Log into registry in another account in different region under a self-hosted environment
I’m in a situation where I need to authenticate to an ECR registry in a different account and region than where the self-hosted runner is running in. This is part of an internal project of migrating AWS accounts but still needing to access resources within the account we’re moving away from.
A self-hosted runner in Account A (in region us-west-2) has an IAM instance profile that allows it to assume a role in Account B to push images to the ECR registry (in region us-east-1), amongst many other things.
I can successfully assume the role in Account B using aws-actions/configure-aws-credentials@v1, but since the region input is for the initial client, aws-actions/amazon-ecr-login implicitly inherits it when it authenticates to ECR. I need it to use a different region.
At first I thought I could modify the region in its own step:

```yaml
# there is a step prior that assumes the role
# ....
- name: Set AWS region to us-east-1
  run: aws configure set default.region us-east-1
- name: Login to Amazon ECR
  id: login-ecr
  uses: aws-actions/amazon-ecr-login@v1
- name: Build, tag, and push image to Account B AWS ECR
  run: |
    docker build -t $ACCT_B_ECR_REGISTRY/$ECR_REPOSITORY:$VERSION .
    docker push $ACCT_B_ECR_REGISTRY/$ECR_REPOSITORY:$VERSION
```

But it didn’t work. This GitHub Action still authenticated to the ECR registry in the us-west-2 region.
Then I thought to run AWS ECR commands directly to specify the region:
```yaml
# there is a step prior that assumes the role
# ....
- name: Login to Account B ECR
  run: |
    aws ecr get-login-password --region $ACCT_B_REGION | \
      docker login --username AWS --password-stdin $ACCT_B_ECR_REGISTRY
- name: Build, tag, and push image to Account B AWS ECR
  run: |
    docker build -t $ACCT_B_ECR_REGISTRY/$ECR_REPOSITORY:$VERSION .
    docker push $ACCT_B_ECR_REGISTRY/$ECR_REPOSITORY:$VERSION
```
This works, but it replaces this convenient GitHub Action. It would be nice, despite it being very uncommon, if I could just provide this GitHub Action the region I need to authenticate into. This approach also stores the credentials unencrypted: `WARNING! Your password will be stored unencrypted in /root/.docker/config.json.`
Another approach I took is using aws-actions/configure-aws-credentials@v1 again to use the temporary assumed-role credentials (set to environment variables in a previous step) to set the region for subsequent steps.
```yaml
# there is a step prior that assumes the role
# ....
- name: Configure temp AWS credentials for ECR login
  uses: aws-actions/configure-aws-credentials@v1
  with:
    aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }}
    aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}
    aws-session-token: ${{ env.AWS_SESSION_TOKEN }}
    aws-region: us-east-1
- name: Login to Amazon ECR
  id: login-ecr
  uses: aws-actions/amazon-ecr-login@v1
- name: Build, tag, and push image to Account B AWS ECR
  env:
    ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
  run: |
    docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$VERSION .
    docker push $ECR_REGISTRY/$ECR_REPOSITORY:$VERSION
```
This worked but adds another step to the job.
So, is there a simpler way to do this than what I’ve done above? Is there a simpler way to modify the region before running this GitHub Action? If not, could we add a region input to this GitHub Action? I can work on this if this is something desired.
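As an added example, not code from the issue author or from the aws-actions projects, the flow above can be written as one workflow that overrides the region on the login step alone. It relies on two things: configure-aws-credentials exports AWS_REGION and AWS_DEFAULT_REGION to the job environment, and amazon-ecr-login resolves its region through the AWS SDK, which reads those environment variables ahead of the shared config file that `aws configure set` writes (which is why the first attempt above kept authenticating to us-west-2). The account ID, role name, repository name and branch are placeholders, and the expectation that a step-level `env:` entry takes precedence over a value exported earlier in the job is an assumption to confirm on your runner.

```yaml
# Added example (not the issue author's or the action's own code).
# Cross-account, cross-region ECR push from a self-hosted runner in Account A
# (us-west-2) to a registry in Account B (us-east-1). All IDs are placeholders.
name: push-to-account-b-ecr

on:
  push:
    branches: [main]          # placeholder trigger

permissions:
  contents: read              # nothing else is needed for this job

env:
  ECR_REPOSITORY: my-service  # placeholder repository name in Account B
  ACCT_B_REGION: us-east-1    # region of Account B's registry

jobs:
  build-and-push:
    runs-on: self-hosted      # runner in Account A with an instance profile

    steps:
      - uses: actions/checkout@v3

      # 1. Assume the cross-account role with the instance-profile credentials.
      #    aws-region here is the STS/initial-client region; the action exports
      #    AWS_REGION/AWS_DEFAULT_REGION=us-west-2 to every later step.
      - name: Assume ECR push role in Account B
        uses: aws-actions/configure-aws-credentials@v1
        with:
          role-to-assume: arn:aws:iam::222222222222:role/ecr-push   # placeholder ARN
          role-session-name: gha-${{ github.run_id }}               # traceable in CloudTrail
          role-duration-seconds: 900                                # shortest allowed; push only
          aws-region: us-west-2

      # 2. Override the region for this step only. The action's SDK client reads
      #    AWS_REGION from the environment, so no extra credential step is needed.
      #    (Assumption: step env overrides the job-wide exported value.)
      - name: Login to Account B ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v1
        env:
          AWS_REGION: ${{ env.ACCT_B_REGION }}
          AWS_DEFAULT_REGION: ${{ env.ACCT_B_REGION }}

      # 3. Tag with the commit SHA so the pushed image is traceable to source.
      - name: Build, tag, and push image to Account B AWS ECR
        env:
          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
          IMAGE_TAG: ${{ github.sha }}
        run: |
          docker build -t "$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" .
          docker push "$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG"

      # 4. Defensive cleanup on a long-lived self-hosted runner: docker login
      #    stored the registry token in plaintext in ~/.docker/config.json.
      - name: Logout of Account B ECR
        if: always()
        run: docker logout "${{ steps.login-ecr.outputs.registry }}"
```

If the raw `aws ecr get-login-password | docker login` route is kept instead, the plaintext-password warning can be avoided entirely by installing amazon-ecr-credential-helper (`docker-credential-ecr-login`) on the runner and mapping the Account B registry hostname to it under `credHelpers` in `~/.docker/config.json`; the helper then fetches a fresh token from the assumed-role credentials at each pull or push and nothing is written to disk.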
Issue Analytics
- Created 2 years ago
- Reactions: 14
- Comments: 6
Top GitHub Comments
running into the same issue, had to resort to writing the following script:
Having the same issue with logging in to the ECR repo from another account, but in the same region.