0 votes
628 views
in Technique[技术] by (71.8m points)

amazon web services - Using different aws credentials in Bitbucket pipeline

I've a Bitbucket pipeline that must use multiple AWS credentials for different duties.

In the first lines, I have a custom ECR image. To pull it, I created an AWS user with only ECR read-only permissions. The access-key and secret-key parameters are the keys of that user.

And in this ECR image, I embedded another AWS user's credentials to do the rest of the work (image push etc.). But somehow, the credentials that I used for pulling the base image are being used in the steps too. Because of this situation, the image push is being denied.

I tried to use export AWS_PROFILE=deployment but it doesn't help.

Are the credentials for the base image pull being applied pipeline-wide?

And how can I overcome this situation?

Thank you.

image:
  name: <ECR Image>
  aws:
    access-key: $AWS_ACCESS_KEY_ID
    secret-key: $AWS_SECRET_ACCESS_KEY

pipelines:
  - step:
      name: "Image Build & Push"
      services:
        - docker
      script:
        - export AWS_PROFILE=deployment
        - export ENVIRONMENT=beta
        - echo "Environment is ${ENVIRONMENT}"
        - export DOCKER_IMAGE_BUILDER="${BITBUCKET_REPO_SLUG}:builder"
        - make clean
        - make build BUILD_VER=${BITBUCKET_TAG}.${BITBUCKET_BUILD_NUMBER} APP_NAME=${BITBUCKET_REPO_SLUG} DOCKER_IMAGE_BUILDER=${DOCKER_IMAGE_BUILDER}
        - make test
        - docker tag ....
        - docker push .....


1 Reply

0 votes
by (71.8m points)

What I would do here instead of baking credentials inside the images:

Use one credential for pulling/pushing/tagging the image; why not use the same one for pushing the image?

If that is something you don't want to do:

Create an IAM role, give it permission to tag/push the images, and assume this role from the credentials exported earlier. No need to bake credentials in the images.

I found the following example in the documentation:

    script:
      # build the image
      - docker build -t my-docker-image .

      # use the pipe to push to AWS ECR
      - pipe: atlassian/aws-ecr-push-image:1.2.2
        variables:
          AWS_ACCESS_KEY_ID: $AWS_ACCESS_KEY_ID
          AWS_SECRET_ACCESS_KEY: $AWS_SECRET_ACCESS_KEY
          AWS_DEFAULT_REGION: $AWS_DEFAULT_REGION
          IMAGE_NAME: my-docker-image
          TAGS: '${BITBUCKET_TAG} latest'
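
The role-assumption approach from the reply, written out as an added POSIX shell snippet (not from the original question or answer) that a pipeline step could source: it exchanges the step's read-only keys for short-lived credentials of a push-capable role and exports them, which is what actually replaces the inherited AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY (an exported AWS_PROFILE does not, because explicit key variables take precedence in the AWS credential chain). The role ARN, registry host and function names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): swap the pipeline's read-only
# AWS keys for short-lived credentials of a push-capable IAM role.
# DEPLOY_ROLE_ARN and the registry host below are placeholders.
set -eu

DEPLOY_ROLE_ARN="${DEPLOY_ROLE_ARN:-arn:aws:iam::123456789012:role/ecr-push-role}"  # placeholder

# Take the one tab-separated line that
#   aws sts assume-role ... --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text
# prints, validate it, and export the three values. Explicit AWS_* key variables
# win over AWS_PROFILE in the credential chain, so exporting them here is what
# replaces the pull-only keys inherited from the image section.
export_sts_credentials() {
  IFS="$(printf '\t')" read -r ak sk tok <<EOF
$1
EOF
  if [ -z "$ak" ] || [ -z "$sk" ] || [ -z "$tok" ]; then
    echo "unexpected STS output, refusing to continue with old credentials" >&2
    return 1
  fi
  export AWS_ACCESS_KEY_ID="$ak" AWS_SECRET_ACCESS_KEY="$sk" AWS_SESSION_TOKEN="$tok"
}

# Call STS with whatever credentials the step currently has (the read-only
# user), which must be allowed sts:AssumeRole on DEPLOY_ROLE_ARN.
assume_deploy_role() {
  creds=$(aws sts assume-role \
    --role-arn "$DEPLOY_ROLE_ARN" \
    --role-session-name "bitbucket-${BITBUCKET_BUILD_NUMBER:-local}" \
    --duration-seconds 900 \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
    --output text)
  export_sts_credentials "$creds"
}

# Log Docker in to ECR with the assumed-role credentials; $1 is the registry
# host, e.g. 123456789012.dkr.ecr.eu-west-1.amazonaws.com (placeholder).
ecr_docker_login() {
  aws ecr get-login-password | docker login --username AWS --password-stdin "$1"
}

# Typical use in a pipeline step, after the make targets:
#   . ./assume-role.sh
#   assume_deploy_role
#   ecr_docker_login 123456789012.dkr.ecr.eu-west-1.amazonaws.com
#   docker push ...
```

Because the temporary credentials are scoped to the role and expire after the requested duration, nothing long-lived needs to be baked into the image, and the read-only user only needs sts:AssumeRole in addition to its ECR pull permission.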
