AWS
Docker
ECR
Image Migration
DevOps

Copy docker image from one AWS ECR repo to another

Master System Design with Codemia

Enhance your system design skills with over 120 practice problems, detailed solutions, and hands-on exercises.

Introduction

Copying an image between Amazon ECR repositories can be done in two common ways: the familiar Docker pull-tag-push workflow, or a manifest-based copy that avoids downloading the image layers to your machine. The best choice depends on whether the source and target repositories are in the same account and region and whether you want the simplest workflow or the least network overhead.

Method 1: Pull, Tag, and Push

The most familiar method uses Docker locally.

  1. Authenticate to the source registry.
  2. Pull the source image.
  3. Tag it for the target repository.
  4. Authenticate to the target registry.
  5. Push the tagged image.

Example:

bash
1aws ecr get-login-password --region us-east-1 | \
2docker login --username AWS --password-stdin 111122223333.dkr.ecr.us-east-1.amazonaws.com
3
4docker pull 111122223333.dkr.ecr.us-east-1.amazonaws.com/source-repo:1.0.0
5
6docker tag \
7  111122223333.dkr.ecr.us-east-1.amazonaws.com/source-repo:1.0.0 \
8  111122223333.dkr.ecr.us-east-1.amazonaws.com/target-repo:1.0.0
9
10docker push 111122223333.dkr.ecr.us-east-1.amazonaws.com/target-repo:1.0.0

This works well and is easy to understand, but it transfers image layers through your local machine.

Method 2: Copy by Manifest

If you want to avoid pulling the image locally, you can fetch the image manifest from the source repository and put it into the target repository.

bash
1MANIFEST=$(aws ecr batch-get-image \
2  --repository-name source-repo \
3  --image-ids imageTag=1.0.0 \
4  --query 'images[0].imageManifest' \
5  --output text)
6
7aws ecr put-image \
8  --repository-name target-repo \
9  --image-tag 1.0.0 \
10  --image-manifest "$MANIFEST"

This is especially useful for repository-to-repository moves inside AWS, because it avoids the local pull and push cycle.

Create the Target Repository First

If the destination repository does not exist yet, create it before copying.

bash
aws ecr create-repository --repository-name target-repo

Without that, the push or manifest import will fail even if the source image exists.

Cross-Account or Cross-Region Notes

The basic logic is the same across accounts or regions, but permissions and registry endpoints change.

For cross-account moves:

  • you need permission to read from the source repo
  • you need permission to write to the target repo

For cross-region moves:

  • authenticate or call APIs against the correct region
  • tag using the target region's ECR hostname when using Docker

The manifest-copy method can still work, but you must make sure both the AWS credentials and the region settings point to the correct registries.

When to Use Which Method

Use pull-tag-push when:

  • you already work with Docker locally
  • simplicity matters more than transfer efficiency
  • you may also want to inspect or test the image locally

Use manifest copy when:

  • you want a cleaner automation flow inside AWS
  • you do not want to move layers through a local host
  • the image already exists in ECR and you just need to duplicate the reference

Verify the Result

After copying, confirm the image exists in the target repository.

bash
aws ecr describe-images --repository-name target-repo

This is a simple but important check, especially in automation pipelines where the copy step may succeed partially or write the wrong tag.

Common Pitfalls

The biggest mistake is forgetting to create the target repository before the copy.

Another issue is authenticating to the wrong registry or region. ECR endpoints are account- and region-specific, so a valid Docker login to one registry does not automatically authorize another one.

Developers also overlook the manifest-copy option and always route the image through a local pull and push, even when the image never needs to leave AWS.

Finally, make sure you copy the intended tag or digest. A repository copy process is only as reliable as the image identifier you use.

Summary

  • The simplest ECR copy workflow is pull, tag, and push with Docker.
  • A more efficient AWS-native option is to copy the image manifest with ECR APIs.
  • Create the destination repository before copying.
  • Cross-account and cross-region copies need the right permissions and endpoints.
  • Always verify the target repository after the copy completes.

Course illustration
Course illustration

All Rights Reserved.