
AWS CLI ECR list-images, get newest


Introduction

Getting the newest image from ECR with the AWS CLI is easiest with describe-images, not list-images. list-images returns image identifiers (digest and tag) but no push timestamps, so it cannot determine recency on its own. Use the imagePushedAt field that describe-images returns, sort on it, and extract the latest tag or digest.

Why list-images Is Not Enough

list-images is lightweight and useful for inventory, but its imageIds entries carry only imageDigest and imageTag; there is no imagePushedAt. To find the newest image reliably, query the image details and sort by push time.

bash
aws ecr list-images \
  --repository-name my-repo \
  --region us-east-1

The result contains digests and tags only. Without push timestamps, choosing the newest image from it is guesswork.

Get Latest Tag with describe-images

Use JMESPath sort_by on imagePushedAt and pick the last element. sort_by orders the imagePushedAt values lexically as the CLI renders them (ISO 8601 strings, all in the same offset within one response), which matches push order.

bash
aws ecr describe-images \
  --repository-name my-repo \
  --region us-east-1 \
  --query "sort_by(imageDetails,& imagePushedAt)[-1].imageTags[0]" \
  --output text

imageTags[0] returns whichever tag the API lists first, and that order is not guaranteed. If images carry multiple tags (a version tag plus latest, say), prefer the digest, which identifies the image unambiguously.

bash
aws ecr describe-images \
  --repository-name my-repo \
  --region us-east-1 \
  --query "sort_by(imageDetails,& imagePushedAt)[-1].imageDigest" \
  --output text

Digest-based deployments avoid tag mutation issues.

Filter by Tagged Images and Handle Untagged Entries

Repositories often contain untagged images, for example the previous image left behind each time a mutable tag such as latest is re-pushed. Without a filter, the newest entry by push time may be one of those, and imageTags[0] then resolves to null (printed as None with --output text). Filter on tag status so the query targets deployable images only.

bash
aws ecr describe-images \
  --repository-name my-repo \
  --filter tagStatus=TAGGED \
  --region us-east-1 \
  --query "sort_by(imageDetails,& imagePushedAt)[-1].[imagePushedAt,imageTags[0],imageDigest]" \
  --output table

This output is useful for audit logs and release scripts.

Pagination and Automation Safety

For large repositories, describe-images returns its results in pages. The AWS CLI paginates automatically and applies --query to the merged result, so the sort sees every image; that guarantee goes away if you pass --no-paginate or --max-items, or if you fetch pages yourself with an SDK and sort each page separately instead of the merged list. Also fail fast when no tagged image exists: with --output text, a null query result is printed as the literal string None.

bash
set -euo pipefail   # abort on a failed aws call, an unset variable or a broken pipe

# Newest TAGGED image; --output text prints "None" when the query yields null
LATEST_TAG=$(aws ecr describe-images \
  --repository-name my-repo \
  --filter tagStatus=TAGGED \
  --query "sort_by(imageDetails,& imagePushedAt)[-1].imageTags[0]" \
  --output text)

if [ "$LATEST_TAG" = "None" ] || [ -z "$LATEST_TAG" ]; then
  echo "No tagged images found" >&2
  exit 1
fi

echo "Latest tag: $LATEST_TAG"

This pattern keeps deployment scripts deterministic and debuggable.
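The selection logic of the last four sections (sort on imagePushedAt, skip untagged entries, merge pages before sorting, fail on an empty repository, and emit a digest-pinned reference) written out as an added example in Python. It is not code from the page or from AWS; it processes the JSON that `aws ecr describe-images --output json` emits, or the same imageDetails list that boto3's describe_images paginator yields. The two response pages, the digests and the registry host are constructed for the example.

```python
import json
from datetime import datetime, timezone

# Hypothetical registry host, used only for the printed reference below.
REGISTRY = "123456789012.dkr.ecr.us-east-1.amazonaws.com"


def parse_pushed_at(value):
    """Return imagePushedAt as an aware UTC datetime.

    The CLI emits ISO 8601 strings with an offset ("2024-05-02T09:00:00+00:00"
    or "...Z"); boto3 hands back timezone-aware datetime objects. A naive value
    is rejected rather than guessed, so local time never gets compared to UTC.
    """
    if isinstance(value, str):
        value = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if value.tzinfo is None:
        raise ValueError(f"imagePushedAt without timezone: {value!r}")
    return value.astimezone(timezone.utc)


def newest_tagged_image(pages):
    """Pick the newest TAGGED image across all pages of describe-images output.

    pages: list of response dicts, each with an "imageDetails" list (one per
    page of a paginated call). Pages are merged before sorting because the
    newest image may sit on any page; taking [-1] of a single page is wrong.
    Untagged entries have no "imageTags" key and are skipped.
    Raises LookupError when no tagged image exists (empty-repository guard).
    """
    details = [d for page in pages for d in page.get("imageDetails", [])]
    tagged = [d for d in details if d.get("imageTags")]
    if not tagged:
        raise LookupError("no tagged images found")
    newest = max(tagged, key=lambda d: parse_pushed_at(d["imagePushedAt"]))
    return {
        "digest": newest["imageDigest"],
        # All tags, sorted: imageTags[0] in the CLI query is an arbitrary pick.
        "tags": sorted(newest["imageTags"]),
        "pushedAt": parse_pushed_at(newest["imagePushedAt"]).isoformat(),
    }


def immutable_reference(registry, repository, digest):
    """Digest-pinned image reference for deploy steps (immune to tag moves)."""
    return f"{registry}/{repository}@{digest}"


# Constructed sample: two pages as a paginated describe-images call returns them.
# The newest tagged image is on page 1; the newest entry overall (page 2) is untagged.
SAMPLE_PAGES = [
    {
        "imageDetails": [
            {"imageDigest": "sha256:" + "a" * 64, "imageTags": ["v1.2.0", "latest"],
             "imagePushedAt": "2024-05-02T09:00:00+00:00", "repositoryName": "my-repo"},
            {"imageDigest": "sha256:" + "b" * 64, "imageTags": ["v1.1.0"],
             "imagePushedAt": "2024-04-20T12:00:00+00:00", "repositoryName": "my-repo"},
        ],
        "nextToken": "opaque-token-for-page-2",
    },
    {
        "imageDetails": [
            {"imageDigest": "sha256:" + "c" * 64, "imageTags": ["v1.0.0"],
             "imagePushedAt": "2024-03-01T08:30:00+00:00", "repositoryName": "my-repo"},
            {"imageDigest": "sha256:" + "d" * 64,  # untagged leftover of a moved tag
             "imagePushedAt": "2024-05-03T07:00:00Z", "repositoryName": "my-repo"},
        ]
    },
]

if __name__ == "__main__":
    chosen = newest_tagged_image(SAMPLE_PAGES)
    print(json.dumps(chosen, indent=2))
    print(immutable_reference(REGISTRY, "my-repo", chosen["digest"]))
```

Run against the sample, the per-page shortcut would have returned v1.0.0 (last page) or None (newest entry is untagged); merging first and filtering on tags yields v1.2.0 and its digest, which immutable_reference turns into the registry/repo@sha256:... form a deploy step should consume.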

CI Pipeline Integration Pattern

In deployment pipelines, retrieve newest digest and pass it explicitly to infrastructure steps instead of relying on mutable tags. This makes rollbacks reproducible and audit trails clearer. A common pattern is writing digest output to environment files consumed by later stages.

bash
set -euo pipefail   # abort on a failed aws call, an unset variable or a broken pipe

LATEST_DIGEST=$(aws ecr describe-images \
  --repository-name my-repo \
  --filter tagStatus=TAGGED \
  --query "sort_by(imageDetails,& imagePushedAt)[-1].imageDigest" \
  --output text)

if [ "$LATEST_DIGEST" = "None" ] || [ -z "$LATEST_DIGEST" ]; then
  echo "No digest found" >&2
  exit 1
fi

# GitHub Actions: later steps in the same job read this as $IMAGE_DIGEST
echo "IMAGE_DIGEST=$LATEST_DIGEST" >> "$GITHUB_ENV"

If multiple tags can point to one digest, emit both the digest and the chosen tag in logs for traceability. Also include the registry URI, account ID and region so cross-account automation stays explicit.

Time-based Filtering for Release Windows

Some teams deploy only images pushed after a cutoff timestamp. JMESPath cannot express that directly: its ordering operators (<, >=, and so on) are defined for numbers only and yield null on the timestamp strings, so the cutoff has to be applied in a shell filter or, more safely for anything non-trivial, in an SDK script. Keep timezone handling explicit and normalize both the push times and the cutoff to UTC before comparing.

bash
aws ecr describe-images \
  --repository-name my-repo \
  --filter tagStatus=TAGGED \
  --query "sort_by(imageDetails,& imagePushedAt)[].[imagePushedAt,imageDigest,imageTags[0]]" \
  --output text

Review this output in incident response to confirm exactly which artifact was selected.
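An added example, not code from the page or from AWS, of the release-window filter in Python over the imageDetails list from the command above (or from boto3): every imagePushedAt and the cutoff are converted to aware UTC datetimes before comparison, untagged entries are dropped, and a naive cutoff is rejected. For contrast, newest_by_raw_string shows what a plain string comparison picks. The digests, tags and offsets are constructed; the mixed offsets stand in for timestamps rendered in different local zones.

```python
from datetime import datetime, timezone


def parse_pushed_at(value):
    """imagePushedAt (CLI ISO 8601 string or boto3 datetime) as an aware UTC datetime.

    A naive value is rejected so local time never gets compared to UTC.
    """
    if isinstance(value, str):
        value = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if value.tzinfo is None:
        raise ValueError(f"timestamp without timezone: {value!r}")
    return value.astimezone(timezone.utc)


def images_in_window(image_details, cutoff):
    """Tagged images pushed at or after `cutoff`, newest first.

    cutoff is an ISO 8601 string or datetime and must carry an offset.
    The comparison runs on normalized UTC datetimes, not on the raw strings.
    """
    cutoff_utc = parse_pushed_at(cutoff)
    selected = []
    for d in image_details:
        if not d.get("imageTags"):      # untagged: never a deployable candidate
            continue
        pushed = parse_pushed_at(d["imagePushedAt"])
        if pushed >= cutoff_utc:
            selected.append((pushed, d))
    selected.sort(key=lambda pair: pair[0], reverse=True)
    return [{"digest": d["imageDigest"], "tags": d["imageTags"],
             "pushedAtUtc": pushed.isoformat()} for pushed, d in selected]


def newest_by_raw_string(image_details):
    """The pitfall for contrast: the tag a plain string sort of imagePushedAt picks."""
    tagged = [d for d in image_details if d.get("imageTags")]
    return max(tagged, key=lambda d: d["imagePushedAt"])["imageTags"][0]


# Constructed sample with mixed offsets. v2.1.0 is the newest in UTC (22:00Z),
# although its string sorts below v2.0.0's "23:30:00+02:00" (really 21:30Z).
SAMPLE_DETAILS = [
    {"imageDigest": "sha256:" + "1" * 64, "imageTags": ["v2.0.0"],
     "imagePushedAt": "2024-05-01T23:30:00+02:00"},   # 21:30Z
    {"imageDigest": "sha256:" + "2" * 64, "imageTags": ["v2.1.0"],
     "imagePushedAt": "2024-05-01T22:00:00Z"},        # 22:00Z
    {"imageDigest": "sha256:" + "3" * 64, "imageTags": ["v1.9.0"],
     "imagePushedAt": "2024-05-01T20:00:00+00:00"},   # 20:00Z, before the cutoff
    {"imageDigest": "sha256:" + "4" * 64,              # untagged, ignored
     "imagePushedAt": "2024-05-02T01:00:00+00:00"},
]

# Hypothetical release window start, written with an explicit UTC offset.
RELEASE_CUTOFF = "2024-05-01T21:00:00+00:00"

if __name__ == "__main__":
    for img in images_in_window(SAMPLE_DETAILS, RELEASE_CUTOFF):
        print(img["pushedAtUtc"], img["tags"], img["digest"])
    print("raw string sort would pick:", newest_by_raw_string(SAMPLE_DETAILS))
```

With the cutoff at 21:00Z the window holds v2.1.0 and then v2.0.0, while the raw string comparison would have promoted v2.0.0 to newest. Logging the pushedAtUtc values next to the digest is what lets an incident responder confirm later exactly which artifact the window selected.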

For cross-account registries, point the call at the other account with --registry-id and make sure the role session is allowed to call ecr:DescribeImages on that repository: both your identity policy and the repository policy in the target account must grant it, and the region must match where the repository lives. Many newest-image failures in CI are permission or region mismatches rather than query errors. Always log the account ID and region at runtime for faster triage.

Common Pitfalls

  • Using list-images and expecting push time metadata.
  • Assuming tag order equals push order.
  • Deploying latest mutable tag instead of immutable digest.
  • Ignoring untagged images and getting unexpected query results.
  • Skipping empty-repository checks in CI pipelines.

Summary

  • Use describe-images to access imagePushedAt and choose newest artifacts.
  • Sort by timestamp and select tag or digest based on deployment policy.
  • Filter TAGGED images for predictable output.
  • Add safeguards for empty repositories and scripting errors.
  • Prefer digests when reproducibility matters.
