# Amazon ECR private repositories
An Amazon ECR private repository contains your Docker images, Open Container Initiative (OCI) images, and OCI compatible artifacts. You can create, monitor, and delete image repositories and set permissions that control who can access them by using Amazon ECR API operations or the **Repositories** section of the Amazon ECR console. Amazon ECR also integrates with the Docker CLI, so that you can push and pull images from your development environments to your repositories.
**Topics**
+ [
## Private repository concepts
](#repository-concepts)
+ [
# Creating an Amazon ECR private repository to store images
](repository-create.md)
+ [
# Viewing the contents and details of a private repository in Amazon ECR
](repository-info.md)
+ [
# Deleting a private repository in Amazon ECR
](repository-delete.md)
+ [
# Private repository policies in Amazon ECR
](repository-policies.md)
+ [
# Tagging a private repository in Amazon ECR
](ecr-using-tags.md)
## Private repository concepts
+ By default, your account has read and write access to the repositories in your default registry (`aws_account_id.dkr.ecr.region.amazonaws.com`). However, users require permissions to make calls to the Amazon ECR APIs and to push or pull images to and from your repositories. Amazon ECR provides several managed policies to control user access at varying levels. For more information, see [Amazon Elastic Container Registry Identity-based policy examples](security_iam_id-based-policy-examples.md).
+ Repositories can be controlled with both user access policies and individual repository policies. For more information, see [Private repository policies in Amazon ECR](repository-policies.md).
+ Repository names can support namespaces, which you can use to group similar repositories. For example, if there are several teams using the same registry, Team A can use the `team-a` namespace, and Team B can use the `team-b` namespace. By doing this, each team has their own image called `web-app` with each image prefaced with the team namespace. This configuration allows these images on each team to be used simultaneously without interference. Team A's image is `team-a/web-app`, and Team B's image is `team-b/web-app`.
+ Your images can be replicated to other repositories across Regions in your own registry and across accounts. You can do this by specifying a replication configuration in your registry settings. For more information, see [Private registry settings in Amazon ECR](registry-settings.md).
+ When blob mounting is enabled at the registry level, repositories can share common image layers.
# Creating an Amazon ECR private repository to store images
**Important**
Dual-layer server-side encryption with AWS KMS (DSSE-KMS) is only available in the AWS GovCloud (US) Regions.
Create an Amazon ECR private repository, and then use the repository to store your container images. Use the following steps to create a private repository using the AWS Management Console.
**To create a repository (AWS Management Console)**
1. Open the Amazon ECR console at [https://console.aws.amazon.com/ecr/repositories](https://console.aws.amazon.com/ecr/repositories).
1. From the navigation bar, choose the Region to create your repository in.
1. Choose **Private repositories**, and then choose **Create repository**.
1. For **Repository name**, enter a unique name for your repository. The repository name can be specified on its own (for example `nginx-web-app`). Alternatively, it can be prepended with a namespace to group the repository into a category (for example `project-a/nginx-web-app`).
**Note**
The repository name may container a maximum of `256` characters. The name must start with a letter and can only contain lowercase letters, numbers, hyphens, underscores, periods and forward slashes. Using a double forward slash isn't supported.
1. For **Image tag immutability**, choose one of the following tag mutability settings for the repository.
+ **Mutable** – Choose this option if you want image tags to be overwritten. Recommended for repositories using pull through cache actions to ensure Amazon ECR can update cached images. Additionally, to disable tag updates for a few mutable tags, enter tag names or use wildcards (\$1) to match multiple similar tags in the **Mutable tag exclusion** text box.
+ **Immutable** – Choose this option if you want to prevent image tags from being overwritten, and it applies to all tags and exclusions in the repository when pushing an image with existing tag. Amazon ECR returns an `ImageTagAlreadyExistsException` if you attempt to push an image with an existing tag. Additionally, to enable tag updates for a few immutable tags, enter tag names or use wildcards (\$1) to match multiple similar tags in the **Immutable tag exclusion** text box.
**Note**
Individual tag mutability settings aren't supported.
