Pull an image from Amazon ECR using OIDC
OpenID Connect (OIDC) securely connects your pipelines to AWS ECR without storing long-lived secrets in CircleCI.
To get started:
Now update your config:
- Identify the job in your .circleci/config.yml that requires an ECR image
- Replace <your-image-uri> with the URI of the ECR image you want to pull. This URI typically follows the format aws_account_id.dkr.ecr.region.amazonaws.com/repository:tag
- Replace <your-iam-role-arn> with the ARN of the IAM role you want to assume
- Save changes
The next time this job runs, CircleCI will connect to AWS via OIDC with the specified role. If you previously stored AWS credentials for this job, they can now be removed from CircleCI contexts and project variables (make sure they're not being used in other jobs first).
```yaml
version: 2.1
jobs:
  pull_from_ecr:
    docker:
      - image: <your-image-uri>
        aws_auth:
          oidc_role_arn: <your-iam-role-arn>
```
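Before removing stored AWS credentials, it helps to confirm that every job pulling from ECR has actually moved to `oidc_role_arn`. The following check is an added example, not CircleCI's own tooling; it assumes the config has already been loaded into a dict by a YAML parser, and the job names, account ID and role name in the sample are constructed.

```python
import re

# ECR image URI format given on the page; a tag or digest suffix is optional here.
ECR_URI = re.compile(
    r"^\d{12}\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com/[a-z0-9._/-]+(?:[:@][\w:.-]+)?$"
)
ROLE_ARN = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:role/[\w+=,.@/-]+$")
# Long-lived credential fields accepted by aws_auth (not shown on the page).
STATIC_KEYS = ("aws_access_key_id", "aws_secret_access_key")


def audit_ecr_auth(config):
    """Return (job, image, finding) tuples for ECR images not pulled via OIDC."""
    findings = []
    for job_name, job in (config.get("jobs") or {}).items():
        for entry in job.get("docker") or []:
            image = entry.get("image", "")
            if not ECR_URI.match(image):
                continue  # not an ECR image, or still a placeholder: out of scope
            auth = entry.get("aws_auth") or {}
            role = auth.get("oidc_role_arn")
            if any(key in auth for key in STATIC_KEYS):
                findings.append((job_name, image, "static AWS keys in aws_auth"))
            elif role is None:
                findings.append((job_name, image, "no oidc_role_arn set"))
            elif not ROLE_ARN.match(role):
                findings.append((job_name, image, "oidc_role_arn is not an IAM role ARN"))
    return findings


# Constructed sample: the dict a YAML parser would produce for a config.yml.
IMAGE = "123456789012.dkr.ecr.us-east-1.amazonaws.com/app:1.4.2"
SAMPLE = {
    "version": 2.1,
    "jobs": {
        "pull_from_ecr": {"docker": [{
            "image": IMAGE,
            "aws_auth": {"oidc_role_arn": "arn:aws:iam::123456789012:role/ci-ecr-pull"},
        }]},
        "legacy_job": {"docker": [{
            "image": IMAGE,
            "aws_auth": {"aws_access_key_id": "$KEY_ID", "aws_secret_access_key": "$SECRET"},
        }]},
        "unit_tests": {"docker": [{"image": "cimg/python:3.12"}]},
    },
}

if __name__ == "__main__":
    for finding in audit_ecr_auth(SAMPLE):
        print(*finding, sep=" | ")
```

Any job the check reports is still relying on stored credentials or has no working ECR authentication, so the matching context or project variables should stay in place until that job is migrated.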