How do I pass an AWS session token to aws_auth: for pulling Docker images from AWS ECR?

Hello, we want to pull images from AWS ECR using temporary AWS keys.

As per the docs, with permanent keys we can do:

version: 2
jobs:
  build:
    docker:
      - image: account-id.dkr.ecr.us-east-1.amazonaws.com/org/repo:0.1
        aws_auth:
          aws_access_key_id: AKIAQWERVA  # can specify string literal values
          aws_secret_access_key: $ECR_AWS_SECRET_ACCESS_KEY  # or project UI envar reference

But with temporary AWS keys we must also pass the AWS_SESSION_TOKEN.
I tried, but aws_auth will only accept 2 parameters: key and secret.

Is there any way to pass the AWS session_token? We really need this.

extraneous key [aws_session_token] is not permitted
|   Permitted keys:
|     - aws_access_key_id
|     - aws_secret_access_key
|   Passed keys:
|     - aws_access_key_id
|     - aws_secret_access_key
|     - aws_session_token

Looking at the published ORB, there does not seem to be any support for temporary AWS keys, and the question does not seem to have been asked in the past on the GitHub page.

It may be worth posting the question on the GitHub page, as that should cause a notification to whichever developer is maintaining the ORB and register the fact that the ORB is lacking a feature that is likely to become more important over time.

Can you please provide a link to the orb source you checked?

Thank you for the quick response. I think we do not use this orb. Actually, I think no ‘external’ orb is involved in this (probably core CircleCI functionality) to pull a Docker image from ECR.

Oh, I missed that.

It will be worth you raising a support ticket, as the docs indicate that the docker command has the same limitation. At least that way you should receive a formal answer.


Also, can you paste that document pointing to the same limitation? Really appreciate it.

The documentation never really shows that something is not possible as it goes and states that the parameter type is a Map without listing the accepted values, but you have

This shows aws_auth in examples that only show aws_access_key_id and aws_secret_access_key being used
