The self-hosted Bitbucket Pipelines runner can be configured to pull images from ECR, which may involve a call out to the AWS STS service (e.g. if trying to pull images using OIDC). When the runner is inside a private VPC, using VPC endpoints to allow traffic to ECR and STS, the runner fails when trying to pull images.
Due to the default behaviour of the AWS Java SDK (https://github.com/aws/aws-sdk-java/issues/2362), the AWS STS client will always try to use the global endpoint (sts.amazonaws.com) even when it is configured with a region. The global endpoint is not reachable from a private VPC, since traffic out to the public internet is restricted, whereas the STS VPC endpoint only serves the regional endpoint. For this to work, the AWS STS client must instead use the regional endpoint.
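The following is an added example (not code from the Bitbucket runner or from the linked issue) showing, with the AWS SDK for Java v1 API, the difference between an STS client that only sets a region and one that is pinned to the regional endpoint. The region, role ARN and OIDC token are assumed placeholders; the exchange shown is the OIDC-to-credentials step that the runner performs before pulling from ECR.

```java
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.AnonymousAWSCredentials;
import com.amazonaws.client.builder.AwsClientBuilder.EndpointConfiguration;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
import com.amazonaws.services.securitytoken.model.AssumeRoleWithWebIdentityRequest;
import com.amazonaws.services.securitytoken.model.AssumeRoleWithWebIdentityResult;
import com.amazonaws.services.securitytoken.model.Credentials;

public class RegionalStsExample {

    // Region hosting the private VPC, its STS interface endpoint and the ECR registry (assumed).
    private static final String REGION = "us-east-1";

    /**
     * The problematic form: only a region is set. Per the linked SDK issue the client
     * still resolves to the global endpoint sts.amazonaws.com, which the VPC endpoint
     * does not serve, so from a private VPC the connection is reset.
     */
    public static AWSSecurityTokenService regionOnlyStsClient(String region) {
        return AWSSecurityTokenServiceClientBuilder.standard()
                .withRegion(region)
                .build();
    }

    /**
     * The working form: the endpoint is pinned explicitly to the regional hostname,
     * which the STS VPC endpoint (with private DNS enabled) resolves to private IPs.
     * AssumeRoleWithWebIdentity is an unsigned call, so anonymous credentials are used
     * instead of the default credential chain.
     */
    public static AWSSecurityTokenService regionalStsClient(String region) {
        String regionalEndpoint = "https://sts." + region + ".amazonaws.com";
        return AWSSecurityTokenServiceClientBuilder.standard()
                .withEndpointConfiguration(new EndpointConfiguration(regionalEndpoint, region))
                .withCredentials(new AWSStaticCredentialsProvider(new AnonymousAWSCredentials()))
                .build();
    }

    /** Exchanges the runner's OIDC token for temporary credentials used for the ECR pull. */
    public static Credentials credentialsFromOidc(AWSSecurityTokenService sts,
                                                  String roleArn, String oidcToken) {
        AssumeRoleWithWebIdentityRequest request = new AssumeRoleWithWebIdentityRequest()
                .withRoleArn(roleArn)
                .withRoleSessionName("bitbucket-runner-ecr-pull")
                .withWebIdentityToken(oidcToken);
        AssumeRoleWithWebIdentityResult result = sts.assumeRoleWithWebIdentity(request);
        return result.getCredentials();
    }

    public static void main(String[] args) {
        // Placeholder values; a real runner supplies the role ARN and token from its configuration.
        String roleArn = "arn:aws:iam::123456789012:role/PLACEHOLDER-bitbucket-ecr-pull";
        String oidcToken = System.getenv("BITBUCKET_STEP_OIDC_TOKEN"); // assumed to be set by the step

        AWSSecurityTokenService sts = regionalStsClient(REGION);
        Credentials creds = credentialsFromOidc(sts, roleArn, oidcToken);
        System.out.println("Temporary credentials expire at " + creds.getExpiration());
    }
}
```

A quick way to confirm which endpoint the runner can actually reach is to resolve both hostnames from inside the VPC: with private DNS enabled on the STS interface endpoint, `sts.us-east-1.amazonaws.com` resolves to private addresses in the VPC, while `sts.amazonaws.com` still resolves to public addresses that the VPC cannot reach. Any client that ends up on the latter will show the connection reset described in this issue.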
Steps to reproduce:
- Push an image into a private ECR registry.
- Configure the necessary IAM and OIDC configuration to allow the image to be pulled by a Bitbucket Pipelines self-hosted runner.
- Launch a self-hosted runner into a private VPC, with private (VPC) endpoints configured to allow traffic to STS and ECR.
- Run a step that tries to pull an image from ECR using OIDC. The call made to STS to generate credentials for the pull fails with a connection reset error, because the AWS client attempts to talk to STS over the public internet, where traffic is blocked.
Expected result:
The step should complete successfully.
Actual result:
The step fails with a connection reset error when talking to STS.
Workaround:
Users can allow access from their VPC out to the global STS endpoint. This is not ideal, as it requires traffic to flow from the private VPC out to the public internet.