AWS CLI ECR list-images, get newest
Introduction
Getting the newest image from ECR with AWS CLI is easiest with describe-images, not list-images. list-images returns identifiers but no push timestamps, so it cannot determine recency by itself. Use timestamp fields from describe-images, sort, and extract the latest tag or digest.
Why list-images Is Not Enough
list-images is lightweight and useful for inventory, but it omits imagePushedAt. To get the newest image reliably, query image details with describe-images and sort by push time.
The result includes tags and digests only. Without push timestamps, newest selection is ambiguous.
Get Latest Tag with describe-images
Use JMESPath sort_by on imagePushedAt and pick the last item; sort_by orders ascending, so the last element is the most recently pushed image.
If images can have multiple tags, you may prefer digest output for stability.
Digest-based deployments avoid tag mutation issues.
Filter by Tagged Images and Handle Untagged Entries
Repositories often contain untagged images from CI cleanup policies. Filter results so your query targets deployable images only.
This output is useful for audit logs and release scripts.
Pagination and Automation Safety
For large repositories, CLI pagination may return partial data if not handled carefully. In automation, keep the CLI's default auto-pagination enabled (do not pass --no-paginate) or loop pages explicitly with an SDK paginator. Also fail fast when no images exist.
This pattern keeps deployment scripts deterministic and debuggable.
CI Pipeline Integration Pattern
In deployment pipelines, retrieve newest digest and pass it explicitly to infrastructure steps instead of relying on mutable tags. This makes rollbacks reproducible and audit trails clearer. A common pattern is writing digest output to environment files consumed by later stages.
If multiple tags can point to one digest, emit both digest and chosen tag in logs for traceability. Also include registry URI and region so cross-account automation stays explicit.
Time-based Filtering for Release Windows
Some teams deploy only images pushed after a cutoff timestamp. You can combine CLI queries with shell filters, but SDK scripts are safer for complex logic. Keep timezone handling explicit and normalize to UTC.
Review this output in incident response to confirm exactly which artifact was selected.
For cross-account registries, ensure your role session has explicit ECR read permissions in the target account and region. Many newest-image failures in CI are permission or region mismatches rather than query errors. Always log the account ID and region at runtime for faster triage.
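The selection logic described in the sections above (sort by imagePushedAt, keep only TAGGED images, apply a release-window cutoff normalized to UTC, fail fast when nothing qualifies, emit digest and tag together) as an added Python example that is not from the original article. It consumes the JSON that `aws ecr describe-images --output json` returns; the repository name, registry ID, digests and timestamps below are constructed sample data.

```python
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed sample shaped like `aws ecr describe-images --output json`.
# Hypothetical repository; registry ID, digests and timestamps are made up.
SAMPLE_RESPONSE = json.dumps({"imageDetails": [
    {"registryId": "111122223333", "repositoryName": "example/app",
     "imageDigest": "sha256:" + "a" * 64, "imageTags": ["1.0.0", "latest"],
     "imagePushedAt": "2024-05-01T10:00:00+00:00"},
    {"registryId": "111122223333", "repositoryName": "example/app",
     "imageDigest": "sha256:" + "b" * 64,            # untagged CI leftover
     "imagePushedAt": "2024-05-03T09:00:00+00:00"},
    {"registryId": "111122223333", "repositoryName": "example/app",
     "imageDigest": "sha256:" + "c" * 64, "imageTags": ["1.0.1"],
     "imagePushedAt": "2024-05-02T06:30:00-05:00"},  # 11:30 UTC
]})

def to_utc(ts: str) -> datetime:
    """Parse an ISO-8601 imagePushedAt value and normalize it to UTC."""
    return datetime.fromisoformat(ts).astimezone(timezone.utc)

def newest_image(response_json: str, tagged_only: bool = True,
                 pushed_after: Optional[datetime] = None) -> dict:
    """Pick the newest image by push time, as a JMESPath sort_by would.

    tagged_only mimics --filter tagStatus=TAGGED; pushed_after implements a
    release-window cutoff. Raises RuntimeError when nothing qualifies so a
    pipeline fails fast instead of deploying an empty digest.
    """
    candidates = []
    for d in json.loads(response_json).get("imageDetails", []):
        tags = d.get("imageTags", [])
        if tagged_only and not tags:
            continue
        pushed = to_utc(d["imagePushedAt"])
        if pushed_after is not None and pushed <= pushed_after:
            continue
        candidates.append((pushed, d, tags))
    if not candidates:
        raise RuntimeError("no qualifying images in repository")
    pushed, d, tags = max(candidates, key=lambda c: c[0])
    return {"digest": d["imageDigest"],
            "tag": sorted(tags)[0] if tags else None,  # stable pick among tags
            "pushed_at": pushed.isoformat(),
            "registry_id": d["registryId"], "repository": d["repositoryName"]}

if __name__ == "__main__":
    sel = newest_image(SAMPLE_RESPONSE)  # emit digest and tag for later stages
    print(f"IMAGE_DIGEST={sel['digest']}\nIMAGE_TAG={sel['tag']}")
```

With tagged_only=False the untagged CI leftover wins, which is exactly the surprise the TAGGED filter prevents.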
Common Pitfalls
- Using list-images and expecting push time metadata.
- Assuming tag order equals push order.
- Deploying latest mutable tag instead of immutable digest.
- Ignoring untagged images and getting unexpected query results.
- Skipping empty-repository checks in CI pipelines.
Summary
- Use describe-images to access imagePushedAt and choose the newest artifacts.
- Sort by timestamp and select tag or digest based on deployment policy.
- Filter TAGGED images for predictable output.
- Add safeguards for empty repositories and scripting errors.
- Prefer digests when reproducibility matters.