Cross account ECR permissions issues #346

Open
scottillogical opened this issue Aug 18, 2023 · 1 comment
Labels
enhancement New feature or request

Comments


scottillogical commented Aug 18, 2023

Hey folks, I tried to switch from the docker-image resource to oci-build-task and registry-image, but we weren't able to get the ECR support working.

Our current setup is that we have ECR running in another account (root), and currently we rely on EC2 node roles to allow Concourse access to ECR.
Is the only way to get this working currently to create a new access key that we would then need to rotate, or is there a way to use node roles? I tried configuring the role ARNs using the latest release and was not able to resolve the authentication errors from ECR. Perhaps I am just doing it wrong?

Describe the solution you'd like

A way to use node roles like docker-image resource for ECR cross account access

scottillogical added the enhancement label Aug 18, 2023

MattSurabian commented Apr 9, 2024

I was able to get this working by setting this parameter

```go
AWSECRRegistryId string `json:"aws_ecr_registry_id,omitempty"`
```

as implemented here #253.

The documentation is sparse on this, but it can be used in the resource definition (the quotes around it are REQUIRED):

```yaml
- icon: docker
  name: my-repo
  source:
    aws_ecr_registry_id: "123456789012"
    aws_region: us-east-1
    repository: my-repo
  type: registry-image
```

This, without any role ARNs set, seems to work as expected, with the resource assuming the role of the underlying EC2 instance and operating on an ECR located in another account.
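Added example, not part of the thread or the project's own code: a likely reason the quotes matter, assuming Concourse hands the `source` block to the resource as JSON, is that an unquoted account ID arrives as a JSON number and cannot be decoded into the string-typed field quoted above. The `Source` struct, `ParseSource` and `RegistryHost` are hypothetical names; only the `aws_ecr_registry_id` field and its tag come from the comment.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Source is a hypothetical, trimmed-down stand-in for the resource's source
// config. Only the aws_ecr_registry_id field and tag are quoted from the page.
type Source struct {
	AWSECRRegistryId string `json:"aws_ecr_registry_id,omitempty"`
	AWSRegion        string `json:"aws_region,omitempty"`
	Repository       string `json:"repository"`
}

var accountID = regexp.MustCompile(`^[0-9]{12}$`)

// ParseSource decodes a source block into the string-typed struct, then
// checks that the registry ID looks like a 12-digit AWS account ID.
func ParseSource(raw []byte) (Source, error) {
	var s Source
	if err := json.Unmarshal(raw, &s); err != nil {
		return s, fmt.Errorf("decode source: %w", err)
	}
	if s.AWSECRRegistryId != "" && !accountID.MatchString(s.AWSECRRegistryId) {
		return s, fmt.Errorf("aws_ecr_registry_id %q is not a 12-digit account ID", s.AWSECRRegistryId)
	}
	return s, nil
}

// RegistryHost returns the private ECR hostname form for the configured
// account and region (standard, non-China regions).
func RegistryHost(s Source) string {
	return fmt.Sprintf("%s.dkr.ecr.%s.amazonaws.com", s.AWSECRRegistryId, s.AWSRegion)
}

func main() {
	// Constructed inputs: what a quoted and an unquoted YAML value become as JSON.
	quoted := []byte(`{"aws_ecr_registry_id":"123456789012","aws_region":"us-east-1","repository":"my-repo"}`)
	unquoted := []byte(`{"aws_ecr_registry_id":123456789012,"aws_region":"us-east-1","repository":"my-repo"}`)
	for _, raw := range [][]byte{quoted, unquoted} {
		s, err := ParseSource(raw)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Println("ok:", RegistryHost(s))
	}
}
```

The quoted form resolves to the registry in the other account; the unquoted form is rejected at decode time, before any ECR call is made.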
