Details
-
Suggestion
-
Resolution: Fixed
Description
The Amazon implementation of a Docker Registry automatically generates the docker login command with a call to the aws API. The credentials that it generates expire making them impractical to mine from the command for a normal bitbucket-pipelines.yml file. As far as I can tell, there is no way to set Amazon to do it differently, so if we could specify AWS credentials as follows:
#!yaml
image:
name: <aws-ecr-image>
aws_login:
access_key_id: <access_key_id>
secret_access_key: <secret_access_key>
region: <region>
Then Pipelines could generate a file at ~/.aws/credentials that looks like this:
#!ini
[default]
aws_access_key_id = <access_key_id>
aws_secret_access_key = <secret_access_key>
Then make the following AWS call to get the credentials and login:
#!bash eval $(aws ecr get-login --region <region>)
It could then proceed to download the Docker image and continue normally.
Alternatively, the values could be settings on the server side to avoid sharing all that information in a file in source control.