Config.Tips

Pull an image from Amazon ECR using OIDC

OpenID Connect (OIDC) lets your pipelines authenticate to Amazon ECR by exchanging a short-lived CircleCI identity token for temporary AWS credentials, so no long-lived AWS access keys need to be stored in CircleCI.

To get started:

  1. Set up CircleCI as a trusted identity provider (OIDC provider) in your AWS account
  2. Create an IAM role whose trust policy allows that provider to assume it, and grant the role read access to the ECR repository
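As an added example (not part of the original tip), the IAM trust policy below covers both steps on the AWS side: it names the CircleCI OIDC provider as a federated principal and restricts who may assume the role. The account ID 123456789012, ORG_ID and PROJECT_ID are placeholders; the issuer URL https://oidc.circleci.com/org/ORG_ID, the audience claim equal to the org ID, and the subject format org/ORG_ID/project/PROJECT_ID/user/USER_ID follow CircleCI's documented token claims and should be checked against the current CircleCI OIDC documentation before use.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::123456789012:oidc-provider/oidc.circleci.com/org/ORG_ID"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.circleci.com/org/ORG_ID:aud": "ORG_ID"
        },
        "StringLike": {
          "oidc.circleci.com/org/ORG_ID:sub": "org/ORG_ID/project/PROJECT_ID/user/*"
        }
      }
    }
  ]
}
```

The aud and sub conditions are the important part: without them any CircleCI project in the organization (or, if the provider were misconfigured, any token issued by that provider) could assume the role. Attach a separate permissions policy to the role that grants only what an image pull needs, typically ecr:GetAuthorizationToken on "*" plus ecr:BatchGetImage, ecr:GetDownloadUrlForLayer and ecr:BatchCheckLayerAvailability scoped to the specific repository ARN; do not grant ecr:PutImage or other write actions to a role that only pulls.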

Now update your config:

  1. Identify the job in your .circleci/config.yml that requires an ECR image
  2. Replace <your-image-uri> with the URI of the ECR image you want to pull. This URI typically follows the format aws_account_id.dkr.ecr.region.amazonaws.com/repository:tag
  3. Replace <your-iam-role-arn> with the ARN of the IAM role you want to assume
  4. Save your changes

The next time this job runs, CircleCI will present its OIDC token to AWS and assume the specified role to obtain temporary credentials for the image pull. If you previously stored AWS credentials for this job, they can now be removed from CircleCI contexts and project variables (make sure they're not being used in other jobs first), and the corresponding IAM access keys can be deactivated in AWS.

.circleci/config.yml
version: 2.1
jobs:
  pull_from_ecr:
    docker:
      # Private image in ECR, e.g. 123456789012.dkr.ecr.us-east-1.amazonaws.com/my-app:1.2.3
      - image: <your-image-uri>
        aws_auth:
          # IAM role trusted for the CircleCI OIDC provider; no static keys needed
          oidc_role_arn: <your-iam-role-arn>
