Pull images from AWS ECR on AWS EC2 without using docker login but using EC2 Instance role and ECR repository permissions

Expected behavior

docker should pull image from AWS ECR on AWS EC2 instance with AWS EC2 role/policy and permission to all resources on aws ecr repository.

Actual behavior

Not able to pull image
getting is “unauthorized: authentication required”.

Additional Information

Steps to reproduce the behavior

  1. Assign AmazonEC2ContainerRegistryReadOnly policy to a role and the role to EC2 instance.
  2. Use below policy document to add permission to AWS ECR repository.

“Version”: “2008-10-17”,
“Statement”: [
“Sid”: “new policy”,
“Effect”: “Allow”,
“Principal”: “*”,
“Action”: [

Let me know if this is possible.

I’m researching the same issue, did you get an answer for that? did you figure it out?


In order to configure it I did the following:

  1. Configured IAM role as described here: https://aws.amazon.com/premiumsupport/knowledge-center/ecs-tasks-pull-images-ecr-repository/

  2. Attached IAM role to my EC2 instance.

  3. Installed amazon-ecr-credential-helper.

  4. Created ~/.docker/config.json (https://github.com/awslabs/amazon-ecr-credential-helper#Configuration)