1. Resources
  2. /
  3. Plugins
  4. /
  5. ecr-buildkite-plugin

ECR Buildkite Plugin Build status

A Buildkite plugin to login to an ECR repository before running a build step.

This will use standard AWS credentials available in the environment, or as an instance role or task role as available. These must be granted appropriate permissions for login to succeed and for push and pull to operate.

Example

This will perform a docker login to your ECR registries prior to running your step commands.

steps:
  - command: ./run_build.sh
    plugins:
      - ecr#v2.10.0: ~

If you want to log in to ECR on another account:

steps:
  - command: ./run_build.sh
    plugins:
      - ecr#v2.10.0:
          account-ids: "0015615400570"
          region: "ap-southeast-2"

If you need to assume a role to perform that login:

steps:
  - command: ./run_build.sh
    plugins:
      - ecr#v2.10.0:
          account-ids: "0015615400570"
          region: "ap-southeast-2"
          assume_role:
            role_arn: "arn:aws:iam::0015615400570:role/demo"

Using ECR Credential Helper

You can use the Amazon ECR credential helper instead of the traditional AWS CLI login methods. This provides automatic credential management and better performance through caching:

steps:
  - command: ./run_build.sh
    plugins:
      - ecr#v2.10.0:
          credential-helper: true

The credential helper works with any ECR registries you have access to, without needing to specify account IDs (though you can still specify them for explicit control):

steps:
  - command: ./run_build.sh
    plugins:
      - ecr#v2.10.0:
          credential-helper: true
          account-ids:
            - "123456789012"
            - "public.ecr.aws"

Options

login (optional)

Whether to login to your account’s ECR. Defaults to true. Set to false to disable ECR authentication.

credential-helper (optional)

Use the Amazon ECR credential helper instead of AWS CLI ECR login methods.

Requires the amazon-ecr-credential-helper binary to be installed and available in PATH.

account-ids (optional)

Either a string, or a list of strings with AWS account IDs that correspond to the Amazon ECR registries that you want to log in to. Make sure to quote these if they start with a 0.

If not specified, the plugin automatically uses your current AWS account ID (obtained via aws sts get-caller-identity).

You can use the literal public.ecr.aws as a value to authenticate against the AWS ECR Public, which hosts publicly available container images. This is useful when you need to push to or pull from public ECR repositories. Note that public ECR authentication always uses the us-east-1 region regardless of your configured region.

:warning: If you are using the Amazon ECR Credential Helper in your Docker configuration it is possible you have to add https:// to your account IDs to prevent an error (see the corresponding bug report for more information).

no-include-email (optional)

Obsolete if using AWS CLI version 1.17.10 or newer.

Add --no-include-email to ecr get-login. Required for Docker 17.06+, but needs aws-cli 1.11.91+.

region (optional)

Set a specific region for ECR, defaults to AWS_DEFAULT_REGION on the agent, or us-east-1 if none specified.

retries (optional)

Retries login after a delay N times. Defaults to 0.

assume-role (optional)

Updates AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN environment variables.

Assume an AWS IAM role before ECR login. Supports role-arn and duration-seconds (optional) per the associated AWS CLI command.

profile (optional)

Requires AWS CLI version 1.17.10 or greater.

Use a different AWS profile from the default during ECR login.

Developing

Use docker to run the Plugin Tester:

docker run --rm -ti -v "${PWD}":/plugin buildkite/plugin-tester:latest

License

MIT (see LICENSE)

The plugins listed on this webpage are provided for informational purposes only. They have not undergone any formal security review or assessment. While we strive to provide useful resources, we cannot guarantee the safety, reliability, or integrity of these plugins. Users are strongly advised to conduct their own security evaluations before downloading, installing, or using any plugin. By using these plugins, you acknowledge and accept any risks associated with their use. We disclaim any liability for any harm or damages arising from the use of the plugins listed.

Start turning complexity into an advantage

Create an account to get started with a 30-day free trial. No credit card required.

Buildkite Pipelines

Platform

  1. Pipelines
  2. Public pipelines
  3. Test Engine
  4. Package Registries
  5. Mobile Delivery Cloud
  6. Pricing

Hosting options

  1. Self-hosted agents
  2. Mac hosted agents
  3. Linux hosted agents

Resources

  1. Docs
  2. Blog
  3. Changelog
  4. Example pipelines
  5. Plugins
  6. Webinars
  7. Case studies
  8. Events
  9. Migration Services
  10. Comparisons

Company

  1. About
  2. Careers
  3. Press
  4. Security
  5. Brand assets
  6. Contact

Solutions

  1. Replace Jenkins
  2. Workflows for AI/ML
  3. Testing at scale
  4. Monorepo mojo
  5. Bazel orchestration

Legal

  1. Terms of Service
  2. Acceptable Use Policy
  3. Privacy Policy
  4. Subprocessors
  5. Service Level Agreement

Support

  1. System status
  2. Forum
© Buildkite Pty Ltd 2025