Amazon ECR Registries
You can use Amazon ECR registries to host your images in a highly available and scalable architecture, allowing you to deploy containers reliably for your applications. You can use your registry to manage image repositories and Docker images. Each AWS account is provided with a single (default) Amazon ECR registry.
The URL for your default registry is
By default, you have read and write access to the repositories and images you create in your default registry.
You must authenticate your Docker client to a registry so that you can use the docker push and docker pull commands to push and pull images to and from the repositories in that registry. For more information, see Registry Authentication.
Repositories can be controlled with both IAM user access policies and repository policies.
You can use the AWS Management Console, the AWS CLI, or the AWS SDKs to create and manage repositories, and to perform some actions on images, such as listing or deleting them. These clients use standard AWS authentication methods. Although technically you can use the Amazon ECR API to push and pull images, you are much more likely to use the Docker CLI (or a language-specific Docker library) for these purposes.
Because the Docker CLI does not support the standard AWS authentication methods, you must authenticate your Docker client another way so that Amazon ECR knows who is requesting to push or pull an image. If you are using the Docker CLI, then use the docker login command to authenticate to an Amazon ECR registry with an authorization token that is provided by Amazon ECR and is valid for 12 hours. The GetAuthorizationToken API operation provides a base64-encoded authorization token that contains a user name (AWS) and a password that you can decode and use in a docker login command. However, a much simpler get-login command (which retrieves the token, decodes it, and converts it to a docker login command for you) is available in the
To authenticate Docker to an Amazon ECR registry with get-login
The get-login command is available in the AWS CLI starting with version 1.9.15. You can check your AWS CLI version with the aws --version command.
Run the aws ecr get-login command. The example below is for the default registry associated with the account making the request. To access other account registries, use the --registry-ids option. For more information, see get-login in the AWS Command Line Interface Reference.
aws ecr get-login
The resulting output is a docker login command that you use to authenticate your Docker client to your Amazon ECR registry.
docker login -u AWS -p password -e none https://
Copy and paste the docker login command into a terminal to authenticate your Docker CLI to the registry. This command provides an authorization token that is valid for the specified registry for 12 hours.
If you are using Windows PowerShell, copying and pasting long strings like this will not work. Use the following command instead:
Invoke-Expression -Command (aws ecr get-login)
When you execute this docker login command, the command string can be visible to other users on your system in a process list (ps -e) display. Because the docker login command contains authentication credentials, there is a risk that other users on your system could view them this way and use them to gain push and pull access to your repositories. If you are not on a secure system, you should consider this risk and log in interactively by omitting the -p option, and then entering the password when prompted.
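The following is an added example, not part of the original page or AWS's own code: it decodes the base64 token returned by GetAuthorizationToken as described above and hands the password to Docker on standard input, so it never appears in a process list. It assumes a configured AWS CLI and a Docker CLI that supports --password-stdin; the function names and the constructed demo token are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not AWS code. Function names are this example's own.

# Print the decoded "user:password" pair carried in an ECR authorization token.
ecr_token_decode() {
    printf '%s' "$1" | base64 -d
}

# User name: everything before the first colon (the page says this is "AWS").
ecr_token_user() {
    local pair
    pair=$(ecr_token_decode "$1") || return 1
    printf '%s' "${pair%%:*}"
}

# Password: everything after the first colon, so colons inside it survive.
ecr_token_password() {
    local pair
    pair=$(ecr_token_decode "$1") || return 1
    case $pair in
        *:*) printf '%s' "${pair#*:}" ;;
        *)   return 1 ;;   # not a user:password pair
    esac
}

# Fetch a token and log Docker in to REGISTRY (assumed: the registry host name).
ecr_login() {
    local registry=$1 token user
    token=$(aws ecr get-authorization-token \
        --query 'authorizationData[0].authorizationToken' --output text) || return 1
    user=$(ecr_token_user "$token") || return 1
    [ "$user" = "AWS" ] || { echo "unexpected token user: $user" >&2; return 1; }
    # printf is a shell builtin, so the password is never placed in the
    # argument list of any process; docker reads it from stdin.
    ecr_token_password "$token" |
        docker login --username "$user" --password-stdin "$registry"
}

# Demo on a constructed token (not a real credential); no AWS or Docker call.
demo_token=$(printf 'AWS:constructed:secret' | base64)
echo "user=$(ecr_token_user "$demo_token")"
```

Source the file and call ecr_login with your registry host name to perform the actual login.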