Loading a AWS ECR image as service not working when using oidc

GONTHIER, FLORENTIN October 20, 2023

Hello everyone,

I am trying to load an AWS ECR docker image I created previously as a service using the oidc following the documentation on https://support.atlassian.com/bitbucket-cloud/docs/docker-image-options/#OIDC-roles 

I used the following code:

services:
  my-service:
    image: IMAGE_URI
    aws:
      oidc-role: $AWS_OIDC_ROLE_ARN


And load the service like this:

- step: &run-cypress
    name: run cypress
    oidc: true
    size: 2x
    image: cypress/browsers:node-18.14.1-chrome-110.0.5481.96-1-ff-109.0-edge-110.0.1587.41-1
    script:
      # My script
    services:
      - my-service
      - docker


And get the error:

rpc error: code = Unknown desc = failed to pull and unpack image "IMAGE_URI": failed to resolve reference "IMAGE_URI": pulling from host IMAGE_REPO failed with status code [manifests IMAGE_TAG]: 403 Forbidden

But when loading the image using the CLI, I have no problem loading the image:

- step: &test-access
    name: test aws ecr access
    oidc: true
    image: amazon/aws-cli
    services:
      - docker
    script:
      - yum update -y
      - yum install jq -y
      - TEMP_ROLE=$(aws sts assume-role-with-web-identity --role-arn $AWS_OIDC_ROLE_ARN --role-session-name build-session --web-identity-token "$BITBUCKET_STEP_OIDC_TOKEN" --duration-seconds 1000)
      - export AWS_ACCESS_KEY_ID=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.AccessKeyId')
      - export AWS_SECRET_ACCESS_KEY=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.SecretAccessKey')
      - export AWS_SESSION_TOKEN=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.SessionToken')
      - aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID
      - aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY
      - aws configure set aws_session_token $AWS_SESSION_TOKEN
      - aws ecr get-login-password --region $AWS_DEFAULT_REGION | docker login --username AWS --password-stdin IMAGE_REPO
      - docker pull IMAGE_URI

Am I missing something when following the documentation?

1 answer

0 votes
Mark C
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
October 22, 2023

Hi @GONTHIER, FLORENTIN,

Welcome to the community.

Could you confirm if the base Docker image is publicly accessible?

image: cypress/browsers:node-18.14.1-chrome-110.0.5481.96-1-ff-109.0-edge-110.0.1587.41-1

Regards,
Mark C

GONTHIER, FLORENTIN October 23, 2023

Yes, it is publicly accessible.

Mark C
Atlassian Team
October 25, 2023

Thanks for that @GONTHIER, FLORENTIN

Btw, for the service image you used, which is "IMAGE_URI", would it be possible for you to confirm if that is an environment variable?
If yes, unfortunately we do not support environment variables for image tags; hence, you will need to specify the exact image name for the service.

Let me know how it goes.

Regards,
Mark C

GONTHIER, FLORENTIN October 26, 2023

This is plain text; I just replaced it with IMAGE_URI to avoid displaying the AWS ECR URI.

Mark C
Atlassian Team
October 26, 2023

Hi @GONTHIER, FLORENTIN,

In that case, given the AWS ECR URI is publicly accessible, could you try to define your service container using the format below:

definitions:
  services:
    my-service:
      image: IMAGE_URI

Let me know how it goes.

Regards,
Mark C

GONTHIER, FLORENTIN October 26, 2023

It was in this format (the indentation was not kept when copy-pasting into this main comment); however, the AWS ECR URI is not publicly accessible, it is in a private repository.

Mark C
Atlassian Team
October 29, 2023

Hi @GONTHIER, FLORENTIN,

Thanks for that information.
Instead of using OIDC as authentication for your private image as a service, could you try to use username and password instead?

services:
  my-service:
    image:
      name: IMAGE_URI
      username: $USERNAME
      password: $PASSWORD

Use a private image

Regards,
Mark C
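The manual aws sts assume-role-with-web-identity call in the question only succeeds when the token's aud and sub claims satisfy the conditions in the role's trust policy, so inspecting those claims is the first check to run whenever OIDC works in one place and fails in another. The following is an added example, not code from the original post, Atlassian or AWS: it decodes a constructed Bitbucket-shaped OIDC token (claims only, without signature verification, which STS performs) and evaluates it against a constructed trust policy with IAM's StringEquals/StringLike semantics; the provider URL, workspace, repository and step UUIDs and the account id are placeholders, and it covers only the role-trust side, not the ECR repository permissions behind the 403 in the question.

```python
import base64
import json
import re

# Constructed sample claims of a Bitbucket Pipelines OIDC token (placeholder UUIDs, not real).
PROVIDER = "api.bitbucket.org/2.0/workspaces/my-workspace/pipelines-config/identity/oidc"
REPO_UUID = "{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}"
CLAIMS = {
    "aud": "ari:cloud:bitbucket::workspace/11111111-2222-3333-4444-555555555555",
    "sub": f"{REPO_UUID}:{{step-uuid-placeholder}}",
}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

SAMPLE_TOKEN = ".".join(b64url(p) for p in (  # header.payload.signature; signature is a dummy
    json.dumps({"alg": "RS256", "typ": "JWT"}).encode(), json.dumps(CLAIMS).encode(), b"unsigned"))

# Constructed trust policy in the shape AWS uses for web-identity roles; each condition
# key is the provider URL (without https://) followed by the claim name it constrains.
TRUST_POLICY = {
    "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity",
        "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{PROVIDER}"},
        "Condition": {"StringEquals": {f"{PROVIDER}:aud": CLAIMS["aud"]},
                      "StringLike": {f"{PROVIDER}:sub": f"{REPO_UUID}:*"}},
    }],
}

def decode_claims(token: str) -> dict:
    """Return the JWT payload without verifying the signature (STS does that server-side)."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def iam_like(pattern: str, value: str) -> bool:
    """IAM StringLike semantics: '*' matches any run, '?' one character, case-sensitive."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None

def unmet_conditions(policy: dict, claims: dict) -> list:
    """Trust-policy conditions these claims fail; an empty list means the role can be assumed."""
    failures = []
    for stmt in policy["Statement"]:
        for op, conds in stmt.get("Condition", {}).items():
            for key, expected in conds.items():
                claim = claims.get(key.rsplit(":", 1)[1], "")  # "<provider>:aud" -> "aud"
                ok = iam_like(expected, claim) if op == "StringLike" else claim == expected
                if not ok:
                    failures.append(f"{op} {key}: want {expected!r}, token has {claim!r}")
    return failures
```

In a pipeline step the real token is in BITBUCKET_STEP_OIDC_TOKEN and the trust policy comes from aws iam get-role; feed both to unmet_conditions to see which condition a failing assume-role call trips on.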