1. For ** Encryption configuration**, choose between **AES-256** or ** AWS KMS**. For more information, see [Encryption at rest](encryption-at-rest.md).
1. If AWS KMS is chosen, choose between Single-layer encryption and Dual-layer encryption. There are additional charges for using AWS KMS or Dual-layer encryption. For more information, see [Amazon ECR Service Pricing](https://aws.amazon.com/ecr/pricing/).
1. By default, AWS managed key with the alias `aws/ecr` is chosen. This key is created in your account the first time that you create a repository with AWS KMS encryption enabled. Select ** Customer managed key (advanced)** to choose your own AWS KMS key. The AWS KMS key must be in the same Region as the cluster. Select **Create an AWS KMS key** to navigate to the AWS KMS console to create your own key.
1. For **Image scanning settings**, while you can specify the scan settings at the repository level for basic scanning, it is a best practice to specify the scan configuration at the private registry level. Configuring the scanning settings at the private registry level enables you to choose between enhanced scanning or basic scanning, and also allows you to define filters to specify which repositories should be scanned.
1. Choose **Create**.
**To create a repository (AWS CLI)**
1. You can create a repository using the AWS CLI with the **aws ecr create-repository** command.
```
aws ecr create-repository \
--repository-name hello-repository \
--region region
```
1. If you have a repository creation template defined, you can create a repository by pushing your image using familiar Amazon ECR push commands with your desired repository name. Amazon ECR will automatically create the repository for you using the predefined settings of your repository creation template. If you do not have a repository creation template defined yet, your request to your nonexistent image repository will fail.
```
docker push aws_account_id.dkr.ecr.region.amazonaws.com/prefix/my-new-repository:tag
```
## Next steps
To view the steps to push an image to your repository, select the repository and choose **View push commands**. For more information about pushing an image to your repository, see [Pushing an image to an Amazon ECR private repository](image-push.md).
# Viewing the contents and details of a private repository in Amazon ECR
After you created a private repository, you can view details about the repository in the AWS Management Console:
+ Which images are stored in a repository
+ Details about each image stored in the repository, including the size and SHA digest for each image
+ The scan frequency specified for the contents of the repository
+ Whether the repository has an active pull through cache rule associated with it
+ The encryption setting for the repository
**Note**
Starting with Docker version 1.9, the Docker client compresses image layers before pushing them to a V2 Docker registry. The output of the **docker images** command shows the uncompressed image size. Therefore, keep in mind that Docker might return a larger image than the image shown in the AWS Management Console.
**To view repository information (AWS Management Console)**
1. Open the Amazon ECR console at [https://console.aws.amazon.com/ecr/repositories](https://console.aws.amazon.com/ecr/repositories).
1. From the navigation bar, choose the Region that contains the repository to view.
1. In the navigation pane, choose **Repositories**.
1. On the **Repositories** page, choose the **Private** tab and then the repository to view.
1. On the repository detail page, the console defaults to the **Images** view. Use the navigation menu to view other information about the repository.
+ Choose **Summary** to view the repository details and pull count data for the repository.
+ Choose **Images** to view information about the image tags in the repository. To view more information about the image, select the image tag. For more information, see [Viewing image details in Amazon ECR](image-info.md).
If there are untagged images that you want to delete, you can select the box to the left of the repositories to delete and choose **Delete**. For more information, see [Deleting an image in Amazon ECR](delete_image.md).
+ Choose **Permissions** to view the repository policies that are applied to the repository. For more information, see [Private repository policies in Amazon ECR](repository-policies.md).
+ Choose **Lifecycle Policy** to view the lifecycle policy rules that are applied to the repository. The lifecycle events history is also viewed here. For more information, see [Automate the cleanup of images by using lifecycle policies in Amazon ECR](LifecyclePolicies.md).
+ Choose **Tags** to view the metadata tags that are applied to the repository.
# Deleting a private repository in Amazon ECR
If you're finished using a repository, you can delete it. When you delete a repository in the AWS Management Console, all of the images contained in the repository are also deleted; this cannot be undone.
