Skip to content
Latchkey

aws ecr get-login-password: Docker Login & CI Errors

Authenticate Docker to Amazon ECR with a short-lived token.

aws ecr get-login-password prints a temporary password you pipe into docker login to authenticate against an ECR registry. It replaces the deprecated aws ecr get-login and is the standard ECR auth step in CI.

What it does

The command returns a 12-hour authorization token for ECR. You pipe it to docker login with the username AWS and your registry host (<account>.dkr.ecr.<region>.amazonaws.com). After that, docker push/pull to that registry works until the token expires.

Common usage

Terminal
# Authenticate Docker to ECR (the canonical one-liner)
aws ecr get-login-password --region us-east-1 \
  | docker login --username AWS \
      --password-stdin 123456789012.dkr.ecr.us-east-1.amazonaws.com

# Then push an image
docker push 123456789012.dkr.ecr.us-east-1.amazonaws.com/my-app:latest

Common error in CI: region mismatch / not authorized to perform ecr:GetAuthorizationToken

Login fails with "denied: Your authorization token has expired" or "not authorized to perform: ecr:GetAuthorizationToken", and pushes fail with "no basic auth credentials" when the registry host region does not match --region. Fix: the --region in get-login-password must match the region in the registry hostname, and the CI role needs ecr:GetAuthorizationToken (account-level) plus ecr:BatchCheckLayerAvailability / PutImage / InitiateLayerUpload on the repo. Re-run get-login-password if a long job outlives the 12h token.

Key options

OptionPurpose
--regionMust match the registry hostname region
--registry-idsAuth to another account’s registry
| docker login --password-stdinPipe the token securely (no history)

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →