AWS ECR with Gradle

AWS Elastic Container Registry is a registry service for Docker images. It supports the Docker API for registries and therefore can be used with docker pull, docker push, etc. It also works with Gradle plugins such as gradle-docker-plugin.

The authentication mechanism proves to be a challenge though. ECR requires a temporary token to be obtained using IAM credentials in order to use the registry. This doesn’t work well for CI tools because the token has a 24-hour expiry. It is also cumbersome for developer use to request a new token every 24 hours.


One solution is to use a Gradle plugin that will manage the ECR token, requesting it using AWS credentials. This post describes the use of the gradle-aws-ecr-plugin that will manage ECR tokens for you.

The plugin uses the AWS SDK for Java. This means it will use the ~/.aws/credentials file if available. Environment variables or Java system properties may also be used.

IAM Policy

As of this writing, I could not find a security policy to attach to a group or user to allow read/write access to ECR. You can use the following inline policy, but note this allows all access. A discussion of security around ECR is out of the scope of this writing, but you may want to look into restricting this to only allowing read/write to your repositories.

    "Version": "2012-10-17",
    "Statement": [
            "Sid": "Stmt1461121381000",
            "Effect": "Allow",
            "Action": [
            "Resource": [


Using the plugin is straightforward. You will need both the gradle-docker-plugin and gradle-aws-ecr-plugin.

plugins {
  id "com.bmuschko.docker-remote-api" version "3.0.6"
  id "com.patdouble.awsecr" version "0.3.2"

Then set the Docker registry to your ECR URL. The URL is given by the AWS ECR console. Note that this clause is defined by the gradle-docker-plugin. Neither username nor password should be set, the gradle-aws-ecr-plugin will handle that.

docker {
    registryCredentials {
        url # ''

AWS Credential Store

The plugin uses the AWS SDK to get credentials by default, read for details. We’ll provide snippets here of how it works.

$ aws configure
AWS Access Key ID [None]: accesskey
AWS Secret Access Key [None]: secretkey
Default region name [None]: us-west-2
Default output format [None]:
$ ./gradlew  ...

Environment Variables

Most CI tools use environment variables for configuration. You can do this for your AWS credentials. Make sure your CI tool obfuscates the secret in logs and other displays.

$ export AWS*ACCESS_KEY*ID=accesskey
$ export AWS*SECRET_ACCESS*KEY=secretkey
$ ./gradlew  ...

System Properties

You can pass system properties to Gradle. Remember that command lines, including arguments, can generally be seen with system tools available to regular users. This is likely only useful for local testing.

$ ./gradlew -Daws.accessKeyId=accesskey -Daws.secretKey=secretkey ...

Gradle Configuration

In addition to the AWS SDK, the plugin will also take credentials as project properties.

$ ./gradlew -PawsAccessKeyId=accesskey -PawsSecretAccessKey=secretkey ...

Docker Tasks

All Docker tasks such as DockerPullImage, DockerPushImage, etc. that are configured with the ECR registry URL will get a temporary ECR token. No further configuration is necessary. It is possible to set the registry URL for individual tasks. For those tasks with a registry that is not ECR, the username and password will not be set with an ECR token.


AWS ECR is a good private registry. Following the AWS pricing model, billing is per use for storage and data. However, the temporary tokens are a challenge that is neatly solved with the gradle-aws-ecr-plugin.

If you’d like to contribute to the plugin, either by filing bugs or enhancements, or a PR, see


Leave a Reply

Your email address will not be published. Required fields are marked *