Showing results for 
Search instead for 
Did you mean: 
Sign up Log in

Access a private pipe in ECR with OIDC?

Georg Duemlein September 15, 2022

I would like to host pipes in a private ECR repository.


I understand that I can access the images like so:

pipe: docker://my-ecr-repo/image:versionaws:
  access-key: $AWS_ACCESS_KEY_ID
  secret-key: $AWS_SECRET_ACCESS_KEY

I am wondering if there is an undocumented way to use OIDC instead.

1 answer

1 accepted

1 vote
Answer accepted
Igor Stoyanov
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
September 16, 2022

@Georg Duemlein  hi.

Pipes supports only public docker images.

For OIDC support check this pipe for implementation: aws-ecr-push-image

Regards, Igor

Georg Duemlein September 16, 2022

Is it correct that the `aws-ecr-push-image` example refers to using OIDC inside the pipe?


I figured I can use OIDC to pull a private ECR as a pipe like so:

- step:
name: 'PipeThing'
oidc: true
- export AWS_ROLE_ARN=arn:aws:iam::123345:role/bitbucket-pipeline-role
- export AWS_WEB_IDENTITY_TOKEN_FILE=$(pwd)/web-identity-token
- echo $BITBUCKET_STEP_OIDC_TOKEN > $(pwd)/web-identity-token
- apt-get update && apt-get install -y awscli
- aws --version
- aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin
- pipe: docker:/my/image:lastest

 Would it be possible to get a feature request for pipes to support OIDC for private pipes?

Though I am not yet convinced I understand fully the difference between a pipe and an image for a step.

Suggest an answer

Log in or Sign up to answer
Site Admin
AUG Leaders

Atlassian Community Events