**Important**
Images in the deleted repositories are also deleted. You cannot undo this operation.
**To delete a repository (AWS Management Console)**
1. Open the Amazon ECR console at [https://console.aws.amazon.com/ecr/repositories](https://console.aws.amazon.com/ecr/repositories).
1. From the navigation bar, choose the Region that contains the repository to delete.
1. In the navigation pane, choose **Repositories**.
1. On the **Repositories** page, choose the **Private** tab and then select the repository to delete and choose **Delete**.
1. In the **Delete *repository\$1name*** window, verify that the selected repositories should be deleted and choose **Delete**.
# Private repository policies in Amazon ECR
Amazon ECR uses resource-based permissions to control access to repositories. Resource-based permissions let you specify which users or roles have access to a repository and what actions they can perform on the repository. By default, only the AWS account that created the repository has access to the repository. You can apply a repository policy that allows additional access to your repository.
**Topics**
+ [
## Repository policies vs IAM policies
](#repository-policy-vs-iam-policy)
+ [
# Private repository policy examples in Amazon ECR
](repository-policy-examples.md)
+ [
# Setting a private repository policy statement in Amazon ECR
](set-repository-policy.md)
## Repository policies vs IAM policies
Amazon ECR repository policies are a subset of IAM policies that are scoped for, and specifically used for, controlling access to individual Amazon ECR repositories. IAM policies are generally used to apply permissions for the entire Amazon ECR service but can also be used to control access to specific resources as well.
Both Amazon ECR repository policies and IAM policies are used when determining which actions a specific user or role may perform on a repository. If a user or role is allowed to perform an action through a repository policy but is denied permission through an IAM policy (or vice versa) then the action will be denied. A user or role only needs to be allowed permission for an action through either a repository policy or an IAM policy but not both for the action to be allowed.
**Important**
Amazon ECR requires that users have permission to make calls to the `ecr:GetAuthorizationToken` API through an IAM policy before they can authenticate to a registry and push or pull any images from any Amazon ECR repository. Amazon ECR provides several managed IAM policies to control user access at varying levels. For more information, see [Amazon Elastic Container Registry Identity-based policy examples](security_iam_id-based-policy-examples.md).
You can use either of these policy types to control access to your repositories, as shown in the following examples.
This example shows an Amazon ECR repository policy, which allows for a specific user to describe the repository and the images within the repository.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "ECRRepositoryPolicy",
"Effect": "Allow",
"Principal": {"AWS": "arn:aws:iam::111122223333:user/username"},
"Action": [
"ecr:DescribeImages",
"ecr:DescribeRepositories"
],
"Resource": "*"
}
]
}
```
------
This example shows an IAM policy that achieves the same goal as above, by scoping the policy to a repository (specified by the full ARN of the repository) using the resource parameter. For more information about Amazon Resource Name (ARN) format, see [Resources](security_iam_service-with-iam.md#security_iam_service-with-iam-id-based-policies-resources).
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowDescribeRepoImage",
"Effect": "Allow",
"Action": [
"ecr:DescribeImages",
"ecr:DescribeRepositories"
],
"Resource": ["arn:aws:ecr:us-east-1:111122223333:repository/repository-name"]
}
]
}
```
------
# Private repository policy examples in Amazon ECR
**Important**
The repository policy examples on this page are meant to be applied to Amazon ECR private repositories. They will not work properly if used with an IAM principal directly unless modified to specify the Amazon ECR repository as the resource. For more information on setting repository policies, see [Setting a private repository policy statement in Amazon ECR](set-repository-policy.md).
Amazon ECR repository policies are a subset of IAM policies that are scoped for, and specifically used for, controlling access to individual Amazon ECR repositories. IAM policies are generally used to apply permissions for the entire Amazon ECR service but can also be used to control access to specific resources as well. For more information, see [Repository policies vs IAM policies](repository-policies.md#repository-policy-vs-iam-policy).
The following repository policy examples show permission statements that you could use to control access to your Amazon ECR private repositories.
