How to Push a Docker Image to Amazon ECR in CI
aws-actions/amazon-ecr-login exchanges AWS credentials for a Docker login token scoped to your ECR registry.
Configure AWS credentials (ideally via OIDC), run aws-actions/amazon-ecr-login to authenticate Docker, then push to <account>.dkr.ecr.<region>.amazonaws.com/<repo>.
Steps
- Configure AWS credentials with
configure-aws-credentials(OIDC role recommended). - Run
amazon-ecr-login, which writes a Docker auth entry for the registry. - Build and push using the
registryoutput as the image prefix.
Workflow
.github/workflows/docker.yml
permissions:
id-token: write
contents: read
jobs:
push:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: arn:aws:iam::123456789012:role/gha-ecr
aws-region: us-east-1
- id: ecr
uses: aws-actions/amazon-ecr-login@v2
- uses: docker/build-push-action@v6
with:
push: true
tags: ${{ steps.ecr.outputs.registry }}/myapp:${{ github.sha }}Gotchas
- The ECR repository must already exist; ECR does not create it on first push.
- The ECR login token expires after 12 hours, which is fine for a single CI run.
Related guides
How to Push a Docker Image to Docker Hub in CILog in to Docker Hub in CI with a scoped access token and push a built image, avoiding anonymous pull rate li…
How to Push by Digest and Create a Manifest List in CIBuild each architecture in a separate CI job, push it by digest, then merge the digests into one multi-arch m…