Use AWS ECR images in Pipelines with OpenID Connect

In order to use AWS ECR docker images with OpenID Connect, you will need to configure Pipelines as a Web Identity Provider, create an IAM role, and associate the IAM role with build image.

Configure Bitbucket Pipelines as a Web Identity Provider on AWS

Web Identity Providers allow the system to receive an authentication token, and then use or exchange that token for temporary security credentials in AWS. These temporary security credentials map to an IAM role with permissions to use the resources in your AWS account. Learn more about Web Identity Providers from AWS

  1. Access AWS Identity and Access Management (IAM).

  2. Select Identity providers under the Access management heading on the left sidebar.

  3. Select the Add provider button.

  4. In the Configure provider section, select OpenID Connect.

  5. Add the Provider URL, that is displayed as an identity provider on OpenID Connect in Bitbucket, to the corresponding text field. The Provider URL is the secure OpenID Connect URL used for authentication requests.

  6. Select the Get thumbprint button to verify that the provider URL is unique and accurate.

  7. Add the Audience, that is displayed as an identity provider on OpenID Connect in Bitbucket, to the corresponding text field. The audience is the client ID issued by the Identity provider for your app.

  8. Select the Add provider button.

To verify the thumbprint, you can follow the steps for obtaining the root CA thumbprint for an OpenID Connect Identity Provider.

Create an Identity and Access Management (IAM) role

Follow the steps below to create a new IAM role that can be assumed by anyone using Bitbucket Pipelines with this OIDC provider.

 

The trusted entity for this role must be Web identity, which allows you to choose the provider created in the previous steps.

  1. Access AWS Identity and Access Management (IAM).

  2. Select Roles under the Access management heading on the left sidebar.

  3. Select Create role.

  4. Select Web identity as the type of trusted entity.

  5. Select the Identity provider dropdown and choose the identity provider created from your configuration above.

  6. Select the Audience dropdown and choose the audience created from your configuration above. This will allow builds in all repositories in the workspace to assume the role.

  7. Select Next: Permissions.

  8. Create a policy that allows to retrieve the authentication token and access the ECR registry. For more details on creating a policy, check out the following AWS help doc: Amazon Elastic Container Registry Identity-Based Policy Examples.

    1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 { "Version":"2012-10-17", "Statement":[ { "Sid":"GetAuthorizationToken", "Effect":"Allow", "Action":[ "ecr:GetAuthorizationToken" ], "Resource":"*" }, { "Sid":"ReadRepositoryContents", "Effect":"Allow", "Action":[ "ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:GetRepositoryPolicy", "ecr:DescribeRepositories", "ecr:ListImages", "ecr:DescribeImages", "ecr:BatchGetImage" ], "Resource":"arn:aws:ecr:us-east-1:123456789012:repository/my-repo" } ] }
  9. Select Next: Tags.

  10. Add any labels (tags), if necessary.

  11. Select Next: Review.

  12. On the Create role page, enter a Role name (required, eg. pipelines-ecr-access) and a Role description (if applicable).

  13. Select Create role.

Configure build to use your selected docker image

In this step, you are going to configure your build to the assume the role created in the previous step. You need to enable your BitbucketCI step to create a unique OIDC token that can be used to assume a role and request a temporary credential. This token is exposed as an environment variable BITBUCKET_STEP_OIDC_TOKEN.

Example of bitbucket-pipelines.yml file

1 2 3 4 5 6 7 8 9 10 pipelines: default: - step: image: name: 123456789012.dkr.ecr.us-east-1.amazonaws.com/repository/my-repo:latest aws: oidc-role: arn:aws:iam::123456789012:role/pipelines-ecr-access oidc: true script: - echo "hello world"

The above code is an example of bitbucket-pipelines.yml file that uses a private ECR image in pipelines without providing explicit AWS_ACCESS_KEY_ID and AWS_SECRET_KEY secrets.

Run your build

Now that you have configured Pipelines as a Web Identity Provider in AWS, created an IAM role within the Web Identity Provider, and configured your build to assume the created role, it is time to run your build.

For more options on limiting access to specific repositories, deployments, and more, see the Using claims in ID tokens to limit access to the IAM role in AWS section of the following help doc: Deploy on AWS using Bitbucket Pipelines OpenID Connect.

Still need help?

The Atlassian Community is here for you.