Skip to content
Latchkey

aws-actions/amazon-ecr-login

Log in to Amazon ECR so a workflow can pull and push container images.

Official actionCategory: Cloud Auth & DeployLatest v2View on GitHub

What it does

aws-actions/amazon-ecr-login logs the Docker CLI into ECR using the AWS credentials configured earlier in the job, so build and push steps can use your ECR registry.

It outputs the registry URL to build the full image tag.

Usage

workflow (.yml)
steps:
  - uses: aws-actions/configure-aws-credentials@v4
    with:
      role-to-assume: arn:aws:iam::123456789012:role/github-actions
      aws-region: us-east-1
  - id: ecr
    uses: aws-actions/amazon-ecr-login@v2
  - uses: docker/build-push-action@v6
    with:
      push: true
      tags: ${{ steps.ecr.outputs.registry }}/app:latest

Inputs

InputDescriptionDefaultRequired
registriesSpecific registry IDs to log in to.defaultNo
mask-passwordMask the returned password in logs.trueNo

Outputs

OutputDescription
registryThe ECR registry URI to prefix image tags with.

Notes

This action must run after configure-aws-credentials so AWS credentials are present.

Common errors

  • no basic auth credentials on push means ecr-login did not run or AWS credentials were not configured first.
  • An access-denied error usually means the IAM role lacks ecr:GetAuthorizationToken or the push/pull permissions.

Security and pinning

  • Grant the role only the ECR permissions it needs. Keep mask-password on so the token never appears in logs.

Alternatives and related

Frequently asked questions

Why does my ECR push say no basic auth credentials?
Run amazon-ecr-login (after configure-aws-credentials) before the push, and tag the image with the registry output.
Running aws-actions/amazon-ecr-login? Run it on Latchkey managed runners - self-healing and caching included. Start free → 30-day trial · No credit card