Create AWS ECR repository if it doesn't exist

Question

How can I create an AWS ECR repository if it doesn't already exist?

score 99 · Accepted Answer · edited Jan 27 '22 at 19:54

99

One liner to create a repo if it doesn't exist (or the describe command fails for any other reason):

aws ecr describe-repositories --repository-names ${REPO_NAME} || aws ecr create-repository --repository-name ${REPO_NAME}

edited Jan 27 '22 at 19:54

Derek Greer

15,454
5
45
52

answered May 16 '19 at 14:27

James Soubry

1,142
8
4

3

This solution easily works with Jenkins pipeline configurations. – Madura Dissanayake Aug 17 '19 at 18:54
any ideas on how to implement that using cdk? – Pedreiro Jun 14 '20 at 22:17

score 23 · Answer 2 · answered Dec 11 '19 at 10:57

23

AWS makes the repository only if it doesn't exist. You can simply ignore the error & failure with
|| true in case if same repository exists:

aws ecr create-repository --repository-name <repo_name> || true

answered Dec 11 '19 at 10:57

Akif

6,018
3
41
44

2

It's unfortunate AWS ECR is designed the way it is. I believe Azure auto-creates registries as you push new images. Given AWS requires registries to be created beforehand, this seems like the best answer. As pointed out by other answers, the accepted answer suffers from the flaw that not existing isn't the only reason describe-repositories might fail, so the answer doesn't really "create ... if it doesn't exist". – Derek Greer Jan 27 '22 at 19:48

score 18 · Answer 3 · answered Nov 06 '20 at 21:28

Almost all the answers so far are calling the describe-repositories and in case of error they assume that repo didn't exists. This is wrong because there also other kind of errors that can appear (no internet connection, no permission (AccessDeniedException), wrong repo name, ...).

That means if describe-repositories call ends up with error, then we need to check if the error was RepositoryNotFoundException. Only in that case we should call the create-repository.

This is how bash code for this could look like:

output=$(aws ecr describe-repositories --repository-names ${REPO_NAME} 2>&1)

if [ $? -ne 0 ]; then
  if echo ${output} | grep -q RepositoryNotFoundException; then
    aws ecr create-repository --repository-name ${REPO_NAME}
  else
    >&2 echo ${output}
  fi
fi

Line by line explanation:

output=$(aws ecr describe-repositories --repository-names ${REPO_NAME} 2>&1) - This calls the describe-repositories and stores the output to variable named output.

if [ $? -ne 0 ]; then - this line checks if last command (aws ecs describe-repositories ...) was not successful. If exit code ($?) was not 0 (-ne 0) then we need to check what the error was. In case if was successful then there is nothing to do (successful means that repo exists already).

if echo ${output} | grep -q RepositoryNotFoundException; then - in this line we're checking if error came because repo was not existent. If yes, then we need to create the repo:

aws ecr create-repository --repository-name ${REPO_NAME} - creating the repo, we know that it didn't exists.

else - the else case means that describe-repositories throws error for other reason then not existent repo.

>&2 echo ${output} - In that case we should not try to create repo but just output error on stderr (>&2)

Your code and explanation are elegant. However, it's still unclear to me why we even need a precondition check before running the `create-repository` command and why not to call the `create-repository` command directly as I described in my answer? When it comes to catching the error (e.g. permission failure), then it would be better to also catch the error when running the `create-repository` command as well. — Akif, Jul 22 '22 at 22:27
I can tell you my case where it was not working with the direct call of `create-repository`: GitHub actions. The problem with the direct call is that you'll get an error if the repository exists. For GitHub action, this means that the action has failures and stops the workflow with failure. If you do the `describe-repositories` call upfront, you'll never run into a failure that cancels the execution, regardless of whether the repo exists or not. — Walery Strauch, Jul 23 '22 at 20:37
Additionally, the pattern `aws ecr describe-repositories ... || aws ecr create-repository ...` is not working as well on GitHub actions - it also goes into failure too. I added a new answer because any of the existing answers did not cover my particular case. — Walery Strauch, Jul 23 '22 at 20:42
This answer shows that OP has hit all edge cases and should be the accepted one imo. — Alex, Dec 05 '22 at 18:45

score 6 · Answer 4 · answered Feb 08 '19 at 18:09

You can do this, but you need to check if the repo exists first. I hacked this bash script together and it does what I need:

#!/bin/bash

aws ecr describe-repositories --repository-names $1 2>&1 > /dev/null
status=$?
if [[ ! "${status}" -eq 0 ]]; then
    aws ecr create-repository --repository-name $1
fi

The argument would be some repo name. For this to work in CodeBuild, the job will need an IAM role that permits it to create an ECR repo. If you need to get AWS CLI credentials into your code build job, have a look at this AWS Blog post:

https://aws.amazon.com/blogs/devops/how-to-create-an-ami-builder-with-aws-codebuild-and-hashicorp-packer/

We're doing exactly what is described in the "Create a Build Specification" to use JQ to extract AWS credentials.

score 2 · Answer 5 · answered Mar 28 '19 at 11:52

If you want this to be automated in Jenkins scripted pipeline, just use this code-snippet:

def ensureRegistry(accountId, region, repoName) {
    Logger log = new Logger(this)
    def accId = shell.output("aws --region ${region} ecr describe-repositories --repository-names \"${repoName}\" | jq .repositories[].registryId | tr -d '\"'")
    if (accId == accountId) {
        log.info("Docker repository ${repoName} exists for account ${accId}")
    } else {
        log.info("Docker repository ${repoName} doesn't exist for account ${accId}")
        shell.status("aws --region ${region} ecr create-repository --repository-name \"${repoName}\"")
        log.info("Docker repository ${repoName} was just created for account ${accId}")
    }
}

shell.groovy is:

def output(cmd) {
    sh(script: cmd, returnStdout: true)
}

def status(cmd) {
    sh(script: cmd, returnStatus: true)
}

score 1 · Answer 6 · answered Oct 17 '19 at 23:19

In addition to conditionally creating the repo, if you also want to extract the repo URI, consider this multiline bash command:

REPO_URI=$(aws ecr describe-repositories --repository-names "${REPO_NAME}" --query "repositories[0].repositoryUri" --output text 2>/dev/null || \
           aws ecr create-repository --repository-name "${REPO_NAME}"  --query "repository.repositoryUri" --output text)

The repo URI can be useful for the tag and push operations.

Partial credit: answer by JS

score 0 · Answer 7 · answered May 02 '20 at 20:17

export ECR_REPO=`aws ecr describe-repositories --repository-names $REPO_NAME 2>/dev/null | jq .repositories[0].repositoryUri | tr -d \\\" && aws ecr create-repository --repository-name $REPO_NAME --region us-east-1 2>/dev/null | jq .repository.repositoryUri | tr -d \\\"`

This works in a buildspec.yml file for always grabbing the repo name and storing it in the ECR_REPO var. It will create the repo or fail silently if it already exists. It will grab the repo name if it does exist or fail silently if it does not.

score 0 · Answer 8 · edited Oct 01 '20 at 20:25

To check the whether ECR repository exist or not, you can use double. First check the describe the repositories if not exists then create repository always use tags this helps in auditing.

- aws ecr describe-repositories --repository-names ${ECRImage} || aws ecr create-repository --repository-name ${ECRImage} --tags Key=Domain,Value=$Domain Key=AppEnv,Value=$AppEnv Key=ApplicationCI,Value=$ApplicationCI Key=Owner,Value=$Owner Key=Requester,Value=$Requester Key=CostCenter,Value=$CostCenter

Create AWS ECR repository if it doesn't exist

8 Answers8

Linked