Skip to content
Latchkey

How to Push a Docker Image to Amazon ECR in CI

aws-actions/amazon-ecr-login exchanges AWS credentials for a Docker login token scoped to your ECR registry.

Configure AWS credentials (ideally via OIDC), run aws-actions/amazon-ecr-login to authenticate Docker, then push to <account>.dkr.ecr.<region>.amazonaws.com/<repo>.

Steps

  • Configure AWS credentials with configure-aws-credentials (OIDC role recommended).
  • Run amazon-ecr-login, which writes a Docker auth entry for the registry.
  • Build and push using the registry output as the image prefix.

Workflow

.github/workflows/docker.yml
permissions:
  id-token: write
  contents: read
jobs:
  push:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/gha-ecr
          aws-region: us-east-1
      - id: ecr
        uses: aws-actions/amazon-ecr-login@v2
      - uses: docker/build-push-action@v6
        with:
          push: true
          tags: ${{ steps.ecr.outputs.registry }}/myapp:${{ github.sha }}

Gotchas

  • The ECR repository must already exist; ECR does not create it on first push.
  • The ECR login token expires after 12 hours, which is fine for a single CI run.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →