When using CCI Server, we have more freedom regarding Nomad builders, so we give the builder instances permissions to download any and all of our ECR images.
What we would like is for the Docker executor to have the freedom to use those ECR images without any credentials passed either via project environment variables or contexts.
However, currently the CircleCI configuration is preventing us from doing that, as it always requires an aws_access_key_id and aws_secret_access_key.
Ex.
docker:
  - image: our_ecr_image:latest
    aws_auth:
      aws_access_key_id: AWS_ACCESS_KEY_ID
      aws_secret_access_key: AWS_SECRET_ACCESS_KEY
Can we get a setting which will use the Nomad builder instance profile instead?
docker:
  - image: our_ecr_image:latest
    aws_auth:
      use_instance_profile: true
The AWS SDK uses any and all possible credential sources, so in theory if no credentials are passed it should use the Instance Metadata to authorize unless you intentionally block that.
Thanks
Igor Serko, Lyst Ltd