Ways to Authenticate for Pull/Push Private Container Images from AWS
There are several ways to authenticate to ECR. The ones I know of so far are a manual `docker login` and a credential helper.
To log in manually, you can simply run these commands on your device:

```bash
# this assumes you're using the default profile or have exported the AWS_ environment variables
aws ecr get-login-password | docker login --username AWS --password-stdin <AWS_ACCOUNT_ID>.dkr.ecr.<AWS_REGION>.amazonaws.com
# with a different profile
AWS_PROFILE=another aws ecr get-login-password | docker login --username AWS --password-stdin <AWS_ACCOUNT_ID>.dkr.ecr.<AWS_REGION>.amazonaws.com
# now pull and push as usual
docker pull <AWS_ACCOUNT_ID>.dkr.ecr.<AWS_REGION>.amazonaws.com/some/image:version
docker push <AWS_ACCOUNT_ID>.dkr.ecr.<AWS_REGION>.amazonaws.com/some/image:version
```
You will then have short-lived (12 hours) Docker credentials stored on your device. Once they expire, you will get a token-expired error and will need to run the same commands again.
Another way is to let a credential helper manage the token for you. First, install the credential helper on your device. The credential helper allows you to use credentials from:

- the shared credentials file (`~/.aws/credentials`)
- the `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` environment variables
- an IAM role for an Amazon ECS task
- an IAM role for Amazon EC2
After you install the AWS credential helper on your local device, update your `~/.docker/config.json` with these entries:

```json
{
  ...
  "credHelpers": {
    "<AWS_ACCOUNT_ID>.dkr.ecr.<AWS_REGION>.amazonaws.com": "ecr-login"
  },
  "credsStore": "ecr-login",
  ...
}
```
Then you can just run directly:

```bash
docker pull <AWS_ACCOUNT_ID>.dkr.ecr.<AWS_REGION>.amazonaws.com/some/image:version
docker push <AWS_ACCOUNT_ID>.dkr.ecr.<AWS_REGION>.amazonaws.com/some/image:version
```
And that's it: no need to run `aws ecr get-login-password` every time the token expires; `ecr-login` will rotate it for you.
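A practical check that follows from the two methods above: a manual `docker login` leaves the 12-hour token in `~/.docker/config.json` under `auths` (base64 of `AWS:<token>`), whereas a registry routed to `ecr-login` stores nothing. The helper below is an added example, not code from the original post; it mirrors Docker's lookup order (`credHelpers` per registry, then `credsStore`, then `auths`) and uses a constructed config with a placeholder account ID and regions.

```python
import base64
import json

# Constructed sample of ~/.docker/config.json (placeholder account ID / regions).
# Only one region is wired to the helper; the other has a leftover manual login.
REGISTRY = "123456789012.dkr.ecr.us-east-1.amazonaws.com"
OTHER_REGION = "123456789012.dkr.ecr.eu-west-1.amazonaws.com"
SAMPLE_CONFIG = json.dumps({
    "auths": {
        OTHER_REGION: {"auth": base64.b64encode(b"AWS:constructed-token").decode()},
    },
    "credHelpers": {REGISTRY: "ecr-login"},
})


def auth_method(config_text: str, registry: str) -> str:
    """Return how docker would obtain credentials for `registry`:
    'credHelpers:<name>', 'credsStore:<name>', 'auths' (static token in the
    file), or 'none'. Order matches Docker's credential resolution."""
    cfg = json.loads(config_text)
    helper = cfg.get("credHelpers", {}).get(registry)
    if helper:
        return f"credHelpers:{helper}"
    store = cfg.get("credsStore")
    if store:
        return f"credsStore:{store}"
    if cfg.get("auths", {}).get(registry, {}).get("auth"):
        return "auths"
    return "none"


def stored_ecr_tokens(config_text: str) -> list:
    """List registries whose static `auths` entry is an ECR login
    (base64 of 'AWS:<token>') that no helper supersedes. These are the
    short-lived tokens a manual `docker login` leaves on disk."""
    cfg = json.loads(config_text)
    found = []
    for reg, entry in cfg.get("auths", {}).items():
        if auth_method(config_text, reg) != "auths":
            continue  # a helper or store handles this registry instead
        try:
            raw = base64.b64decode(entry.get("auth", "")).decode()
        except (ValueError, UnicodeDecodeError):
            continue  # not a base64 user:password pair
        if raw.startswith("AWS:"):
            found.append(reg)
    return found
```

Run `stored_ecr_tokens(open(os.path.expanduser("~/.docker/config.json")).read())` against a real file to see which ECR registries still rely on a manually obtained token.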