concourse / registry-image-resource

a resource for images in a Docker registry
Apache License 2.0

Cross account ECR permissions issues #346

Open scottillogical opened 1 year ago

scottillogical commented 1 year ago

Hey folks, I tried to switch us from the docker-image resource to oci-build-task and registry-image, but we weren't able to get the ECR support working.

Our current setup is that we have ECR running in another account (root), and currently we rely on EC2 node roles to allow Concourse access to ECR.
Is the only way to get this working currently to create a new access key that we would then need to rotate, or is there a way to use node roles? I tried configuring the role ARNs using the latest release and was not able to resolve the authentication errors from ECR. Perhaps I am just doing it wrong?

Describe the solution you'd like

A way to use node roles, like the docker-image resource does, for ECR cross-account access.

MattSurabian commented 4 months ago

I was able to get this working by setting this parameter https://github.com/concourse/registry-image-resource/blob/0c15319baf38dc56593beb85d0727e5f8183d9b3/types.go#L64 as implemented here https://github.com/concourse/registry-image-resource/pull/253.

The documentation is sparse on this, but it can be used in the resource definition (the quotes around it are REQUIRED):

- icon: docker
  name: my-repo
  source:
    aws_ecr_registry_id: "123456789012"
    aws_region: us-east-1
    repository: my-repo
  type: registry-image

This, without any role ARNs set, seems to work as expected, with the resource assuming the role of the underlying EC2 instance and operating on an ECR located in another account.
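Why the quotes are required, as an added example that is not code from this thread or from the project: the pipeline YAML is handed to the resource as JSON, so an unquoted `123456789012` arrives as a number, and Go's `encoding/json` will not decode a number into a string field. The reduced `Source` struct, the 12-digit check and the host derivation below are hypothetical illustrations, not the resource's own code.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Source is a hypothetical reduced version of the resource's source fields
// discussed in this thread; the real struct has many more fields.
type Source struct {
	Repository       string `json:"repository"`
	AwsRegion        string `json:"aws_region"`
	AwsECRRegistryID string `json:"aws_ecr_registry_id"`
}

// AWS account IDs are exactly 12 decimal digits.
var accountIDPattern = regexp.MustCompile(`^[0-9]{12}$`)

// ParseSource decodes the JSON form of a pipeline's source map. A bare
// numeric aws_ecr_registry_id (unquoted in YAML) is rejected by the
// decoder because the target field is a string; a quoted one passes and
// is then checked for the 12-digit account-id shape.
func ParseSource(raw []byte) (Source, error) {
	var s Source
	if err := json.Unmarshal(raw, &s); err != nil {
		return Source{}, fmt.Errorf("decode source: %w", err)
	}
	if s.AwsECRRegistryID != "" && !accountIDPattern.MatchString(s.AwsECRRegistryID) {
		return Source{}, fmt.Errorf("aws_ecr_registry_id %q is not a 12-digit AWS account id", s.AwsECRRegistryID)
	}
	return s, nil
}

// RegistryHost builds the ECR endpoint for the configured account and
// region; with aws_ecr_registry_id set, this is the other account's registry.
func RegistryHost(s Source) string {
	return fmt.Sprintf("%s.dkr.ecr.%s.amazonaws.com", s.AwsECRRegistryID, s.AwsRegion)
}

func main() {
	// Constructed inputs mirroring the YAML above, once serialized to JSON.
	quoted := []byte(`{"repository":"my-repo","aws_region":"us-east-1","aws_ecr_registry_id":"123456789012"}`)
	unquoted := []byte(`{"repository":"my-repo","aws_region":"us-east-1","aws_ecr_registry_id":123456789012}`)
	if s, err := ParseSource(quoted); err == nil {
		fmt.Println("quoted id accepted, registry:", RegistryHost(s))
	}
	if _, err := ParseSource(unquoted); err != nil {
		fmt.Println("unquoted id rejected:", err)
	}
}
```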