Is there a way to do pre: or similar at the docker: stage for ECR?



I’d like to run the ECR login command and extract the username/password. Then I could use the normal private docker image settings on the docker: section. Is there a way to do something like that?

I’d like to do this:

  - image: acme-private/private-image:321
    username: aws-ecr-user  # extracted from ECR login command
    password: aws-ecr-password  # also extracted from ECR login command


I have a similar issue:

Don’t know a solution yet


See my answer to the other thread:


Support for ECR in CircleCI 2.0 is on the roadmap.

@fvanderwerf Do you have a working example of that with a config.yml?


I would like to do this too. It seems a very basic functionality. Can someone post a working config.yml for this please? Presumably it includes a shell script to make the ecr-credential-helper work but guidance much appreciated.


Hello, I got this working with the following config.yml. It’s perhaps a bit messy so let me know if there’s a better way, but it works because the appropriate password is returned as the sixth argument returned by the aws-credential-helper (i.e. the “f” character), and the username as the fourth (i.e. the “d” character):

version: 2
      - image: $AWS_ACCOUNT_ID.dkr.ecr.$$AWS_ECS_REPOSITORY_NAME:latest
          username: $(read a b c d e f g <<<$(aws ecr get-login --no-include-email --region $AWS_DEFAULT_REGION) ; echo "$d";)
          password: $(read a b c d e f g <<<$(aws ecr get-login --no-include-email --region $AWS_DEFAULT_REGION) ; echo "$f";)
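The workaround above picks the username and password out of the `aws ecr get-login` output by word position (fourth and sixth word). The same extraction done by flag, so that an unexpected output format fails closed instead of silently yielding the wrong word, is sketched below as an added example that is not part of the original thread; the function name `ecr_login_field` and the sample login line (fake token, placeholder account ID) are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of what `aws ecr get-login --no-include-email` prints.
SAMPLE_LOGIN='docker login -u AWS -p ZXhhbXBsZS10b2tlbg== https://123456789012.dkr.ecr.us-east-1.amazonaws.com'

# ecr_login_field FIELD LOGIN_LINE
# FIELD is username, password or registry. Prints the value, or returns
# non-zero if LOGIN_LINE is not a well-formed `docker login` command.
ecr_login_field() {
  _want=$1
  set -f                 # no globbing while the line is word-split
  set -- $2
  set +f
  [ "$1" = docker ] && [ "$2" = login ] || return 2
  shift 2
  _user= _pass= _reg=
  while [ $# -gt 0 ]; do
    case $1 in
      -u|-p|-e)          # -e is the legacy "-e none" email flag
        [ $# -ge 2 ] || return 2        # flag without a value
        case $1 in -u) _user=$2 ;; -p) _pass=$2 ;; esac
        shift 2 ;;
      -*) return 2 ;;                   # unknown flag: fail closed
      *)  _reg=$1; shift ;;
    esac
  done
  case $_want in
    username) [ -n "$_user" ] && printf '%s\n' "$_user" ;;
    password) [ -n "$_pass" ] && printf '%s\n' "$_pass" ;;
    registry) [ -n "$_reg" ]  && printf '%s\n' "$_reg" ;;
    *) return 2 ;;
  esac
}

# Demo on the constructed line; the password is deliberately not printed,
# since anything echoed here would end up in the CI build log.
printf 'username=%s registry=%s\n' \
  "$(ecr_login_field username "$SAMPLE_LOGIN")" \
  "$(ecr_login_field registry "$SAMPLE_LOGIN")"
```

In AWS CLI v2 the `get-login` subcommand no longer exists; `aws ecr get-login-password` prints only the token, and the username is always `AWS`.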


@aidanrussell This is a genius workaround! Thanks a lot for this :thumbsup:


@aidanrussell The fact that you got that workaround to work is… incredible. Props.

We’ve launched official support for authenticating to ECR now:


@FelicianoTech Hooray! Much cleaner :relaxed:


Can we still use dynamic values as in AIDANRUSSELL’s solution? I have two ECR repos. A development and a production. So my key/secret will be different depending on which branch I am pushing. How can we make the key/secret dynamic?


Take a look at the docs. I think the best way to do what you want, keeping things “official”, is to use a different job for each environment. Then, you can use a different set of environment variables for your AWS creds.


That seems extremely inefficient and redundant. So we’d have to completely duplicate the job just to use different keys?


With YAML anchors, yes. Or do what you asked if you could keep doing. Just giving you another option.