AWS ECR authentication using Nomad builder IAM instance profile | Server

AWS ECR authentication using Nomad builder IAM instance profile

under review

Igor Serko

When using CCI Server, we have more freedom regarding Nomad builders, so we give the builder instances permissions to download any and all of our ECR images.

What we would like is for the Docker executor the freedom to use those ECR images without any credentials passed either via project environment variables or contexts.

However currently the CircleCI configuration is preventing us from doing that as it always requires an

aws_access_key_id

and

aws_secret_access_key

Ex.

docker:
  - image: our_ecr_image:latest
    aws_auth:
      aws_access_key_id: AWS_ACCESS_KEY_ID
      aws_secret_access_key: AWS_SECRET_ACCESS_KEY

Can we get a setting which will use the Nomad builder instance profile instead?

docker:
  - image: our_ecr_image:latest
    aws_auth:
      use_instance_profile: true

The AWS SDK uses any and all possible credential sources, so in theory if no credentials are passed it should use the Instance Metadata to authorize unless you intentionally block that.

Thanks

Igor Serko, Lyst Ltd

January 8, 2021

Nathan Fish

marked this post as

under review