Docker AWS ECR auth with oidc role doesn't seem to be working

I tried configuring AWS ECR pulling through OIDC but it doesn’t seem to be working

I can see on AWS that the IAM role is not being accessed

version: 2.1

jobs:
  job_name:
    docker:
      - image: <your-image-arn>
        aws_auth:
          oidc_role_arn: <your-iam-role-arn>

property oidc_role_arn is missing from the yaml spec
https://json.schemastore.org/circleciconfig.json

even though the feature was released in May’23

I stumbled upon the same problem.

I ran into this problem too, and google search lead me to this post, which unfortunately did not identify any solutions.

After another search, I came across this article https://support.circleci.com/hc/en-us/articles/13832176226203-Troubleshooting-OIDC-in-CircleCI

The article states

There must be at least one context present in your job before CircleCI will generate the $CIRCLE_OIDC_TOKEN environment variable.

After adding a context to my job in the config file, I was able to use OIDC to pull an image from ECR.

Hi team, same here - doesn’t work.

but the problem is a bit another - is it possible for executor to pull private ECR image with oidc?

1 Like