**Important**
Amazon ECR requires that users have permission to make calls to the `ecr:GetAuthorizationToken` API through an IAM policy before they can authenticate to a registry and push or pull any images from any Amazon ECR repository. Amazon ECR provides several managed IAM policies to control user access at varying levels. For more information, see [Amazon Elastic Container Registry Identity-based policy examples](security_iam_id-based-policy-examples.md).
## Example: Allow one or more users
The following repository policy allows one or more users to push and pull images to and from a repository.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowPushPull",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::111122223333:user/push-pull-user-1",
"arn:aws:iam::111122223333:user/push-pull-user-2"
]
},
"Action": [
"ecr:BatchGetImage",
"ecr:BatchCheckLayerAvailability",
"ecr:CompleteLayerUpload",
"ecr:GetDownloadUrlForLayer",
"ecr:InitiateLayerUpload",
"ecr:PutImage",
"ecr:UploadLayerPart"
],
"Resource": "*"
}
]
}
```
------
## Example: Allow another account
The following repository policy allows a specific account to push images.
**Important**
The account you are granting permissions to must have the Region you are creating the repository policy in enabled, otherwise an error will occur.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowCrossAccountPush",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": [
"ecr:BatchCheckLayerAvailability",
"ecr:CompleteLayerUpload",
"ecr:InitiateLayerUpload",
"ecr:PutImage",
"ecr:UploadLayerPart"
],
"Resource": "*"
}
]
}
```
------
The following repository policy allows some users to pull images (*pull-user-1* and *pull-user-2*) while providing full access to another (*admin-user*).
**Note**
For more complicated repository policies that are not currently supported in the AWS Management Console, you can apply the policy with the [https://docs.aws.amazon.com/cli/latest/reference/ecr/set-repository-policy.html](https://docs.aws.amazon.com/cli/latest/reference/ecr/set-repository-policy.html) AWS CLI command.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowPull",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::111122223333:user/pull-user-1",
"arn:aws:iam::111122223333:user/pull-user-2"
]
},
"Action": [
"ecr:BatchGetImage",
"ecr:GetDownloadUrlForLayer"
],
"Resource": "*"
},
{
"Sid": "AllowAll",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:user/admin-user"
},
"Action": [
"ecr:*"
],
"Resource": "*"
}
]
}
```
------
## Example: Deny all
The following repository policy denies all users in all accounts the ability to pull images.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "DenyPull",
"Effect": "Deny",
"Principal": "*",
"Action": [
"ecr:BatchGetImage",
"ecr:GetDownloadUrlForLayer"
],
"Resource": "*"
}
]
}
```
------
## Example: Restricting access to specific IP addresses
The following example denies permissions to any user to perform any Amazon ECR operations when applied to a repository from a specific range of addresses.
The condition in this statement identifies the `54.240.143.*` range of allowed Internet Protocol version 4 (IPv4) IP addresses.
The `Condition` block uses the `NotIpAddress` conditions and the `aws:SourceIp` condition key, which is an AWS-wide condition key. For more information about these condition keys, see [AWS Global Condition Context Keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). The `aws:sourceIp` IPv4 values use the standard CIDR notation. For more information, see [IP Address Condition Operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_IPAddress) in the *IAM User Guide*.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Id": "ECRPolicyId1",
"Statement": [
{
"Sid": "IPAllow",
"Effect": "Deny",
"Principal": "*",
"Action": "ecr:*",
"Resource": "*",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": "54.240.143.0/24"
}
}
}
]
}
```
------
## Example: Allow an AWS service
The following repository policy allows AWS CodeBuild access to the Amazon ECR API actions necessary for integration with that service. When using the following example, you should use the `aws:SourceArn` and `aws:SourceAccount` condition keys to scope which resources can assume these permissions. For more information, see [Amazon ECR sample for CodeBuild](https://docs.aws.amazon.com/codebuild/latest/userguide/sample-ecr.html) in the *AWS CodeBuild User Guide*.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement":[
{
"Sid":"CodeBuildAccess",
"Effect":"Allow",
"Principal":{
"Service":"codebuild.amazonaws.com"
},
"Action":[
"ecr:BatchGetImage",
"ecr:GetDownloadUrlForLayer"
],
"Resource": "*",
"Condition":{
"ArnLike":{
"aws:SourceArn":"arn:aws:codebuild:us-east-1:123456789012:project/project-name"
},
"StringEquals":{
"aws:SourceAccount":"123456789012"
}
}
}
]
}
```
------
# Setting a private repository policy statement in Amazon ECR
You can add an access policy statement to a repository in the AWS Management Console by following the steps below. You can add multiple policy statements per repository. For example policies, see [Private repository policy examples in Amazon ECR](repository-policy-examples.md).
**Important**
Amazon ECR requires that users have permission to make calls to the `ecr:GetAuthorizationToken` API through an IAM policy before they can authenticate to a registry and push or pull any images from any Amazon ECR repository. Amazon ECR provides several managed IAM policies to control user access at varying levels. For more information, see [Amazon Elastic Container Registry Identity-based policy examples](security_iam_id-based-policy-examples.md).
**To set a repository policy statement**
1. Open the Amazon ECR console at [https://console.aws.amazon.com/ecr/repositories](https://console.aws.amazon.com/ecr/repositories).
1. From the navigation bar, choose the Region that contains the repository to set a policy statement on.
1. In the navigation pane, choose **Repositories**.
1. On the **Repositories** page, choose the repository to set a policy statement on to view the contents of the repository.
1. From the repository image list view, in the navigation pane, choose **Permissions**, **Edit**.
**Note**
If you don't see the **Permissions** option in the navigation pane, ensure that you are in the repository image list view.
1. On the **Edit permissions** page, choose **Add statement**.
1. For **Statement name**, enter a name for the statement.
1. For **Effect**, choose whether the policy statement will result in an allow or an explicit deny.
1. For **Principal**, choose the scope to apply the policy statement to. For more information, see [AWS JSON Policy Elements: Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html) in the *IAM User Guide*.
+ You can apply the statement to all authenticated AWS users by selecting the **Everyone (\$1)** check box.
+ For **Service principal**, specify the service principal name (for example, `ecs.amazonaws.com`) to apply the statement to a specific service.
+ For **AWS Account IDs**, specify an AWS account number (for example, `111122223333`) to apply the statement to all users under a specific AWS account. Multiple accounts can be specified by using a comma delimited list.
**Important**
The account you are granting permissions to must have the Region you are creating the repository policy in enabled, otherwise an error will occur.
+ For **IAM Entities**, select the roles or users under your AWS account to apply the statement to.
**Note**
For more complicated repository policies that are not currently supported in the AWS Management Console, you can apply the policy with the [https://docs.aws.amazon.com/cli/latest/reference/ecr/set-repository-policy.html](https://docs.aws.amazon.com/cli/latest/reference/ecr/set-repository-policy.html) AWS CLI command.
1. For **Actions**, choose the scope of the Amazon ECR API operations that the policy statement should apply to from the list of individual API operations.
1. When you are finished, choose **Save** to set the policy.
1. Repeat the previous step for each repository policy to add.
# Tagging a private repository in Amazon ECR
To help you manage your Amazon ECR repositories, you can assign your own metadata to new or existing Amazon ECR repositories by using AWS resource *tags*. For example, you could define a set of tags for your account's Amazon ECR repositories that helps you track the owner of each repository.
## Tag basics
Tags don't have any semantic meaning to Amazon ECR and are interpreted strictly as a string of characters. Tags are not automatically assigned to your resources. You can edit tag keys and values, and you can remove tags from a resource at any time. You can set the value of a tag to an empty string, but you can't set the value of a tag to null. If you add a tag that has the same key as an existing tag on that resource, the new value overwrites the old value. If you delete a resource, any tags for the resource are also deleted.
You can work with tags using the Amazon ECR console, the AWS CLI, and the Amazon ECR API.
Using AWS Identity and Access Management (IAM), you can control which users in your AWS account have permission to create, edit, or delete tags. For information about tags in IAM policies, see [Using Tag-Based Access Control](ecr-supported-iam-actions-tagging.md).
