aws ecr get-login-password: Log Docker into ECR in CI
Print a 12-hour ECR auth token to pipe into docker login.
aws ecr get-login-password outputs a temporary password (valid ~12 hours) for the ECR registry. The canonical pattern pipes it into docker login so CI can push and pull container images. It replaced the deprecated aws ecr get-login.
Common flags
--region- the ECR registry region (must match the registry URL)| docker login --username AWS --password-stdin <acct>.dkr.ecr.<region>.amazonaws.com- the standard pipe
Example in CI
Authenticate Docker to ECR before pushing an image.
shell
aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin ${AWS_ACCOUNT_ID}.dkr.ecr.us-east-1.amazonaws.comCommon errors in CI
- An error occurred (AccessDeniedException) - role lacks ecr:GetAuthorizationToken
- Error saving credentials - no Docker credential helper or unwritable config
- denied: requested access to the resource is denied - login succeeded but push needs ecr:PutImage
- Unable to locate credentials - OIDC role not assumed before the call
Key takeaways
- Pipe get-login-password into docker login --password-stdin to auth ECR.
- The token needs ecr:GetAuthorizationToken; pushing additionally needs ecr:PutImage.
- Use OIDC role auth in GitHub Actions so no static keys back the login.
Related guides
aws ecr describe-repositories: Inspect ECR Repos in CIaws ecr describe-repositories lists ECR repositories and their URIs. Learn the repository-names and query fla…
aws ecs update-service: Deploy to ECS in CIaws ecs update-service triggers a new ECS deployment with an updated task definition. Learn the force-new-dep…
aws sts get-caller-identity: Verify AWS Auth in CIaws sts get-caller-identity returns the account, user, and ARN for the current credentials. Use it to verify…