I would like to host pipes in a private ECR repository.
I understand that I can access the images like so:
```yaml
pipe: docker://my-ecr-repo/image:version
aws:
  access-key: $AWS_ACCESS_KEY_ID
  secret-key: $AWS_SECRET_ACCESS_KEY
```
I am wondering if there is an undocumented way to use OIDC instead.
Is it correct that the `aws-ecr-push-image` example refers to using OIDC inside the pipe?
I figured I can use OIDC to pull a private ECR as a pipe like so:
```yaml
- export AWS_ROLE_ARN=arn:aws:iam::123345:role/bitbucket-pipeline-role
- export AWS_WEB_IDENTITY_TOKEN_FILE=$(pwd)/web-identity-token
- echo $BITBUCKET_STEP_OIDC_TOKEN > $(pwd)/web-identity-token
- apt-get update && apt-get install -y awscli
- aws --version
- aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin 1234.dkr.ecr.us-somehwere-5.amazonaws.com
- pipe: docker:/my/image:lastest
```
Would it be possible to get a feature request for pipes to support OIDC for private pipes?
Though I am not yet convinced I understand fully the difference between a pipe and an image for a step.