aws-actions/amazon-ecr-login
Log in to Amazon ECR so a workflow can pull and push container images.
What it does
aws-actions/amazon-ecr-login logs the Docker CLI into ECR using the AWS credentials configured earlier in the job, so build and push steps can use your ECR registry.
It outputs the registry URL to build the full image tag.
Usage
workflow (.yml)
steps:
- uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: arn:aws:iam::123456789012:role/github-actions
aws-region: us-east-1
- id: ecr
uses: aws-actions/amazon-ecr-login@v2
- uses: docker/build-push-action@v6
with:
push: true
tags: ${{ steps.ecr.outputs.registry }}/app:latestInputs
| Input | Description | Default | Required |
|---|---|---|---|
registries | Specific registry IDs to log in to. | default | No |
mask-password | Mask the returned password in logs. | true | No |
Outputs
| Output | Description |
|---|---|
registry | The ECR registry URI to prefix image tags with. |
Notes
This action must run after configure-aws-credentials so AWS credentials are present.
Common errors
no basic auth credentialson push means ecr-login did not run or AWS credentials were not configured first.- An access-denied error usually means the IAM role lacks
ecr:GetAuthorizationTokenor the push/pull permissions.
Security and pinning
- Grant the role only the ECR permissions it needs. Keep
mask-passwordon so the token never appears in logs.
Alternatives and related
aws-actions/configure-aws-credentialsAuthenticate to AWS in a workflow, ideally by assuming a role with OIDC (no stored keys).
docker/login-actionLog in to Docker Hub, GHCR, ECR, or any registry before pushing an image.
Frequently asked questions
Why does my ECR push say no basic auth credentials?
Run amazon-ecr-login (after configure-aws-credentials) before the push, and tag the image with the
registry output.