
10.3.1.1 ECR IAM Authentication

A focused guide to ECR IAM Authentication, connecting core concepts with practical Docker and container operations.

ECR IAM authentication uses AWS's own Identity and Access Management system to control who can push to and pull from an ECR repository, replacing a traditional standalone username and password with permissions granted through AWS's existing, broader access control infrastructure.

How IAM-Based Authentication Works for ECR

Rather than a registry-specific credential, ECR access is granted through IAM policies attached to a user, role, or service, with the AWS CLI used to obtain a temporary authentication token reflecting those permissions.

aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin 123456789.dkr.ecr.us-east-1.amazonaws.com

This command obtains a temporary token based on the currently authenticated AWS identity's actual IAM permissions, rather than any separate, registry-specific login.

Defining an IAM Policy Scoped to ECR Access

A policy can grant exactly the ECR-related permissions a given user or role actually needs, following the general principle of least privilege.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ecr:GetAuthorizationToken",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "ecr:BatchCheckLayerAvailability"
      ],
      "Resource": "arn:aws:ecr:us-east-1:123456789:repository/myapp"
    }
  ]
}

A policy this narrowly scoped grants only pull-related permissions for one specific repository, without push (layer upload, ecr:PutImage) or administrative access. The ecr:GetAuthorizationToken grant that the login step calls is not repository-scoped, so it has to be allowed on Resource "*"; scoping it to the repository ARN makes the docker login fail even though the repository permissions themselves are correct.
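As an added example that is not part of the original guide, the following offline checker evaluates the pull-only policy above the way a pre-flight review would: it completes it with the ecr:GetAuthorizationToken grant the login step needs and reports which of the actions a docker pull or docker push exercises are left uncovered. The simplified evaluator (explicit Deny wins, then any Allow, else implicit deny) and the pull/push action lists are assumptions for illustration; a live check against real identities is what aws iam simulate-principal-policy is for.

```python
import json
import re
# Constructed example: the page's pull-only statement, completed with the
# ecr:GetAuthorizationToken grant that `aws ecr get-login-password` needs.
# That action is not repository-scoped, so it must be granted on Resource "*".
REPO = "arn:aws:ecr:us-east-1:123456789:repository/myapp"
PULL_ONLY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability"],
     "Resource": "%s"}
  ]
}""" % REPO)

# Assumed action -> resource pairs that a docker pull / docker push exercises.
PULL_ACTIONS = {"ecr:GetAuthorizationToken": "*", "ecr:BatchCheckLayerAvailability": REPO,
                "ecr:GetDownloadUrlForLayer": REPO, "ecr:BatchGetImage": REPO}
PUSH_ACTIONS = {"ecr:GetAuthorizationToken": "*", "ecr:BatchCheckLayerAvailability": REPO,
                "ecr:InitiateLayerUpload": REPO, "ecr:UploadLayerPart": REPO,
                "ecr:CompleteLayerUpload": REPO, "ecr:PutImage": REPO}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' a single one."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def is_allowed(policy, action, resource):
    """Simplified identity-policy evaluation: explicit Deny wins, then any matching
    Allow grants, else implicit deny. Conditions and NotAction/NotResource are not modelled."""
    allowed = False
    for stmt in policy["Statement"]:
        # Action names are case-insensitive in IAM; resource ARNs are matched as written.
        if not any(_matches(a, action, True) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_matches(r, resource) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def missing_permissions(policy, required):
    """(action, resource) pairs in `required` that the policy does not grant."""
    return [(a, r) for a, r in required.items() if not is_allowed(policy, a, r)]
```

Running missing_permissions(PULL_ONLY_POLICY, PUSH_ACTIONS) lists exactly the upload and PutImage actions, which is the concrete evidence that the policy cannot be used to push.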

Why This Integrates Naturally With Other AWS Workloads

A compute service running within AWS, granted an appropriate IAM role, can pull from ECR without needing any separately managed registry credential at all, relying entirely on the role's own granted permissions.

aws sts get-caller-identity

Confirming the currently active AWS identity helps verify which specific IAM permissions are actually in effect for a given authentication attempt.

Why ECR IAM Authentication Matters

Using IAM for ECR access control means registry permissions are managed consistently alongside every other AWS resource's access control, avoiding the need for a separate, registry-specific credential system and benefiting from AWS's broader, more comprehensive access management capabilities.