How to Reference AWS ECR Images in Dockerfile FROM Directive: Best Practices for Private Repository Access



When working with AWS Elastic Container Registry (ECR), developers often encounter authentication challenges when trying to reference images in their Dockerfiles. The error message "repository mycompany not found: does not exist or no pull access" typically indicates one of three issues:

  1. Incorrect image URI format
  2. Missing authentication
  3. IAM permissions issues

The correct syntax for referencing an ECR image in a Dockerfile requires using the full repository URI. Here's the proper format:

FROM 1234567890.dkr.ecr.us-west-2.amazonaws.com/mycompany:latest

This differs from public Docker Hub references where you can omit the registry domain. ECR requires the full path.

Before building, you must authenticate with ECR. The AWS CLI provides a helper command:

aws ecr get-login-password --region us-west-2 | docker login \
  --username AWS \
  --password-stdin 1234567890.dkr.ecr.us-west-2.amazonaws.com

This generates a temporary token valid for 12 hours. For CI/CD pipelines, consider automating this authentication.

Effective tagging helps manage images in ECR:

# Production-ready image
FROM 1234567890.dkr.ecr.us-west-2.amazonaws.com/mycompany:1.2.3

# Development branch
FROM 1234567890.dkr.ecr.us-west-2.amazonaws.com/mycompany:dev-branch

# By commit hash
FROM 1234567890.dkr.ecr.us-west-2.amazonaws.com/mycompany:sha-abc123

Avoid using just "latest" as it makes rollbacks and debugging harder.

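Ensure your IAM user/role has these essential permissions. ecr:GetAuthorizationToken is the call behind aws ecr get-login-password and only accepts "Resource": "*"; the pull actions can be scoped to the repository being pulled:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ecr:GetAuthorizationToken",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "ecr:BatchCheckLayerAvailability"
      ],
      "Resource": "arn:aws:ecr:us-west-2:1234567890:repository/mycompany"
    }
  ]
}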

Here's a full example demonstrating proper ECR usage:

# Dockerfile
FROM 1234567890.dkr.ecr.us-west-2.amazonaws.com/mycompany:1.2.3

RUN apt-get update && apt-get install -y chef-zero

# Build command
# First authenticate, then build
aws ecr get-login-password --region us-west-2 | docker login \
  --username AWS --password-stdin 1234567890.dkr.ecr.us-west-2.amazonaws.com

docker build -t myapp .

If you still encounter issues:

  • Verify your AWS credentials are properly configured
  • Check the ECR repository exists in the specified region
  • Confirm the image tag exists in the repository
  • Validate network connectivity to ECR endpoints

When working with AWS ECR (Elastic Container Registry), many developers encounter authentication and reference issues when trying to use ECR images as base images in their Dockerfiles. The error message "repository mycompany not found: does not exist or no pull access" typically occurs due to incorrect image referencing.

Instead of using just the repository name, you need to specify the full ECR repository URI in your Dockerfile:

FROM 1234567890.dkr.ecr.us-west-2.amazonaws.com/mycompany:latest

This format includes all necessary components:

  • AWS account ID
  • ECR domain
  • Region
  • Repository name
  • Image tag

Even with the correct FROM syntax, you'll need proper authentication. The ECR login command you used is correct, but it's better to use the newer version:

aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin 1234567890.dkr.ecr.us-west-2.amazonaws.com

For ECR images, consider these tagging conventions:

# Semantic versioning
1234567890.dkr.ecr.us-west-2.amazonaws.com/mycompany:1.2.3

# Environment specific
1234567890.dkr.ecr.us-west-2.amazonaws.com/mycompany:prod-latest

# Git commit based
1234567890.dkr.ecr.us-west-2.amazonaws.com/mycompany:git-a1b2c3d

Here's a full Dockerfile example that works with ECR:

# Use the full ECR repository URI
FROM 1234567890.dkr.ecr.us-west-2.amazonaws.com/mycompany:1.0.0

# Install additional packages
RUN apt-get update && apt-get install -y \
    chef-zero \
    && rm -rf /var/lib/apt/lists/*

# Your application setup
COPY . /app
WORKDIR /app
CMD ["python", "app.py"]

If you still encounter problems:

  1. Verify your AWS credentials have ECR permissions
  2. Check that the image exists in your ECR repository
  3. Ensure you're using the correct region in both the URI and login command
  4. Confirm your Docker client can reach ECR (network/firewall issues)
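
The reference checks from the troubleshooting lists above, as an added example that is not part of the original article: a POSIX shell function (lint_ecr_from is a hypothetical name) that reports FROM lines that are not full ECR URIs, that name a region other than the one used for docker login, or that resolve to latest. It assumes every base image is expected to come from ECR and is referenced by tag; the sample Dockerfile is constructed.

```shell
# Added example, not from the original article: lint a Dockerfile's FROM lines.
# Assumptions: every base image should come from ECR and is referenced by tag.
# Reference shape: <account>.dkr.ecr.<region>.amazonaws.com/<repository>[:<tag>]
ECR_RE='^([0-9]+)\.dkr\.ecr\.([a-z0-9-]+)\.amazonaws\.com/([^:]+)(:(.+))?$'
# lint_ecr_from LOGIN_REGION < Dockerfile
# Prints "finding<TAB>reference" per problem; returns non-zero if any were found.
lint_ecr_from() {
  login_region=$1
  findings=0
  while IFS= read -r line; do
    case $line in FROM\ *) ;; *) continue ;; esac
    ref=
    for word in ${line#FROM }; do
      # Skip flags such as --platform=...; the next word is the image reference.
      case $word in --*) ;; *) ref=$word; break ;; esac
    done
    parsed=$(printf '%s\n' "$ref" | sed -nE "s#$ECR_RE#\2 \5#p")
    if [ -z "$parsed" ]; then
      # A bare name is looked up on Docker Hub: "does not exist or no pull access".
      printf 'not-full-ecr-uri\t%s\n' "$ref"
      findings=$((findings + 1))
      continue
    fi
    region=${parsed%% *}
    tag=${parsed#* }
    if [ "$region" != "$login_region" ]; then
      printf 'region-mismatch\t%s\n' "$ref"
      findings=$((findings + 1))
    fi
    case $tag in
      ''|latest)  # no tag means :latest, which the article advises against
        printf 'latest-tag\t%s\n' "$ref"
        findings=$((findings + 1)) ;;
    esac
  done
  [ "$findings" -eq 0 ]
}

# Constructed sample input: one correct reference and three faulty ones.
sample_dockerfile() {
  cat <<'EOF'
FROM mycompany:latest
FROM 1234567890.dkr.ecr.us-west-2.amazonaws.com/mycompany:1.2.3 AS build
FROM 1234567890.dkr.ecr.us-east-1.amazonaws.com/mycompany:1.2.3
FROM --platform=linux/amd64 1234567890.dkr.ecr.us-west-2.amazonaws.com/mycompany:latest
EOF
}

sample_dockerfile | lint_ecr_from us-west-2 || echo "fix the references above before docker build"
```

Run against a real file as lint_ecr_from us-west-2 < Dockerfile, passing the same region given to aws ecr get-login-password.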

For CI/CD pipelines, you might want to automate the ECR login:

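#!/bin/bash
# Stop at the first failed step so a failed login or build never pushes a stale image
set -euo pipefail

# Get ECR login token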
aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin 1234567890.dkr.ecr.us-west-2.amazonaws.com

# Build the image
docker build -t my-app .

# Tag and push to ECR
docker tag my-app:latest 1234567890.dkr.ecr.us-west-2.amazonaws.com/mycompany:latest
docker push 1234567890.dkr.ecr.us-west-2.amazonaws.com/mycompany:latest