
Registry identities for AWS ECR authentication #243

Open

crazy-max wants to merge 3 commits into main from registry-identities

Conversation

@crazy-max (Member)

relates to #146

This adds a registry-identities input to the reusable build.yml and bake.yml workflows so callers can authenticate to registries through keyless identity metadata instead of passing static registry credentials. The first supported provider is AWS ECR through GitHub OIDC and aws-actions/configure-aws-credentials, followed by docker/login-action using ambient AWS credentials.

This introduces a shared setup-registry-identities.yml reusable workflow that parses the YAML input before build work starts. The build and bake workflows call that parser, configure AWS credentials when an aws-ecr identity is present, and then run a separate docker/login-action step with generated ECR registry-auth entries. Existing registry-auths secrets continue to work through a separate login step, so secret-based auth and identity-based auth are not merged into the same YAML payload.

The aws-ecr identity currently accepts one registry identity with aws-region, role-to-assume, and registry. Callers pass the exact ECR registry server that should be used for Docker login, such as 175142243308.dkr.ecr.us-east-2.amazonaws.com for private ECR or public.ecr.aws for public ECR.

The goal is to let callers move AWS ECR authentication away from long-lived static credentials while keeping the provider-specific auth steps pinned and controlled inside GitHub Builder.
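The following caller workflow is an added illustration of the input described above; it is not code from this pull request or from the project. The workflow path (OWNER/REPO/.github/workflows/build.yml), the role name, the account ID and the exact nesting of the registry-identities YAML are assumptions, since the PR only names the provider (aws-ecr) and its three keys (aws-region, role-to-assume, registry). What is not an assumption is the id-token: write permission, which the caller must grant so that GitHub can mint the OIDC token aws-actions/configure-aws-credentials exchanges for temporary AWS credentials; a called reusable workflow cannot hold more permissions than its caller.

```yaml
# Hypothetical caller workflow (added example, not from the PR or project).
# Items marked ASSUMED are not confirmed by the PR description.
name: build

on:
  push:
    branches: [main]

permissions:
  contents: read
  # Required for GitHub OIDC: without this the runner cannot request the
  # identity token that configure-aws-credentials presents to AWS STS.
  id-token: write

jobs:
  build:
    # ASSUMED path and ref of the reusable workflow this PR changes.
    uses: OWNER/REPO/.github/workflows/build.yml@main
    with:
      # ASSUMED nesting: one aws-ecr identity carrying the three keys the PR
      # names. The registry value is the exact server passed to docker login;
      # use public.ecr.aws instead for public ECR.
      registry-identities: |
        aws-ecr:
          aws-region: us-east-2
          # ASSUMED role name; 123456789012 is a placeholder account ID.
          role-to-assume: arn:aws:iam::123456789012:role/github-ecr-push
          registry: 123456789012.dkr.ecr.us-east-2.amazonaws.com
```

The security of this setup rests on the IAM role's trust policy, not on the workflow. The role should trust the token.actions.githubusercontent.com OIDC provider with an audience condition of sts.amazonaws.com and a sub condition pinned to the calling repository and ref (for example repo:OWNER/REPO:ref:refs/heads/main); a trust policy without the sub condition lets any GitHub repository's workflow assume the role, which is a larger exposure than the static credentials it replaces.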

crazy-max added 3 commits July 3, 2026 14:55
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
@crazy-max crazy-max force-pushed the registry-identities branch from 495131c to 505d6c1 on July 3, 2026 12:55