Elastic Container Registry (ECR)

General information about Elastic Container Registry

Overview

Amazon Elastic Container Registry (ECR) is an AWS managed container image registry service for hosting Docker images, Open Container Initiative (OCI) images and OCI compatible artifacts.

Registry Configuration

URIs

public.ecr.aws/<random_value_set_by_admin>/<name>              # public repo URI
<accountId>.dkr.ecr.<region>.amazonaws.com/<repo_name>         # private repo URI

Permissions

Configured with either IAM Policy or ECR Resource Policy.

Look for misconfigured policies that allow Private repositories to be exposed! This allows all AWS principals in the world the ability to interact with this Private repository.

aws --region us-east-1 ecr get-repository-policy --repository-name tyler/my-private-registry --query policyText --output text | jq
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "allow",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "ecr:PutImage",
        "ecr:DescribeImages",
        "ecr:ListImages",
        "ecr:DescribeRepositories",
        "ecr:GetAuthorizationToken"
      ]
    }
  ]
}

Replication

Private repositories support both cross-region and cross-account replication.

Useful CLI Commands

aws ecr-public  # public repos
aws ecr         # private repos

Requires ecr:GetAuthorizationToken

Latest Method

REPO_URI=$(aws --region <region> ecr describe-repositories | jq -r '.repositories[].repositoryUri') \
aws ecr get-login-password --region <region> | \
docker login --username AWS --password-stdin $REPO_URI

Legacy Method

REGISTRY=$(aws --region us-east-1 ecr get-authorization-token --query 'authorizationData[0].proxyEndpoint' --output text) \
PASSWORD=$(echo $(aws --region us-east-1 ecr get-authorization-token --query 'authorizationData[0].authorizationToken' --output text) | base64 --decode | cut -d: -f2) \
echo "$PASSWORD" | docker login --username AWS --password-stdin "$REGISTRY"

Login Succeeded

Describe Repositories

aws ecr describe-repositories

{
    "repositories": [
        {
            "repositoryArn": "arn:aws:ecr:us-east-1:111111111111:repository/tyler/my-private-registry",
            "registryId": "111111111111",
            "repositoryName": "tyler/my-private-registry",
            "repositoryUri": "111111111111.dkr.ecr.us-east-1.amazonaws.com/tyler/my-private-registry",
            "createdAt": "2025-08-02T11:55:14.300000-06:00",
            "imageTagMutability": "MUTABLE",
            "imageScanningConfiguration": {
                "scanOnPush": false
            },
            "encryptionConfiguration": {
                "encryptionType": "AES256"
            }
        }
    ]
}

List Available Images

REPO_NAME=$(aws ecr describe-repositories | jq -r '.repositories[].repositoryName') \
aws list-images --repository-name $REPO_NAME

Push Image to Repository

You specify the Registry/Repository path i.e., 111111111111.dkr.ecr.us-east-1.amazonaws.com/tyler/my-private-registry

Then the tag of the image you want to upload i.e., ubuntu-latest

docker tag ubuntu:latest 111111111111.dkr.ecr.us-east-1.amazonaws.com/tyler/my-private-registry:ubuntu-latest

docker push 111111111111.dkr.ecr.us-east-1.amazonaws.com/tyler/my-private-registry:ubuntu-latest

PreviousAWS General Info NextAmazon Bedrock

Last updated 4 months ago

Was this helpful?

Overview

Registry Configuration

URIs

Permissions

Replication

Useful CLI Commands

Login to Registry

Latest Method

Legacy Method

Describe Repositories

List Available Images

Push Image to Repository