LinuxCommandLibrary

aws-ecr

Manage Amazon Elastic Container Registry (ECR) repositories

TLDR

Authenticate Docker with the default registry (username is AWS)

$ aws ecr get-login-password --region [region] | [docker login] --username AWS --password-stdin [aws_account_id].dkr.ecr.[region].amazonaws.com

Create a repository
$ aws ecr create-repository --repository-name [repository] --image-scanning-configuration scanOnPush=[true|false] --region [region]

Tag a local image for ECR
$ docker tag [container_name]:[tag] [aws_account_id].dkr.ecr.[region].amazonaws.com/[container_name]:[tag]

Push an image to a repository
$ docker push [aws_account_id].dkr.ecr.[region].amazonaws.com/[container_name]:[tag]

Pull an image from a repository
$ docker pull [aws_account_id].dkr.ecr.[region].amazonaws.com/[container_name]:[tag]

Delete an image from a repository
$ aws ecr batch-delete-image --repository-name [repository] --image-ids imageTag=[latest]

Delete a repository
$ aws ecr delete-repository --repository-name [repository] --force

List images within a repository
$ aws ecr list-images --repository-name [repository]

SYNOPSIS

The aws ecr command is a subcommand of the main aws CLI tool. Its general synopsis is:

aws ecr command [options]

Where command represents an ECR specific action (e.g., create-repository, get-login-password, list-images), and options are parameters specific to that ECR subcommand, or global AWS CLI options.

PARAMETERS

--region
    Specifies the AWS region to send the request to (e.g., us-east-1).

--output
    Specifies the output format (e.g., json, text, table) for the command's response.

--profile
    Specifies the named profile to use from your AWS credentials file.

--cli-input-json
    Reads arguments from a JSON string provided as a value or file path.

--endpoint-url
    Specifies the endpoint URL to use for the ECR service.

--no-verify-ssl
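    Disables SSL/TLS certificate verification for the request. The CLI verifies certificates by default; with this flag the endpoint is no longer authenticated.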

--debug
    Turn on debug logging, providing detailed request/response information.


Each aws ecr subcommand has its own set of specific parameters (e.g., --repository-name for create-repository, --image-ids for batch-delete-image).

DESCRIPTION

Amazon Elastic Container Registry (ECR) is a fully-managed Docker container registry that makes it easy for developers to store, manage, and deploy Docker container images. The aws ecr command line interface (as part of the aws CLI) allows users to programmatically interact with ECR.

It provides functionalities such as creating and managing repositories, pushing and pulling images, setting repository policies, and managing lifecycle rules. aws ecr integrates seamlessly with other AWS services like ECS, EKS, Fargate, and Lambda, enabling a streamlined container workflow from development to production. Users leverage aws ecr to automate container image management tasks, secure image storage, and enforce access controls within the AWS ecosystem.

CAVEATS

  • Authentication and Permissions: Requires valid AWS credentials configured via aws configure or environment variables. The IAM user/role must have appropriate ECR permissions to perform desired actions.
  • Region Specificity: ECR repositories are region-specific. Ensure the correct --region is used or configured, as operations in one region will not affect repositories in another.
  • Docker Integration: Pushing/pulling images requires Docker installed and correctly configured to authenticate with ECR. This typically involves using aws ecr get-login-password to obtain a temporary Docker login token.
  • Image Lifecycle Management: While powerful, setting up ECR lifecycle policies (e.g., for automated image cleanup) requires careful planning and testing to avoid unintended deletion of critical images.

DOCKER LOGIN WORKFLOW

To push or pull images from an ECR repository, your Docker client needs to be authenticated. The standard and recommended approach is to use the aws ecr get-login-password command to retrieve a temporary authorization token, which is then piped to Docker's login command:

aws ecr get-login-password --region <your-region> | docker login --username AWS --password-stdin <your-account-id>.dkr.ecr.<your-region>.amazonaws.com

This command provides a secure, short-lived credential for Docker.
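
The login step above wrapped for use in scripts, as an added example that is not part of the original page; the function names and the 12-digit account ID are constructed for illustration. It validates the account ID and region before building the registry hostname, and fetches the token before calling docker login so that a failed aws call stops the script.

```sh
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.

# Print the registry hostname in the format used on this page, or fail.
ecr_registry_host() {
    account=$1 region=$2
    # An AWS account ID is exactly 12 decimal digits.
    case $account in
        ''|*[!0-9]*) echo "invalid account id" >&2; return 1 ;;
    esac
    [ "${#account}" -eq 12 ] || { echo "invalid account id" >&2; return 1; }
    # Region: lowercase letters, digits and hyphens only (e.g. us-east-1),
    # so a stray slash or dot cannot change which host Docker talks to.
    case $region in
        ''|*[!a-z0-9-]*) echo "invalid region" >&2; return 1 ;;
    esac
    printf '%s.dkr.ecr.%s.amazonaws.com\n' "$account" "$region"
}

# Authenticate Docker to the registry; stop before docker login if no token.
ecr_login() {
    host=$(ecr_registry_host "$1" "$2") || return 1
    # Fetch the token first: in a plain pipeline the exit status is
    # docker's, not aws's, so an aws failure is not reported as such.
    token=$(aws ecr get-login-password --region "$2") || return 1
    [ -n "$token" ] || return 1
    # printf is a shell builtin, so the token never appears in a process
    # argument list; docker reads it from stdin via --password-stdin.
    printf '%s' "$token" | docker login --username AWS --password-stdin "$host"
}

# Usage (requires configured AWS credentials and a running Docker daemon):
#   ecr_login 123456789012 us-east-1   # constructed account ID
```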

COMMON ECR SUBCOMMANDS

Some frequently used aws ecr subcommands include:

  • create-repository: Creates a new ECR repository.
  • describe-repositories: Lists and describes existing ECR repositories.
  • list-images: Lists images within a specified repository.
  • delete-repository: Deletes an ECR repository (can be forced to delete non-empty repos).
  • batch-delete-image: Deletes one or more images from a repository by image digest or tag.
  • put-image: Uploads a manifest for a Docker image.
  • put-lifecycle-policy: Creates or updates the lifecycle policy for a repository.

HISTORY

Amazon Elastic Container Registry (ECR) was launched by AWS in December 2015, providing a fully managed Docker container registry service. The aws ecr command-line interface became an integral part of the AWS CLI tool, allowing developers to manage ECR resources programmatically. The AWS CLI itself has been under continuous development since its initial release, with ecr commands evolving alongside new ECR features like image scanning, pull-through caching, and cross-region replication. Its robust set of commands makes it indispensable for automating container image workflows in CI/CD pipelines on AWS.

SEE ALSO

  • aws(1): The main AWS Command Line Interface tool.
  • aws configure(1): Used to configure AWS credentials and default settings.
  • docker(1): Docker command-line utility for building, tagging, pushing, and pulling container images.
  • docker login(1): Authenticate Docker client to a private registry.
  • aws sts get-caller-identity(1): Verify the current AWS identity and account being used.
