OIDC for AWS ECR private image pulls | Feature Requests

OIDC for AWS ECR private image pulls

complete

joe

When a project is configured to use OIDC, it should be possible to use these credentials to pull a private images from ECR [1] when starting up the executor.
Projects with OIDC enabled [2] currently still require static AWS keys for ECR image pulls.
[1] https://circleci.com/docs/2.0/private-images/#aws-ecr
[2] https://circleci.com/docs/2.0/openid-connect-tokens/

March 25, 2022

Oran Wilder

marked this post as

complete

OIDC for AWS ECR is ready for use! Follow the instructions here to implement: https://circleci.com/docs/pull-an-image-from-aws-ecr-with-oidc/

Oran Wilder

marked this post as

in progress

OIDC for ECR is coming soon. A preview of this feature is being prepared for the end of May.

Owen Haynes

Oran Wilder: would this also include other providers such as GCP antifactory?

Oran Wilder

Owen Haynes: This work is specific to AWS. If you want o connect to GCP, try the instructions here: https://circleci.com/docs/openid-connect-tokens/#setting-up-gcp

Owen Haynes

Oran Wilder: yeah we use that for terraform but unable to pull images using oidc. I would of thought you would of done this in tandem https://ideas.circleci.com/cloud-feature-requests/p/openid-connect-docker-login

Robert Hopson

Very interested in this!

Pablo Serrano

Any ETA about this?

Nathan Fish

marked this post as

planned

Owen Haynes

same but for GCP https://ideas.circleci.com/cloud-feature-requests/p/openid-connect-docker-login