When a project is configured to use OIDC, it should be possible to use these credentials to pull a private images from ECR [1] when starting up the executor.

Projects with OIDC enabled [2] currently still require static AWS keys for ECR image pulls.

[1] https://circleci.com/docs/2.0/private-images/#aws-ecr

[2] https://circleci.com/docs/2.0/openid-connect-tokens/