Creating a private repository - Amazon ECR

Creating a private repository

Your container images are stored in Amazon ECR repositories. Use the following steps to create a private repository.

To create a repository (AWS Management Console)

  1. Open the Amazon ECR console at

  2. From the navigation bar, choose the Region to create your repository in.

  3. In the navigation pane, choose Repositories.

  4. On the Repositories page, choose Create repository.

  5. For Repository name, enter a unique name for your repository. The repository name can be specified on its own (for example nginx-web-app). Alternatively, it can be prepended with a namespace to group the repository into a category (for example project-a/nginx-web-app).


    The name must start with a letter and can only contain lowercase letters, numbers, hyphens (-), underscores (_), and forward slashes (/).

  6. For Tag immutability, choose the tag mutability setting for the repository. Repositories configured with immutable tags prevent image tags from being overwritten. For more information, see Image tag mutability.

  7. For Scan on push, choose the image scanning setting for the repository. Repositories that are configured to scan on push start an image scan whenever an image is pushed. If you want to start an image scan at a different time, you need to manually start the image scans. For more information, see Image scanning.

  8. For KMS encryption, choose whether to enable encryption of the images in the repository using AWS Key Management Service. By default, when KMS encryption is enabled, Amazon ECR uses an AWS managed key (KMS key) with the alias aws/ecr. This key is created in your account the first time that you create a repository with KMS encryption enabled. For more information, see Encryption at rest.

  9. When KMS encryption is enabled, select Customer encryption settings (advanced) to choose your own KMS key. The KMS key must be in the same Region as the cluster. Choose Create an AWS KMS key to navigate to the AWS KMS console to create your own key.

  10. Choose Create repository.

  11. (Optional) Select the repository that you created and choose View push commands to view the steps to push an image to your new repository.

    1. Run the login command that authenticates your Docker client to your registry by using the command from the console in a terminal window. This command provides an authorization token that is valid for 12 hours.

    2. (Optional) If you have a Dockerfile for the image to push, build the image and tag it for your new repository by using the docker build command from the console in a terminal window. Make sure that you are in the same directory as your Dockerfile.

    3. Tag the image with your Amazon ECR registry URI and your new repository by pasting the docker tag command from the console into a terminal window. The console command assumes that your image was built from a Dockerfile in the previous step. If you did not build your image from a Dockerfile, replace the first instance of repository:latest with the image ID or image name of your local image to push.

    4. Push the newly tagged image to your repository by using the docker push command in a terminal window.

    5. Choose Close.
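
The console choices in steps 5 through 10 map onto a single AWS CLI call. The following is an added example, not part of the original page: it checks a name against the step 5 rule as stated above, then builds an `aws ecr create-repository` command with immutable tags, scan on push and KMS encryption. The function names, the `DRY_RUN` variable and the sample values are assumptions for illustration.

```bash
#!/usr/bin/env bash
# Added example: AWS CLI equivalent of console steps 5-10.
# Function names, DRY_RUN and the sample values are assumptions for illustration.

# Step 5 naming rule as stated on this page: starts with a letter, then only
# lowercase letters, numbers, '-', '_' and '/'. Runs in a subshell so the
# LC_ALL=C assignment (byte-wise ranges) does not leak to the caller.
valid_repo_name() (
  LC_ALL=C
  case "$1" in
    [a-z]*) ;;                       # first character is a lowercase letter
    *) return 1 ;;                   # empty, digit, uppercase, symbol, ...
  esac
  case "$1" in
    *[!a-z0-9_/-]*) return 1 ;;      # any character outside the allowed set
  esac
  return 0
)

# Usage: create_private_repo NAME REGION [KMS_KEY_ARN]
# With DRY_RUN=1 (the default) the command is printed instead of executed.
create_private_repo() (
  name=$1 region=$2 kms_key=${3:-}
  if ! valid_repo_name "$name"; then
    echo "invalid repository name: $name" >&2
    return 2
  fi
  enc="encryptionType=KMS"          # step 8: AWS managed key, alias aws/ecr
  if [ -n "$kms_key" ]; then
    enc="$enc,kmsKey=$kms_key"      # step 9: your own KMS key
  fi
  set -- aws ecr create-repository \
    --region "$region" \
    --repository-name "$name" \
    --image-tag-mutability IMMUTABLE \
    --image-scanning-configuration scanOnPush=true \
    --encryption-configuration "$enc"
  if [ "${DRY_RUN:-1}" = 1 ]; then
    echo "$*"
  else
    "$@"
  fi
)
```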