Skip to content
Latchkey

aws ecr get-login-password: Log Docker into ECR in CI

Print a 12-hour ECR auth token to pipe into docker login.

aws ecr get-login-password outputs a temporary password (valid ~12 hours) for the ECR registry. The canonical pattern pipes it into docker login so CI can push and pull container images. It replaced the deprecated aws ecr get-login.

Common flags

  • --region - the ECR registry region (must match the registry URL)
  • | docker login --username AWS --password-stdin <acct>.dkr.ecr.<region>.amazonaws.com - the standard pipe

Example in CI

Authenticate Docker to ECR before pushing an image.

shell
aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin ${AWS_ACCOUNT_ID}.dkr.ecr.us-east-1.amazonaws.com

Common errors in CI

  • An error occurred (AccessDeniedException) - role lacks ecr:GetAuthorizationToken
  • Error saving credentials - no Docker credential helper or unwritable config
  • denied: requested access to the resource is denied - login succeeded but push needs ecr:PutImage
  • Unable to locate credentials - OIDC role not assumed before the call

Key takeaways

  • Pipe get-login-password into docker login --password-stdin to auth ECR.
  • The token needs ecr:GetAuthorizationToken; pushing additionally needs ecr:PutImage.
  • Use OIDC role auth in GitHub Actions so no static keys back the login.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →