How to delete untagged images from AWS ECR Container Registry

礼貌的吻别 2020-12-16 12:34

When pushing images to Amazon ECR, if the tag already exists within the repo the old image remains within the registry but goes in an untagged state.

So if i docker

4 Answers
  • 2020-12-16 13:08

    Now that ECR supports lifecycle policies (https://docs.aws.amazon.com/AmazonECR/latest/userguide/LifecyclePolicies.html), you can use them to delete the untagged images automatically.

    Setting up a lifecycle policy preview using the console

    1. Open the Amazon ECS console at https://console.aws.amazon.com/ecs/.
    2. From the navigation bar, choose the region that contains the repository on which to perform a lifecycle policy preview.
    3. In the navigation pane, choose Repositories and select a repository.
    4. On the All repositories: repository_name page, choose Dry-Run Lifecycle Rules, Add.
    5. Enter the following details for your lifecycle policy rule:
       • For Rule Priority, type a number for the rule priority.
       • For Rule Description, type a description for the lifecycle policy rule.
       • For Image Status, choose either Tagged or Untagged.
       • If you specified Tagged for Image Status, then for Tag Prefix List, you can optionally specify a list of image tags on which to take action with your lifecycle policy. If you specified Untagged, this field must be empty.
       • For Match criteria, choose values for Count Type, Count Number, and Count Unit (if applicable).
    6. Choose Save.
    7. Create additional lifecycle policy rules by repeating steps 5–7.
    8. To run the lifecycle policy preview, choose Save and preview results.
    9. Under Preview Image Results, review the impact of your lifecycle policy preview.
    10. If you are satisfied with the preview results, choose Apply as lifecycle policy to create a lifecycle policy with the specified rules.

    From here: https://docs.aws.amazon.com/AmazonECR/latest/userguide/lpp_creation.html

  • 2020-12-16 13:12

    Setting a Lifecycle policy is definitely the best way of managing this. That being said, if you do have a bunch of images that you want to delete, keep in mind that the max for batch-delete-image is 100. So you need to do this if the number of untagged images is greater than 100:

    # Take only the first 100 untagged image IDs, the per-call maximum mentioned above
    IMAGES_TO_DELETE=$( aws ecr list-images --repository-name "$ECR_REPO" --filter "tagStatus=UNTAGGED" --query 'imageIds[0:100]' --output json )
    echo "$IMAGES_TO_DELETE" | jq length # Gets the number of results
    aws ecr batch-delete-image --repository-name "$ECR_REPO" --image-ids "$IMAGES_TO_DELETE" --profile qa || true
    
  • 2020-12-16 13:17

    I actually forged a one line solution using aws cli

    aws ecr describe-repositories --query 'repositories[*].repositoryName' --output text | tr '\t' '\n' | while read -r line; do aws ecr list-images --repository-name "$line" --filter tagStatus=UNTAGGED --query 'imageIds[*]' --output text | while read -r imageId; do aws ecr batch-delete-image --repository-name "$line" --image-ids imageDigest="$imageId"; done; done
    

    What it's doing is:

    • get all repositories
    • for each repository give me all images with tagStatus=UNTAGGED
    • for each image+repo issue a batch-delete-image
  • 2020-12-16 13:24

    You can delete all images in a single request, without loops:

    IMAGES_TO_DELETE=$( aws ecr list-images --region "$ECR_REGION" --repository-name "$ECR_REPO" --filter "tagStatus=UNTAGGED" --query 'imageIds[*]' --output json )

    aws ecr batch-delete-image --region "$ECR_REGION" --repository-name "$ECR_REPO" --image-ids "$IMAGES_TO_DELETE" || true
    

    First it gets a list of images that are untagged, in json format:

    [ {"imageDigest": "sha256:..."}, {"imageDigest": "sha256:..."}, ... ]

    Then it sends that list to batch-delete-image.

    The last || true is required to avoid an error code when there are no untagged images.

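Added example, not part of any answer above: a POSIX shell function that works within the 100-image limit mentioned in the second answer by submitting untagged digests in chunks, and that makes no delete call when nothing is untagged. The names `purge_untagged`, `delete_batch`, `BATCH_MAX` and `DRY_RUN` are hypothetical; the caller is assumed to hold `ecr:ListImages` and `ecr:BatchDeleteImage` on the repository.

```shell
#!/bin/sh
# Added example: chunked cleanup of untagged ECR images (hypothetical helper names).
BATCH_MAX=100   # per-call maximum for batch-delete-image, as stated in the answer above

# delete_batch REPO imageDigest=... [imageDigest=...]
# Set DRY_RUN=1 (hypothetical switch) to report the batch without deleting anything.
delete_batch() {
  repo=$1; shift
  [ "$#" -gt 0 ] || return 0            # empty batch: nothing to send
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "dry run: would delete $# image(s) from $repo" >&2
  else
    # Per-image failures come back in the response body, so surface them on stderr.
    aws ecr batch-delete-image --repository-name "$repo" --image-ids "$@" \
      --query 'failures[*].[imageId.imageDigest,failureCode]' --output text >&2
  fi
}

# purge_untagged REPO
# Prints the number of untagged digests submitted for deletion.
# The body runs in a subshell so its variables do not leak into the caller.
purge_untagged() (
  repo=$1
  digests=$(aws ecr list-images --repository-name "$repo" \
              --filter tagStatus=UNTAGGED \
              --query 'imageIds[*].imageDigest' --output text) || exit 1
  total=0
  set --                                 # positional parameters hold the current batch
  for d in $digests; do                  # digests contain no whitespace or glob characters
    case $d in sha256:*) ;; *) continue ;; esac   # skip "None" or other non-digest output
    set -- "$@" "imageDigest=$d"
    total=$((total + 1))
    if [ "$#" -ge "$BATCH_MAX" ]; then
      delete_batch "$repo" "$@" || exit 1
      set --
    fi
  done
  delete_batch "$repo" "$@" || exit 1    # final partial batch, if any
  echo "$total"
)
```

Running it once with `DRY_RUN=1` shows how many images each call would remove before anything is deleted.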