTITY_TOKEN_FILE=$(pwd)/web-identity-token
      - echo $BITBUCKET_STEP_OIDC_TOKEN > $(pwd)/web-identity-token
      - apt-get update && apt-get install -y awscli
      - aws --version
      - aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin 1234.dkr.ecr.us-somehwere-5.amazonaws.com
      - pipe: docker:/my/image:lastest
```
Would it be possible to get a feature request for pipes to support OIDC for private pipes?
Though I am not yet convinced I understand fully the difference between a pipe and an image for a step.