10.3.1 Amazon ECR

A focused guide to Amazon ECR, connecting core concepts with practical Docker and container operations.

Amazon ECR (Elastic Container Registry) is AWS's own managed container registry service, providing tightly integrated image storage for workloads deployed on AWS, with authentication and access control built directly on top of AWS's existing identity and access management infrastructure.

Creating an ECR Repository

A repository within ECR is created explicitly before images can be pushed to it.

aws ecr create-repository --repository-name myapp

Authenticating With ECR

Rather than a traditional username and password, ECR authentication uses a temporary token obtained through the AWS CLI, tied to the authenticated AWS identity making the request.

aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin 123456789.dkr.ecr.us-east-1.amazonaws.com

This temporary token expires after a relatively short period, requiring this authentication step to be repeated periodically rather than relying on a single, long-lived credential.
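
The token behind this login can be inspected to decide when the step has to be repeated. The Python sketch below is an added example, not part of the original guide: it parses a constructed sample shaped like the JSON returned by `aws ecr get-authorization-token` (an AWS CLI command not shown above), checks the `AWS` username used in the `docker login` command, and flags a token that is close to expiry. The function names, the 15-minute margin and the sample values are assumptions.

```python
import base64
import json
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like `aws ecr get-authorization-token` output.
# The token is base64("AWS:<password>"); this password is a dummy value.
SAMPLE_RESPONSE = json.dumps({
    "authorizationData": [{
        "authorizationToken": base64.b64encode(b"AWS:dummy-not-a-real-password").decode(),
        "expiresAt": "2024-05-01T22:00:00+00:00",
        "proxyEndpoint": "https://123456789.dkr.ecr.us-east-1.amazonaws.com",
    }]
})


def parse_expiry(value):
    """Return an aware UTC datetime from an ISO 8601 string or epoch seconds.

    The CLI can emit either form depending on its timestamp settings.
    """
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, tz=timezone.utc)
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def inspect_token(response_json, now, margin=timedelta(minutes=15)):
    """Summarise a token without returning or logging the password."""
    entry = json.loads(response_json)["authorizationData"][0]
    decoded = base64.b64decode(entry["authorizationToken"]).decode()
    username, sep, password = decoded.partition(":")
    if not sep or not password:
        raise ValueError("token is not in user:password form")
    expires_at = parse_expiry(entry["expiresAt"])
    return {
        "registry": entry["proxyEndpoint"].split("://", 1)[-1],
        "username": username,  # the value passed to docker login --username
        "expires_at": expires_at,
        # Re-authenticate slightly early so a long push does not outlive the token.
        "needs_relogin": now >= expires_at - margin,
    }


if __name__ == "__main__":
    print(inspect_token(SAMPLE_RESPONSE, datetime.now(timezone.utc)))
```

Because the decoded value contains a working registry password for the lifetime of the token, the sketch keeps it out of the returned summary and out of any printed output.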

Pushing an Image to ECR

Once authenticated, pushing follows the same pattern as any other registry, using ECR's specific repository URI.

docker tag myapp:1.0 123456789.dkr.ecr.us-east-1.amazonaws.com/myapp:1.0
docker push 123456789.dkr.ecr.us-east-1.amazonaws.com/myapp:1.0

Why ECR Integrates Naturally With Other AWS Services

Services like ECS or EKS, when deployed within the same AWS account, can pull from ECR using the same underlying AWS identity and access management, without needing a separate, manually managed registry credential.

aws ecs update-service --cluster my-cluster --service my-service --force-new-deployment

A deployment like this can pull directly from ECR using permissions already granted through AWS IAM, without any additional registry-specific authentication step.

Why Amazon ECR Matters

For workloads deployed on AWS, ECR's tight integration with AWS's existing identity, access management, and compute services typically provides a more seamless registry experience than configuring and authenticating with an external registry separately.
