How do I pass AWS session token to aws_auth: for pulling docker images from AWS ECR?

Hello, we want to pull images from AWS ECR using temporary AWS keys.

As per docs, with permanent keys we can do:

version: 2
      - image:
          aws_access_key_id: AKIAQWERVA  # can specify string literal values
          aws_secret_access_key: $ECR_AWS_SECRET_ACCESS_KEY  # or project UI envar reference

But with temporary AWS keys we must also pass the AWS_SESSION_TOKEN,
I tried but aws_auth will only accept 2 parameters - key and secret.

Is there any way to pass the AWS session_token? We really need this

extraneous key [aws_session_token] is not permitted
|   Permitted keys:
|     - aws_access_key_id
|     - aws_secret_access_key
|   Passed keys:
|     - aws_access_key_id
|     - aws_secret_access_key
|     - aws_session_token

Looking at the published ORB there does not seem to be any support for temporary AWS keys and the question does not seem to have been asked in the past on the github page.

It may be worth posting the question on the github page as that should cause a notification to whichever developer is maintaining the ORB and register the fact that the ORB is lacking a feature that is likely to become more important over time.

Can you please provide link to the orb source you checked?

Thank you for the quick response. I think we do not use this orb. Actually I think no ‘external’ orb is involved in this (probably core CircleCI functionality) to pull Docker image from ECR

Oh, I missed that.

It will be worth you raising a support ticket as the docs indicate that the docker command has the same limitation. At least that way you should receive a formal answer.

1 Like

Also can you paste that document pointing to the same limitation? Really appreciate it

The documentation never really shows that something is not possible as it goes and states that the parameter type is a Map without listing the accepted values, but you have

This shows aws_auth in examples that only show aws_access_key_id and aws_secret_access_key being used

1 Like