LinuxCommandLibrary

aws-ecr

Manage Amazon Elastic Container Registry (ECR) repositories

TLDR

Authenticate Docker with the default registry (username is AWS)

$ aws ecr get-login-password --region [region] | [docker login] --username AWS --password-stdin [aws_account_id].dkr.ecr.[region].amazonaws.com

Create a repository
$ aws ecr create-repository --repository-name [repository] --image-scanning-configuration scanOnPush=[true|false] --region [region]

Tag a local image for ECR
$ docker tag [container_name]:[tag] [aws_account_id].dkr.ecr.[region].amazonaws.com/[container_name]:[tag]

Push an image to a repository
$ docker push [aws_account_id].dkr.ecr.[region].amazonaws.com/[container_name]:[tag]

Pull an image from a repository
$ docker pull [aws_account_id].dkr.ecr.[region].amazonaws.com/[container_name]:[tag]

Delete an image from a repository
$ aws ecr batch-delete-image --repository-name [repository] --image-ids imageTag=[latest]

Delete a repository
$ aws ecr delete-repository --repository-name [repository] --force

List images within a repository
$ aws ecr list-images --repository-name [repository]
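
The login, tag and push steps above combined into one checked shell procedure, as an added example that is not part of the original page. The function names are assumptions, and the local image is assumed to be named after the repository, as in the tag command above.

```sh
#!/bin/sh
# Added example: function names are hypothetical, not part of the AWS CLI.

# Print the registry host for an account/region, or fail on malformed input,
# so the login password is only ever sent to a well-formed ECR hostname.
ecr_registry() {
    account=$1 region=$2
    case $account in ''|*[!0-9]*) return 1 ;; esac
    [ "${#account}" -eq 12 ] || return 1
    case $region in ''|*[!a-z0-9-]*) return 1 ;; esac
    printf '%s.dkr.ecr.%s.amazonaws.com\n' "$account" "$region"
}

# Print the full ECR image reference for a repository and tag.
ecr_image_ref() {
    registry=$(ecr_registry "$1" "$2") || return 1
    case $3 in ''|*[!a-z0-9._/-]*) return 1 ;; esac
    case $4 in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
    printf '%s/%s:%s\n' "$registry" "$3" "$4"
}

# Log in, tag and push. The password is fetched first so that a failed
# "aws ecr get-login-password" stops the run instead of piping empty input
# into docker login; it is passed on stdin, never as a command argument.
ecr_push() {
    account=$1 region=$2 repo=$3 tag=$4
    registry=$(ecr_registry "$account" "$region") || { echo "bad account/region" >&2; return 2; }
    ref=$(ecr_image_ref "$account" "$region" "$repo" "$tag") || { echo "bad repo/tag" >&2; return 2; }
    password=$(aws ecr get-login-password --region "$region") || return 1
    [ -n "$password" ] || return 1
    printf '%s' "$password" | docker login --username AWS --password-stdin "$registry" || return 1
    unset password
    docker tag "$repo:$tag" "$ref" && docker push "$ref"
}
```

Source the file and call `ecr_push 123456789012 us-west-2 my-repo v1` (constructed values) from a shell that has working AWS credentials and Docker available.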

SYNOPSIS

aws ecr [global-options] SUBCOMMAND [subcommand-options] [arguments]

PARAMETERS

--debug
    Turn on debug logging

--endpoint-url TEXT
    Override default endpoint URL

--no-verify-ssl
    Disable SSL certificate verification

--no-paginate
    Disable automatic pagination

--output TEXT
    Output format (json|text|table)

--query TEXT
    JMESPath query for response filtering

--profile TEXT
    Use specific credential profile

--region TEXT
    AWS region (e.g., us-east-1)

--version
    Display version information

--generate-cli-skeleton
    Print JSON skeleton for input

--cli-input-json TEXT
    Perform action using JSON input

--color
    Enable colored output

--no-cli-pager
    Disable CLI pager

--cli-auto-prompt
    Enable interactive prompt mode

DESCRIPTION

aws ecr is a subcommand of the AWS Command Line Interface (CLI) for interacting with Amazon Elastic Container Registry (ECR), a managed Docker container registry service.

Amazon ECR enables secure storage, management, sharing, and deployment of container images. With aws ecr, you can create/delete repositories, push/pull images, get authorization tokens for Docker login, scan images for vulnerabilities, manage lifecycle policies to automate cleanup, set repository policies, and configure cross-region replication.

Key use cases include CI/CD pipelines (e.g., with Jenkins, GitHub Actions), Kubernetes (EKS/ECS) deployments, and image vulnerability management. Operations require AWS credentials (IAM users/roles) with ECR permissions like ecr:GetAuthorizationToken.

AWS CLI v2 is recommended (install via pip install awscli or an OS package manager); configure it with aws configure. Supports JSON, YAML, and table output. Pagination is handled automatically unless disabled.

Examples: aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin ACCOUNT.dkr.ecr.us-west-2.amazonaws.com for login; aws ecr create-repository --repository-name my-repo --region us-west-2.

Integrates with IAM, VPC endpoints for private access, and supports private repositories with encryption.

CAVEATS

Requires AWS CLI installed/configured and internet access (or VPC endpoint). Not all subcommands available in every region. High-volume ops may hit throttling limits. Use IAM least-privilege policies. Docker login token expires after 12 hours.

COMMON SUBCOMMANDS

create-repository, describe-repositories, get-authorization-token, put-image, start-image-scan, set-repository-policy, delete-repository (full list via aws ecr help)

AUTHENTICATION

Use aws ecr get-login-password for Docker/ECR login. Tokens valid 12h. Requires ecr:GetAuthorizationToken permission.

HISTORY

Introduced in AWS CLI v1.7.40 (2014) with ECR public launch. Enhanced in CLI v2 (2020) for better performance/multiplexing. Subcommands expanded with features like image scanning (2019), replication (2018).

SEE ALSO

docker(1), podman(1), aws(1)
