The Amazon implementation of a Docker Registry automatically generates the docker login command with a call to the aws API. The credentials that it generates expire making them impractical to mine from the command for a normal bitbucket-pipelines.yml file. As far as I can tell, there is no way to set Amazon to do it differently, so if we could specify AWS credentials as follows:
image: name: <aws-ecr-image> aws_login: access_key_id: <access_key_id> secret_access_key: <secret_access_key> region: <region>
Then Pipelines could generate a file at ~/.aws/credentials that looks like this:
[default] aws_access_key_id = <access_key_id> aws_secret_access_key = <secret_access_key>
Then make the following AWS call to get the credentials and login:
eval $(aws ecr get-login --region <region>)
It could then proceed to download the Docker image and continue normally.
Alternatively, the values could be settings on the server side to avoid sharing all that information in a file in source control.