Copy docker image from one AWS ECR repo to another
Master System Design with Codemia
Enhance your system design skills with over 120 practice problems, detailed solutions, and hands-on exercises.
Introduction
Copying an image between Amazon ECR repositories can be done in two common ways: the familiar Docker pull-tag-push workflow, or a manifest-based copy that avoids downloading the image layers to your machine. The best choice depends on whether the source and target repositories are in the same account and region and whether you want the simplest workflow or the least network overhead.
Method 1: Pull, Tag, and Push
The most familiar method uses Docker locally.
- Authenticate to the source registry.
- Pull the source image.
- Tag it for the target repository.
- Authenticate to the target registry.
- Push the tagged image.
Example:
This works well and is easy to understand, but it transfers image layers through your local machine.
Method 2: Copy by Manifest
If you want to avoid pulling the image locally, you can fetch the image manifest from the source repository and put it into the target repository.
This is especially useful for repository-to-repository moves inside AWS, because it avoids the local pull and push cycle.
Create the Target Repository First
If the destination repository does not exist yet, create it before copying.
Without that, the push or manifest import will fail even if the source image exists.
Cross-Account or Cross-Region Notes
The basic logic is the same across accounts or regions, but permissions and registry endpoints change.
For cross-account moves:
- you need permission to read from the source repo
- you need permission to write to the target repo
For cross-region moves:
- authenticate or call APIs against the correct region
- tag using the target region's ECR hostname when using Docker
The manifest-copy method can still work, but you must make sure both the AWS credentials and the region settings point to the correct registries.
When to Use Which Method
Use pull-tag-push when:
- you already work with Docker locally
- simplicity matters more than transfer efficiency
- you may also want to inspect or test the image locally
Use manifest copy when:
- you want a cleaner automation flow inside AWS
- you do not want to move layers through a local host
- the image already exists in ECR and you just need to duplicate the reference
Verify the Result
After copying, confirm the image exists in the target repository.
This is a simple but important check, especially in automation pipelines where the copy step may succeed partially or write the wrong tag.
Common Pitfalls
The biggest mistake is forgetting to create the target repository before the copy.
Another issue is authenticating to the wrong registry or region. ECR endpoints are account- and region-specific, so a valid Docker login to one registry does not automatically authorize another one.
Developers also overlook the manifest-copy option and always route the image through a local pull and push, even when the image never needs to leave AWS.
Finally, make sure you copy the intended tag or digest. A repository copy process is only as reliable as the image identifier you use.
Summary
- The simplest ECR copy workflow is pull, tag, and push with Docker.
- A more efficient AWS-native option is to copy the image manifest with ECR APIs.
- Create the destination repository before copying.
- Cross-account and cross-region copies need the right permissions and endpoints.
- Always verify the target repository after the copy completes.

