- Type: Suggestion
- Resolution: Fixed
- Component/s: Pipelines - Run Failures

The Amazon implementation of a Docker Registry automatically generates the docker login command with a call to the AWS API. The credentials that it generates expire, making them impractical to mine from the command for a normal bitbucket-pipelines.yml file. As far as I can tell, there is no way to set Amazon to do it differently, so if we could specify AWS credentials as follows:

    #!yaml
    image:
      name: <aws-ecr-image>
      aws_login:
        access_key_id: <access_key_id>
        secret_access_key: <secret_access_key>
        region: <region>

Then Pipelines could generate a file at ~/.aws/credentials that looks like this:

    #!ini
    [default]
    aws_access_key_id = <access_key_id>
    aws_secret_access_key = <secret_access_key>

Then make the following AWS call to get the credentials and login:

    #!bash
    eval $(aws ecr get-login --region <region>)

It could then proceed to download the Docker image and continue normally.
Alternatively, the values could be settings on the server side to avoid sharing all that information in a file in source control.
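
The flow proposed above, sketched as an added example (not Bitbucket's or the reporter's code): the keys are read from the environment variables `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`, assumed here to be set as secured variables rather than committed, and `aws ecr get-login-password` piped to `docker login --password-stdin` is used in place of `eval $(aws ecr get-login ...)`. The function names are hypothetical.

```shell
#!/bin/sh
# Added example. Inputs come from environment variables (assumed to be secured
# pipeline variables), never from bitbucket-pipelines.yml itself.

# Write ~/.aws/credentials in the format shown above, readable by the owner only.
write_aws_credentials() {
    if [ -z "${AWS_ACCESS_KEY_ID:-}" ] || [ -z "${AWS_SECRET_ACCESS_KEY:-}" ]; then
        echo "AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY must be set" >&2
        return 1
    fi
    (
        umask 077    # new directory 0700, new file 0600
        mkdir -p "$HOME/.aws" &&
        printf '[default]\naws_access_key_id = %s\naws_secret_access_key = %s\n' \
            "$AWS_ACCESS_KEY_ID" "$AWS_SECRET_ACCESS_KEY" \
            > "$HOME/.aws/credentials" &&
        chmod 600 "$HOME/.aws/credentials"    # tighten a pre-existing file too
    )
}

# The registry host is the part of the image name before the first "/".
registry_of() {
    case "$1" in
        */*) printf '%s\n' "${1%%/*}" ;;
        *)   echo "image name has no registry host: $1" >&2; return 1 ;;
    esac
}

# Log in and pull. The short-lived token reaches docker on stdin, so it is not
# placed on a command line and nothing returned by the API is run as shell code.
ecr_pull() {
    image=$1
    region=$2
    registry=$(registry_of "$image") || return 1
    write_aws_credentials || return 1
    aws ecr get-login-password --region "$region" |
        docker login --username AWS --password-stdin "$registry" || return 1
    docker pull "$image"
}
```

`ecr_pull <aws-ecr-image> <region>` runs the three steps in order and stops at the first failure.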