Active Region: ap-southeast-1, Asia Pacific (Singapore)
Token Validity: 12h (ECR auth token lifetime)
Quick Configuration
Required to generate commands
Configure your AWS Account ID and settings below. All commands are generated locally — no credentials are sent to any server.
12-digit AWS account number
Must be exactly 12 digits
Named profile from ~/.aws/credentials
ECR repository name for commands
Docker image tag
Local Docker image name to tag/push
- ECR Login: Authenticate Docker to ECR registry
- Push & Pull: Tag, push, and pull Docker images
- Full Workflow: Complete bash script end-to-end
- Manage Repos: Create, list, delete repositories
- IAM Policies: Permissions and access control
- CI/CD: GitHub Actions, GitLab, Jenkins
The ECR auth token is valid for 12 hours. Run the login command before each session or add it to your CI/CD pipeline.
Docker Login to ECR
AWS CLI
Primary Login Command
$ Configure AWS Account ID first in Dashboard
This pipes the authentication token directly into docker login without exposing it in your terminal history.
Step-by-step (separate commands)
# Store token in variable
$ Configure AWS Account ID first
$ Configure AWS Account ID first
Verify Login Success
$ cat ~/.docker/config.json | grep amazonaws
Prerequisites Checklist
- AWS CLI v2 installed (aws --version)
- AWS credentials configured (aws configure)
- Docker installed and daemon running
- IAM user/role with ECR permissions
- ECR repository must exist before push
Verify AWS CLI
$ aws --version && docker --version && aws sts get-caller-identity
Tag Image
$ Configure settings first
Push Image
$ Configure settings first
Pull Image
$ Configure settings first
Build & Push (Combined)
$ Configure settings first
Push Flow
1. Build Local Image: Build your Docker image locally with docker build
2. Authenticate to ECR: Run ECR login command to get a 12-hour auth token
3. Tag the Image: Tag your local image with the full ECR registry path
4. Push to ECR: Upload the image layers to your ECR repository
Make sure the repository exists in ECR before pushing. Create it first via Manage Repos.
Lifecycle policies automate the cleanup of old images to reduce storage costs. Policies are evaluated daily.
Keep only the last 10 tagged images
$ aws ecr put-lifecycle-policy --repository-name <repo> --region ap-southeast-1 --lifecycle-policy-text '{"rules":[{"rulePriority":1,"description":"Keep last 10 images","selection":{"tagStatus":"tagged","tagPrefixList":["v"],"countType":"imageCountMoreThan","countNumber":10},"action":{"type":"expire"}}]}'
Policy JSON
{
  "rules": [
    {
      "rulePriority": 1,
      "description": "Keep last 10 tagged images",
      "selection": {
        "tagStatus": "tagged",
        "tagPrefixList": ["v"],
        "countType": "imageCountMoreThan",
        "countNumber": 10
      },
      "action": {
        "type": "expire"
      }
    }
  ]
}
Expire images older than 30 days
{
  "rules": [
    {
      "rulePriority": 1,
      "description": "Expire images older than 30 days",
      "selection": {
        "tagStatus": "any",
        "countType": "sinceImagePushed",
        "countUnit": "days",
        "countNumber": 30
      },
      "action": {
        "type": "expire"
      }
    }
  ]
}
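Remove untagged images after 1 day
ECR does not accept 0 as a countNumber, so one day is the shortest expiry window a rule can express.
{
  "rules": [
    {
      "rulePriority": 1,
      "description": "Remove untagged images older than 1 day",
      "selection": {
        "tagStatus": "untagged",
        "countType": "sinceImagePushed",
        "countUnit": "days",
        "countNumber": 1
      },
      "action": {
        "type": "expire"
      }
    }
  ]
}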
Combined: Remove untagged + keep last 5 tagged
{
  "rules": [
    {
      "rulePriority": 1,
      "description": "Remove untagged images older than 1 day",
      "selection": {
        "tagStatus": "untagged",
        "countType": "sinceImagePushed",
        "countUnit": "days",
        "countNumber": 1
      },
      "action": { "type": "expire" }
    },
    {
      "rulePriority": 2,
      "description": "Keep only last 5 production images",
      "selection": {
        "tagStatus": "tagged",
        "tagPrefixList": ["prod-", "release-"],
        "countType": "imageCountMoreThan",
        "countNumber": 5
      },
      "action": { "type": "expire" }
    }
  ]
}
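How ECR applies the combined policy above, as an added example (a simplified model written for this page, not AWS or panel code): rules are applied in rulePriority order, and a tagPrefixList with several prefixes selects only images that carry a tag for every prefix, so images tagged only prod-* are never counted by rule 2. The image names, dates and helper functions are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

POLICY = {"rules": [  # the page's "Combined" policy, selection fields only
    {"rulePriority": 1, "selection": {"tagStatus": "untagged",
        "countType": "sinceImagePushed", "countUnit": "days", "countNumber": 1}},
    {"rulePriority": 2, "selection": {"tagStatus": "tagged",
        "tagPrefixList": ["prod-", "release-"],
        "countType": "imageCountMoreThan", "countNumber": 5}},
]}

def selected(sel, image):
    """Does the rule's tag selection cover this image?"""
    tags = image["tags"]
    if sel["tagStatus"] == "untagged":
        return not tags
    if sel["tagStatus"] == "tagged":
        # Several prefixes are ANDed: the image needs a tag for every prefix.
        return bool(tags) and all(any(t.startswith(p) for t in tags)
                                  for p in sel.get("tagPrefixList", []))
    return True  # tagStatus "any"

def expired_by(policy, images, now):
    """Return {image name: rulePriority} for images the policy would expire."""
    result, claimed = {}, set()
    for rule in sorted(policy["rules"], key=lambda r: r["rulePriority"]):
        sel = rule["selection"]
        pool = sorted((i for i in images if selected(sel, i)),
                      key=lambda i: i["pushed"], reverse=True)  # newest first
        if sel["countType"] == "imageCountMoreThan":
            hits = pool[sel["countNumber"]:]        # everything past the newest N
        else:                                       # sinceImagePushed, in days
            cutoff = now - timedelta(days=sel["countNumber"])
            hits = [i for i in pool if i["pushed"] < cutoff]
        for img in hits:
            if img["name"] not in claimed:          # a lower-numbered rule owns it
                result[img["name"]] = rule["rulePriority"]
        claimed.update(i["name"] for i in pool)
    return result

def sample_images(now):
    """Constructed inventory: 2 untagged, 7 prod-only, 6 with prod- and release- tags."""
    def img(name, tags, hours):
        return {"name": name, "tags": tags, "pushed": now - timedelta(hours=hours)}
    imgs = [img("untagged-old", [], 72), img("untagged-new", [], 2)]
    imgs += [img(f"prod-only-{n}", [f"prod-{n}"], 24 * n) for n in range(1, 8)]
    imgs += [img(f"both-{n}", [f"prod-b{n}", f"release-b{n}"], 24 * n) for n in range(1, 7)]
    return imgs

NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)  # fixed so the run is repeatable
print(expired_by(POLICY, sample_images(NOW), NOW))
```

All seven prod-only images survive even though there are more than five of them; to trim each prefix independently, give each prefix its own rule.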
Complete Bash Workflow Script
Bash
Configure AWS Account ID in Dashboard first to generate workflow script.
Docker Compose Push Workflow
Configure settings first
List all repositories
$ Configure AWS Account ID first
List repos — JSON output (for scripting)
$ Configure AWS Account ID first
Create repository with scan-on-push enabled
$ Configure settings first
Create with immutable tags (recommended for production)
$ Configure settings first
Deleting a repository permanently removes ALL images inside it. This action cannot be undone.
Delete repository (with force — removes all images)
$ Configure settings first
Allow cross-account pull access
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCrossAccountPull",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::OTHER_ACCOUNT_ID:root"
      },
      "Action": [
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "ecr:BatchCheckLayerAvailability"
      ]
    }
  ]
}
Apply repository policy
$ Configure settings first
List all images in a repository
$ Configure settings first
List only untagged images
$ Configure settings first
Deleting image digests is permanent. Consider using lifecycle policies for automated cleanup.
Delete image by tag
$ Configure settings first
Delete ALL untagged images (cleanup)
$ Configure settings first
Re-tag an image without pulling (ECR native)
$ Configure settings first
Save image to tar.gz file
$ Configure settings first
Load image from tar.gz file
$ Configure settings first
ECR image scanning uses the Common Vulnerabilities and Exposures (CVE) database. Enable scan-on-push for automatic security analysis.
Enable scan-on-push for a repository
$ Configure settings first
Manually trigger image scan
$ Configure settings first
Get scan findings for an image
$ Configure settings first
IAM Policy — Push & Pull Access
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ECRAuthToken",
      "Effect": "Allow",
      "Action": "ecr:GetAuthorizationToken",
      "Resource": "*"
    },
    {
      "Sid": "ECRPushPull",
      "Effect": "Allow",
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "ecr:PutImage",
        "ecr:InitiateLayerUpload",
        "ecr:UploadLayerPart",
        "ecr:CompleteLayerUpload",
        "ecr:DescribeRepositories",
        "ecr:DescribeImages",
        "ecr:ListImages"
      ],
      "Resource": "arn:aws:ecr:ap-southeast-1:ACCOUNT_ID:repository/*"
    }
  ]
}
IAM Policy — Pull Only (Read-Only)
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ECRAuthToken",
      "Effect": "Allow",
      "Action": "ecr:GetAuthorizationToken",
      "Resource": "*"
    },
    {
      "Sid": "ECRPullOnly",
      "Effect": "Allow",
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "ecr:DescribeRepositories",
        "ecr:DescribeImages",
        "ecr:ListImages"
      ],
      "Resource": "arn:aws:ecr:ap-southeast-1:ACCOUNT_ID:repository/*"
    }
  ]
}
IAM Policy — Full Admin Access
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ECRFullAccess",
      "Effect": "Allow",
      "Action": "ecr:*",
      "Resource": "*"
    }
  ]
}
IAM Policy — CI/CD Pipeline Role (GitHub Actions / GitLab)
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ECRLogin",
      "Effect": "Allow",
      "Action": "ecr:GetAuthorizationToken",
      "Resource": "*"
    },
    {
      "Sid": "ECRBuildPush",
      "Effect": "Allow",
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "ecr:PutImage",
        "ecr:InitiateLayerUpload",
        "ecr:UploadLayerPart",
        "ecr:CompleteLayerUpload",
        "ecr:DescribeImages",
        "ecr:DescribeRepositories",
        "ecr:CreateRepository",
        "ecr:TagResource"
      ],
      "Resource": "arn:aws:ecr:ap-southeast-1:ACCOUNT_ID:repository/*"
    }
  ]
}
GitHub Actions Workflow — Build & Push to ECR
name: Build and Push to ECR
on:
  push:
    branches: [main]
env:
  AWS_REGION: ap-southeast-1
  ECR_REPOSITORY: my-app
jobs:
  build-push:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::ACCOUNT_ID:role/github-actions-ecr-role
          aws-region: ${{ env.AWS_REGION }}
      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v2
      - name: Build, tag, and push image
        env:
          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
          IMAGE_TAG: ${{ github.sha }}
        run: |
          docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG .
          docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
          docker tag $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG $ECR_REGISTRY/$ECR_REPOSITORY:latest
          docker push $ECR_REGISTRY/$ECR_REPOSITORY:latest
          echo "image=$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" >> $GITHUB_OUTPUT
GitLab CI/CD — .gitlab-ci.yml
variables:
  AWS_REGION: ap-southeast-1
  ECR_REPO: my-app
  IMAGE_TAG: $CI_COMMIT_SHORT_SHA
stages:
  - build
  - push
build-and-push:
  stage: push
  image: docker:24-dind
  services:
    - docker:24-dind
  variables:
    DOCKER_TLS_CERTDIR: "/certs"
  before_script:
    - apk add --no-cache aws-cli
    - aws ecr get-login-password --region $AWS_REGION |
      docker login --username AWS --password-stdin
      $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com
  script:
    - docker build -t $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$ECR_REPO:$IMAGE_TAG .
    - docker push $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$ECR_REPO:$IMAGE_TAG
  only:
    - main
Jenkinsfile — Declarative Pipeline
pipeline {
    agent any
    environment {
        AWS_REGION = 'ap-southeast-1'
        ECR_REPO = 'my-app'
        REGISTRY = "${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com"
    }
    stages {
        stage('ECR Login') {
            steps {
                withAWS(region: "${AWS_REGION}", credentials: 'aws-credentials') {
                    sh '''
                        aws ecr get-login-password --region $AWS_REGION |
                        docker login --username AWS --password-stdin $REGISTRY
                    '''
                }
            }
        }
        stage('Build') {
            steps {
                sh 'docker build -t $ECR_REPO:$BUILD_NUMBER .'
            }
        }
        stage('Push') {
            steps {
                sh '''
                    docker tag $ECR_REPO:$BUILD_NUMBER $REGISTRY/$ECR_REPO:$BUILD_NUMBER
                    docker push $REGISTRY/$ECR_REPO:$BUILD_NUMBER
                '''
            }
        }
    }
}
Bitbucket Pipelines — bitbucket-pipelines.yml
image: atlassian/default-image:4
pipelines:
  branches:
    main:
      - step:
          name: Build and Push to ECR
          services:
            - docker
          script:
            - pipe: atlassian/aws-ecr-push-image:2.2.0
              variables:
                AWS_ACCESS_KEY_ID: $AWS_ACCESS_KEY_ID
                AWS_SECRET_ACCESS_KEY: $AWS_SECRET_ACCESS_KEY
                AWS_DEFAULT_REGION: 'ap-southeast-1'
                IMAGE_NAME: 'my-app'
About
AWS ECR Management Panel
A comprehensive CLI command generator for Amazon Elastic Container Registry.
- All commands generated client-side
- No credentials stored or transmitted
- Supports all AWS regions
- AWS CLI v2 compatible
- Docker Engine compatible
Region: ap-southeast-1 (Singapore)