## Tagging your resources for billing
The tags you add to your Amazon ECR repositories are helpful when reviewing cost allocation after enabling them in your Cost & Usage Report. For more information, see [Amazon ECR usage reports](usage-reports.md).
To see the cost of your combined resources, you can organize your billing information based on resources that have the same tag key values. For example, you can tag several resources with a specific application name, and then organize your billing information to see the total cost of that application across several services. For more information about setting up a cost allocation report with tags, see [The Monthly Cost Allocation Report](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/configurecostallocreport.html) in the *AWS Billing User Guide*.
**Note**
If you've just enabled reporting, data for the current month is available for viewing after 24 hours.
# Adding tags to a private repository in Amazon ECR
You can add tags to a private repository.
For information about names and best practices for tags, see [Tag naming limits and requirements](https://docs.aws.amazon.com//tag-editor/latest/userguide/tagging.html#tag-conventions) and [Best practices](https://docs.aws.amazon.com//tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Tagging AWS Resources User Guide*.
## Adding tags to a repository (AWS Management Console)
1. Open the Amazon ECR console at [https://console.aws.amazon.com/ecr/](https://console.aws.amazon.com/ecr/).
1. From the navigation bar, select the region to use.
1. In the navigation pane, choose **Repositories**.
1. On the **Repositories** page, select the check box next to the repository you want to tag.
1. From the **Action** menu, select **Repository tags**.
1. On the **Repository tags** page, select **Add tags**, **Add tag**.
1. On the **Edit repository tags** page, specify the key and value for each tag, and then choose **Save**.
## Adding tags to a repository (AWS CLI or API)
You can add or overwrite one or more tags by using the AWS CLI or an API.
+ AWS CLI - [tag-resource](https://docs.aws.amazon.com/cli/latest/reference/ecr/tag-resource.html)
+ API action - [TagResource](https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_TagResource.html)
The following examples show how to add tags using the AWS CLI.
**Example 1: Tag a repository**
The following command tags a repository.
```
aws ecr tag-resource \
--resource-arn arn:aws:ecr:region:account_id:repository/repository_name \
--tags Key=stack,Value=dev
```
**Example 2: Tag a repository with multiple tags**
The following command adds three tags to a repository.
```
aws ecr tag-resource \
--resource-arn arn:aws:ecr:region:account_id:repository/repository_name \
--tags Key=key1,Value=value1 Key=key2,Value=value2 Key=key3,Value=value3
```
**Example 3: List tags for a repository**
The following command lists the tags associated with a repository.
```
aws ecr list-tags-for-resource \
--resource-arn arn:aws:ecr:region:account_id:repository/repository_name
```
**Example 4: Create a repository and add a tag**
The following command creates a repository named `test-repo` and adds a tag with key `team` and value `devs`.
```
aws ecr create-repository \
--repository-name test-repo \
--tags Key=team,Value=devs
```
# Deleting tags from a private repository in Amazon ECR
You can delete tags from a private repository.
## To delete a tag from a private repository (AWS Management Console)
1. Open the Amazon ECR console at [https://console.aws.amazon.com/ecr/](https://console.aws.amazon.com/ecr/).
1. From the navigation bar, select the region to use.
1. On the **Repositories** page, select the check box next to the repository you want to remove a tag from.
1. From the **Action** menu, select **Repository tags**.
1. On the **Repository tags** page, select **Edit**.
1. On the **Edit repository tags** page, select **Remove** for each tag you want to delete, and choose **Save**.
## To delete a tag from a private repository (AWS CLI)
You can delete one or more tags by using the AWS CLI or an API.
+ AWS CLI - [untag-resource](https://docs.aws.amazon.com/cli/latest/reference/ecr/untag-resource.html)
+ API action - [UntagResource](https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_UntagResource.html)
The following example shows how to delete a tag from a repository using the AWS CLI.
```
aws ecr untag-resource \
--resource-arn arn:aws:ecr:region:account_id:repository/repository_name \
--tag-keys tag_key
```