I’m trying to access my ECR repositories from agents hosted on my EKS cluster using agent-stack-k8s.
I tried using ecr-buildkite-plugin and setting assume-role argument that has the policy to access the ECR repositories, but I’m still getting “Unable to locate credentials. You can configure credentials by running aws configure. Error: running “plugin ecr-buildkite-plugin environment” shell hook: The plugin ecr-buildkite-plugin environment hook exited with status 253”
I also tried using assume-role-with-web-identity plugin but realized that it’s not compatible with agent-stack-k8s.
What’s the best practice to gain access to my ECR repositories in this case?
Thanks for reaching out. The reason why assume-role-with-web-identity plugin is not compatible with agent-stack-k8s is because k8s stack doesn’t possess aws CLI binary out of the box. In your scenario, the best practice to gain access to your ECR is to create your own custom image with the Buildkite agent and AWS CLI. Once you’ve done that, you can leverage the assume-role-with-web-identity plugin with ecr-buildkite-plugin plugin to achieve your use case.
Hope that helps. Let us know if you have any further questions.