# circleci/aws-ecr

Build images and push them to the Amazon Elastic Container Registry.


## Commands

### build_and_push_image

Log into Amazon ECR, build and push a Docker image to the specified repository. NOTE: Some commands may not work with AWS CLI Version 1.


| Parameter | Type | Default | Description |
|---|---|---|---|
| `account_id` | string | ${AWS_ACCOUNT_ID} | The 12 digit AWS id associated with the ECR account. This field is required. |
| `attach_workspace` | boolean | false | Boolean for whether or not to attach to an existing workspace. Default is false. |
| `auth` | steps |  | The authentication method used to access your AWS account. Import the aws-cli orb in your config and provide the aws-cli/setup command to authenticate with your preferred method. View examples for more information. |
| `aws_domain` | string | amazonaws.com | The AWS domain for your region, e.g. in China the AWS domain is amazonaws.com.cn. The default value is amazonaws.com. |
| `binfmt_version` | string | qemu-v7.0.0-28 | The version to use for the binfmt image. The binfmt image is used to emulate multiple architectures when building multiplatform images. Defaults to qemu-v7.0.0-28; change only if you know what you are doing. See https://hub.docker.com/r/tonistiigi/binfmt for details. |
| `build_path` | string | . | Path to the directory containing your build context. Defaults to . (working directory). |
| `checkout` | boolean | true | Boolean for whether or not to checkout as a first step. Default is true. |
| `container_registry_login` | boolean | false | Enable login to different image container registries such as DockerHub, Heroku or GitHub. Defaults to false. |
| `create_repo` | boolean | false | Should the repo be created if it does not exist? |
| `dockerfile` | string | Dockerfile | Name of dockerfile to use. Defaults to Dockerfile. |
| `extra_build_args` | string |  | Extra flags to pass to docker build. This parameter accepts multi-line arguments. If your argument spans multiple lines, please use the Folded Block Style denoted by `>-` (e.g. extra_build_args: >-). For examples of available flags, see https://docs.docker.com/engine/reference/commandline/buildx_build |
| `lifecycle_policy_path` | string |  | The path to the .json file containing the lifecycle policy to be applied to a specified repository in AWS ECR. |
| `no_output_timeout` | string | 10m | The amount of time to allow the docker build command to run before timing out (default is `10m`). |
| `path` | string | . | Path to the directory containing your Dockerfile. Defaults to . (working directory). |
| `platform` | string | linux/amd64 | Platform targets for the docker image, multi arch images. Ex. linux/amd64,linux/arm64 |
| `profile_name` | string | default | AWS profile name to be configured. |
| `public_registry` | boolean | false | Set to true if building and pushing an image to a Public Registry on ECR. |
| `public_registry_alias` | string | ${AWS_ECR_PUBLIC_REGISTRY_ALIAS} | The public registry alias for your public repositories. This parameter is required if pushing to a public repository. It can be found in the Amazon ECR console > Public Registries. |
| `push_image` | boolean | true | Set to false to build an image without pushing to repository.  Defaults to true. |
| `region` | string | ${AWS_DEFAULT_REGION} | Name of env var storing your AWS region information, defaults to AWS_DEFAULT_REGION. |
| `registry_login` | steps | (two steps, not rendered) | Custom container registry login step, e.g. `docker login -u $DOCKER_ID -p $DOCKER_PASSWORD` |
| `remote_docker_layer_caching` | boolean | false | Enable Docker layer caching if using remote Docker engine. Defaults to false. For more information about docker_layer_caching go to https://circleci.com/docs/guides/optimize/docker-layer-caching/ |
| `remote_docker_version` | string |  | Specific remote docker version |
| `repo` | string |  | Name of an Amazon ECR repository |
| `repo_encryption_kms_key` | string |  | If you use the KMS encryption type, specify the KMS key to use for encryption. The alias, key ID, or full ARN of the KMS key can be specified. |
| `repo_encryption_type` | enum | AES256 | The encryption type to use. |
| `repo_image_tag_exclusion_filters` | string |  | Comma-separated list of tag filters to exclude from the mutability setting (e.g., 'latest,dev-*'). Only used with IMMUTABLE_WITH_EXCLUSION. Each filter will be applied as a WILDCARD type filter. |
| `repo_image_tag_mutability` | enum | MUTABLE | The tag mutability setting for the repository. If this parameter is omitted, the default setting of MUTABLE will be used which will allow image tags to be overwritten. If IMMUTABLE is specified, all image tags within the repository will be immutable which will prevent them from being overwritten. If IMMUTABLE_WITH_EXCLUSION is specified, all tags within the repository will be immutable except for tags matching the filters specified in image_tag_exclusion_filters. |
| `repo_policy_path` | string |  | The path to the .json file containing the repository policy to be applied to a specified repository in AWS ECR. |
| `repo_scan_on_push` | boolean | true | Should the created repo be security scanned on push? |
| `repo_tag` | string |  | A list of strings in json format, containing tags for repository. Shorthand Syntax: [{"Key": "FirstTag", "Value": "FirstValue"}] |
| `set_repo_policy` | boolean | false | Should a repository policy be set? |
| `setup_remote_docker` | boolean | false | Setup and use CircleCI's remote Docker environment for Docker and docker-compose commands? Not required if using the default executor. |
| `skip_when_tags_exist` | boolean | false | Whether to skip image building if all specified tags already exist in ECR |
| `tag` | string | latest | A comma-separated string containing docker image tags to build and push (default = latest) |
| `use_credentials_helper` | boolean | true | When true the authentication to docker registry will be done using the ecr-credential-helper. This avoids having the password saved in plain text. Otherwise it will use the classic docker login command which is more compatible. |
| `workspace_root` | string | . | Workspace root path that is either an absolute path or a path relative to the working directory. Defaults to '.' (the working directory). |

### build_image

Build a Docker image with docker buildx. NOTE: Some commands may not work with AWS CLI Version 1.


| Parameter | Type | Default | Description |
|---|---|---|---|
| `account_id` | string | ${AWS_ACCOUNT_ID} | The 12 digit AWS Account ID associated with the ECR account. This field is required. |
| `aws_domain` | string | amazonaws.com | The AWS domain for your region, e.g. in China the AWS domain is amazonaws.com.cn. The default value is amazonaws.com. |
| `binfmt_version` | string | qemu-v7.0.0-28 | The version to use for the binfmt image. The binfmt image is used to emulate multiple architectures when building multiplatform images. Defaults to qemu-v7.0.0-28; change only if you know what you are doing. See https://hub.docker.com/r/tonistiigi/binfmt for details. |
| `build_path` | string | . | Path to the directory containing your build context. Defaults to . (working directory). |
| `dockerfile` | string | Dockerfile | Name of dockerfile to use. Defaults to Dockerfile. |
| `extra_build_args` | string |  | Extra flags to pass to docker build. This parameter accepts multi-line arguments. If your argument spans multiple lines, please use the Folded Block Style denoted by `>-` (e.g. extra_build_args: >-). For examples of available flags, see https://docs.docker.com/engine/reference/commandline/buildx_build |
| `lifecycle_policy_path` | string |  | The path to the .json file containing the lifecycle policy to be applied to a specified repository in AWS ECR. The docker buildx command uses a builder-context to build multi-architecture images simultaneously. In order for buildx builders to be saved with Docker Layer Caching, the builder must explicitly be named. Specify a builder name with this parameter. This parameter defaults to "default-builder" if none is provided. |
| `no_output_timeout` | string | 10m | The amount of time to allow the docker command to run before timing out. |
| `path` | string | . | Path to the directory containing your Dockerfile. Defaults to . (working directory). |
| `platform` | string | linux/amd64 | Platform targets for the docker image, multi arch images. Ex. linux/amd64,linux/arm64. |
| `profile_name` | string | default | AWS profile name to be configured. Only required when skip_when_tags_exist or ecr_login are set to true. |
| `public_registry` | boolean | false | Set to true if building and pushing an image to a Public Registry on ECR. |
| `public_registry_alias` | string | ${AWS_ECR_PUBLIC_REGISTRY_ALIAS} | The public registry alias for your public repositories. This parameter is required if pushing to a public repository. It can be found in the Amazon ECR console > Public Registries. |
| `push_image` | boolean | true | Set to false to build an image without pushing to repository.  Defaults to true. |
| `region` | string | ${AWS_DEFAULT_REGION} | AWS region of ECR repository. Defaults to environment variable ${AWS_DEFAULT_REGION}. |
| `repo` | string |  | Name of an Amazon ECR repository |
| `skip_when_tags_exist` | boolean | false | Whether to skip image building if all specified tags already exist in ECR |
| `tag` | string | latest | A comma-separated string containing docker image tags (default = latest) |

### create_repo

Create a new AWS ECR repository. NOTE: Some commands may not work with AWS CLI Version 1.


| Parameter | Type | Default | Description |
|---|---|---|---|
| `encryption_kms_key` | string |  | If you use the KMS encryption type, specify the KMS key to use for encryption. The alias, key ID, or full ARN of the KMS key can be specified. |
| `image_tag_exclusion_filters` | string |  | Comma-separated list of tag filters to exclude from the mutability setting (e.g., 'latest,dev-*'). Only used with IMMUTABLE_WITH_EXCLUSION. Each filter will be applied as a WILDCARD type filter. |
| `image_tag_mutability` | enum | MUTABLE | The tag mutability setting for the repository. If this parameter is omitted, the default setting of MUTABLE will be used which will allow image tags to be overwritten. If IMMUTABLE is specified, all image tags within the repository will be immutable which will prevent them from being overwritten. If IMMUTABLE_WITH_EXCLUSION is specified, all tags within the repository will be immutable except for tags matching the filters specified in image_tag_exclusion_filters. |
| `profile_name` | string | default | AWS profile name to be configured. |
| `public_registry` | boolean | false | Set to true if building and pushing an image to a Public Registry on ECR. |
| `region` | string | ${AWS_DEFAULT_REGION} | AWS region of ECR repository. Defaults to environment variable ${AWS_DEFAULT_REGION}. |
| `repo` | string |  | Name of an Amazon ECR repository |
| `repo_encryption_type` | enum | AES256 | The encryption type to use. |
| `repo_scan_on_push` | boolean | true | Should the created repo be security scanned on push? |
| `repo_tag` | string |  | A list of strings in json format, containing tags for repository. Shorthand Syntax: [{"Key": "FirstTag", "Value": "FirstValue"}] |

### ecr_login

Authenticate into the Amazon ECR service. This command requires jq. NOTE: Some commands may not work with AWS CLI Version 1.


| Parameter | Type | Default | Description |
|---|---|---|---|
| `account_id` | string | ${AWS_ACCOUNT_ID} | The 12 digit AWS id associated with the ECR account. This field is required. |
| `aws_domain` | string | amazonaws.com | AWS domain, China regions will require override. |
| `profile_name` | string | default | AWS profile name to be used for login. |
| `public_registry` | boolean | false | Set to true if building and pushing an image to a Public Registry on ECR. |
| `region` | string | ${AWS_DEFAULT_REGION} | AWS region of ECR repository. Defaults to environment variable ${AWS_DEFAULT_REGION}. |
| `use_credentials_helper` | boolean | true | When true the authentication to docker registry will be done using the ecr-credential-helper. This avoids having the password saved in plain text. Otherwise it will use the classic docker login command which is more compatible. If you are having issues with credentials helper login, set this to false. |

### push_image

Push a container image to the Amazon ECR registry. NOTE: Some commands may not work with AWS CLI Version 1.


| Parameter | Type | Default | Description |
|---|---|---|---|
| `account_id` | string | ${AWS_ACCOUNT_ID} | The 12 digit AWS Account ID associated with the ECR account. This field is required. |
| `aws_domain` | string | amazonaws.com | AWS domain, China regions will require override. |
| `public_registry` | boolean | false | Set to true if building and pushing an image to a Public Registry on ECR. |
| `public_registry_alias` | string | ${AWS_ECR_PUBLIC_REGISTRY_ALIAS} | The public registry alias for your public repositories. This parameter is required if pushing to a public repository. It can be found in the Amazon ECR console > Public Registries. |
| `region` | string | ${AWS_DEFAULT_REGION} | AWS region of ECR repository. Defaults to environment variable ${AWS_DEFAULT_REGION}. |
| `repo` | string |  | Name of an Amazon ECR repository |
| `tag` | string | latest | A comma-separated string containing docker image tags (default = latest) |

### set_repo_policy

Set a repository policy on an AWS ECR repository. NOTE: Some commands may not work with AWS CLI Version 1.


| Parameter | Type | Default | Description |
|---|---|---|---|
| `profile_name` | string | default | AWS profile name to be configured. |
| `public_registry` | boolean | false | Set to true if building and pushing an image to a Public Registry on ECR. |
| `region` | string | ${AWS_DEFAULT_REGION} | AWS region of ECR repository. Defaults to environment variable ${AWS_DEFAULT_REGION}. |
| `repo` | string |  | Name of an Amazon ECR repository |
| `repo_policy_path` | string |  | The path to the .json file containing the repository policy to be applied to a specified repository in AWS ECR. |

### tag_image

Add a tag to an existing published image. NOTE: Some commands may not work with AWS CLI Version 1.


| Parameter | Type | Default | Description |
|---|---|---|---|
| `account_id` | string |  | The 12 digit AWS Account ID associated with the ECR account. |
| `extra_args` | string |  | Extra flags to pass to AWS CLI. Pass the desired args using an equal sign (=) instead of a space. For example, --arg=ARG1, instead of --arg ARG1. |
| `profile_name` | string | default | AWS profile to use |
| `repo` | string |  | Name of an Amazon ECR repository |
| `skip_when_tags_exist` | boolean | false | Whether to skip tagging an image if any specified tags already exist |
| `source_tag` | string |  | An existing Docker image tag |
| `target_tag` | string | latest | A comma-separated string containing docker image tags (default = latest) |

### tag_repo

Add tag to an existing ECR repository


| Parameter | Type | Default | Description |
|---|---|---|---|
| `account_id` | string | ${AWS_ACCOUNT_ID} | The 12 digit AWS id associated with the ECR account. This field is required. |
| `profile_name` | string | default | AWS profile to use |
| `region` | string | ${AWS_DEFAULT_REGION} | AWS region of ECR repository. Defaults to environment variable ${AWS_DEFAULT_REGION}. |
| `repo` | string |  | Name of an Amazon ECR repository |
| `tag` | string |  | A list of strings in json format, containing tags for repository. Shorthand Syntax: [{"Key": "FirstTag", "Value": "FirstValue"}] |

## Jobs

### build_and_push_image

Log into Amazon ECR and push image to repository. Authentication with OIDC or static AWS keys using the aws-cli/setup command is required. NOTE: Some commands may not work with AWS CLI Version 1.


| Parameter | Type | Default | Description |
|---|---|---|---|
| `account_id` | string | ${AWS_ACCOUNT_ID} | The 12 digit AWS id associated with the ECR account. This field is required. |
| `attach_workspace` | boolean | false | Boolean for whether or not to attach to an existing workspace. Default is false. |
| `auth` | steps |  | The authentication method used to access your AWS account. Import the aws-cli orb in your config and provide the aws-cli/setup command to authenticate with your preferred method. View examples for more information. |
| `aws_domain` | string | amazonaws.com | The AWS domain for your region, e.g. in China the AWS domain is amazonaws.com.cn. The default value is amazonaws.com. |
| `binfmt_version` | string | qemu-v7.0.0-28 | The version to use for the binfmt image. The binfmt image is used to emulate multiple architectures when building multiplatform images. Defaults to qemu-v7.0.0-28; change only if you know what you are doing. See https://hub.docker.com/r/tonistiigi/binfmt for details. |
| `build_path` | string | . | Path to the directory containing your build context. Defaults to . (working directory). |
| `checkout` | boolean | true | Boolean for whether or not to checkout as a first step. Default is true. |
| `container_registry_login` | boolean | false | Enable login to different image container registries such as DockerHub, Heroku or GitHub. Defaults to false. |
| `create_repo` | boolean | false | Should the repo be created if it does not exist? |
| `dockerfile` | string | Dockerfile | Name of dockerfile to use. Defaults to Dockerfile. |
| `executor` | executor | default | Executor to use for this job. |
| `extra_build_args` | string |  | Extra flags to pass to docker build. This parameter accepts multi-line arguments. If your argument spans multiple lines, please use the Folded Block Style denoted by `>-` (e.g. extra_build_args: >-). For examples of available flags, see https://docs.docker.com/engine/reference/commandline/buildx_build |
| `lifecycle_policy_path` | string |  | The path to the .json file containing the lifecycle policy to be applied to a specified repository in AWS ECR. |
| `no_output_timeout` | string | 10m | The amount of time to allow the docker build command to run before timing out. Defaults to '10m'. |
| `path` | string | . | Path to the directory containing your Dockerfile. Defaults to . (working directory). |
| `platform` | string | linux/amd64 | Platform targets for the docker image, multi arch images. Ex. linux/amd64,linux/arm64 |
| `profile_name` | string | default | AWS profile name to be configured. |
| `public_registry` | boolean | false | Set to true if building and pushing an image to a Public Registry on ECR. |
| `public_registry_alias` | string | ${AWS_ECR_PUBLIC_REGISTRY_ALIAS} | The public registry alias for your public repositories. This parameter is required if pushing to a public repository. It can be found in the Amazon ECR console > Public Registries. |
| `push_image` | boolean | true | Set to false to build an image without pushing to repository.  Defaults to true. |
| `region` | string | ${AWS_DEFAULT_REGION} | AWS region of ECR repository. Defaults to environment variable ${AWS_DEFAULT_REGION}. |
| `registry_login` | steps | (two steps, not rendered) | Custom container registry login step, e.g. `docker login -u $DOCKER_ID -p $DOCKER_PASSWORD` |
| `remote_docker_layer_caching` | boolean | false | Enable Docker layer caching if using remote Docker engine. Requires setup_remote_docker to be set to true. Defaults to false. For more information, see https://circleci.com/docs/guides/optimize/docker-layer-caching/ |
| `remote_docker_version` | string |  | Specific remote docker version |
| `repo` | string |  | Name of an Amazon ECR repository |
| `repo_encryption_kms_key` | string |  | If you use the KMS encryption type, specify the KMS key to use for encryption. The alias, key ID, or full ARN of the KMS key can be specified. |
| `repo_encryption_type` | enum | AES256 | The encryption type to use. |
| `repo_image_tag_mutability` | enum | MUTABLE | The tag mutability setting for the repository. If this parameter is omitted, the default setting of MUTABLE will be used which will allow image tags to be overwritten. If IMMUTABLE is specified, all image tags within the repository will be immutable which will prevent them from being overwritten. |
| `repo_policy_path` | string |  | The path to the .json file containing the repository policy to be applied to a specified repository in AWS ECR. |
| `repo_scan_on_push` | boolean | true | Should the created repo be security scanned on push? |
| `repo_tag` | string |  | A list of strings in json format, containing tags for repository. Shorthand Syntax: [{"Key": "FirstTag", "Value": "FirstValue"}] |
| `set_repo_policy` | boolean | false | Should a repository policy be set? |
| `setup_remote_docker` | boolean | false | Setup and use CircleCI's remote Docker environment for Docker and docker-compose commands? Not required if using the default executor. |
| `skip_when_tags_exist` | boolean | false | Whether to skip image building if all specified tags already exist in ECR |
| `tag` | string | latest | A comma-separated string containing docker image tags to build and push (default = latest) |
| `use_credentials_helper` | boolean | true | When true the authentication to docker registry will be done using the ecr-credential-helper. This avoids having the password saved in plain text. Otherwise it will use the classic docker login command which is more compatible. |
| `workspace_root` | string | . | Workspace root path that is either an absolute path or a path relative to the working directory. Defaults to '.' (the working directory). |

## Executors

### default

CircleCI's Ubuntu-based machine executor VM: https://circleci.com/docs/2.0/executor-types/#using-machine


| Parameter | Type | Default | Description |
|---|---|---|---|
| `docker_layer_caching` | boolean | false |  |
| `image` | string | ubuntu-2204:current |  |
| `resource_class` | string | medium |  |

## Examples

### build_and_push_image_w_registry_login

In some cases, images built with the build_and_push_image job need to pull a custom Docker image from a container registry like DockerHub, Heroku or GitHub Container Registry. This requires users to log into these registries before the images can be built. This is an example of using the build_and_push_image job with a custom registry login step. NOTE: The container_registry_login parameter must be set to true. Registry usernames and passwords are stored as environment variables in CircleCI with this example.


```yaml
version: '2.1'
orbs:
  aws-cli: circleci/aws-cli@5.1
  aws-ecr: circleci/aws-ecr@9.0
workflows:
  build-and-push-image-with-container-registry-login:
    jobs:
      - aws-ecr/build_and_push_image:
          auth:
            - aws-cli/setup:
                role_arn: arn:aws:iam::123456789012
          container_registry_login: true
          dockerfile: Dockerfile
          path: .
          region: us-west-2
          registry_login:
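            # docker login with no server argument targets Docker Hub, so name the other registries
            - run: docker login registry.heroku.com -u ${HEROKU_USERNAME} -p ${HEROKU_API_KEY}
            - run: docker login ghcr.io -u ${GITHUB_USERNAME} -p ${GITHUB_TOKEN}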
            - run: docker login -u ${DOCKERHUB_ID} -p ${DOCKERHUB_PASSWORD}
          repo: my-sample-repo
          tag: sampleTag
```
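
The `use_credentials_helper` description above notes the value of not leaving a password in plain text; the same concern applies to the `registry_login` steps, where `-p` expands the secret onto the `docker` command line. The following is an added example, not part of the orb's documentation, showing the same job with `docker login --password-stdin`. The role name and workflow name are placeholders, and the environment variable names are reused from the example above.

```yaml
version: '2.1'
orbs:
  aws-cli: circleci/aws-cli@5.1
  aws-ecr: circleci/aws-ecr@9.0
workflows:
  build-and-push-image-with-stdin-registry-login:
    jobs:
      - aws-ecr/build_and_push_image:
          auth:
            - aws-cli/setup:
                # Placeholder role ARN (assumption); substitute your own role.
                role_arn: arn:aws:iam::123456789012:role/EXAMPLE_ECR_ROLE
          container_registry_login: true
          dockerfile: Dockerfile
          path: .
          region: us-west-2
          registry_login:
            # Weaker form: the secret becomes an argument of the docker process.
            #   - run: docker login -u ${DOCKERHUB_ID} -p ${DOCKERHUB_PASSWORD}
            # Hardened form: the secret is written to docker's stdin instead.
            - run:
                name: Log in to Docker Hub
                command: |
                  printf '%s' "${DOCKERHUB_PASSWORD}" \
                    | docker login -u "${DOCKERHUB_ID}" --password-stdin
            - run:
                name: Log in to GitHub Container Registry
                command: |
                  printf '%s' "${GITHUB_TOKEN}" \
                    | docker login ghcr.io -u "${GITHUB_USERNAME}" --password-stdin
          repo: my-sample-repo
          tag: sampleTag
```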

### build_test_then_push_image

This is an example of a job that builds a docker image with docker buildx. It tests the image before pushing it to the specified ECR repository. NOTE: The push_image parameter must be set to false. Only one platform can be specified and loaded into the local Docker Daemon. Loading multi-architecture images is not supported at this time.


```yaml
version: '2.1'
orbs:
  aws-cli: circleci/aws-cli@5.1
  aws-ecr: circleci/aws-ecr@9.0
jobs:
  build-test-then-push-with-buildx:
    machine:
      image: ubuntu-2204:current
    steps:
      - aws-ecr/build_and_push_image:
          attach_workspace: true
          auth:
            - aws-cli/setup:
                role_arn: arn:aws:iam::123456789012
          create_repo: true
          dockerfile: Dockerfile
          path: workspace
          platform: linux/amd64
          push_image: false
          region: us-west-2
          repo: my-sample-repo
          tag: sampleTag
          workspace_root: .
      - run:
          command: >
            set -x

            docker run 123456789012.dkr.ecr.us-west-2.amazonaws.com/my-sample-repo:sampleTag
            ping -V

            status=$(echo "$?")

            if [ "${status}" != "0" ]; then exit 1; else exit 0; fi

            set +x
          name: Tests for docker image
      # Literal values are used here and in the test step: this job declares no
      # parameters, so << parameters.* >> references would not resolve.
      - aws-ecr/push_image:
          region: us-west-2
          repo: my-sample-repo
          tag: sampleTag
workflows:
  build-image-test-image-push-image-with-buildx:
    jobs:
      - build-test-then-push-with-buildx:
          context: CircleCI_OIDC_Token
```

### remote_docker_caching

This example shows how to build and push an image using remote Docker and layer caching.


```yaml
version: '2.1'
orbs:
  aws-cli: circleci/aws-cli@5.1
  aws-ecr: circleci/aws-ecr@9.0
workflows:
  build-with-cache:
    jobs:
      - aws-ecr/build_and_push_image:
          auth:
            - aws-cli/setup
          docker:
            - image: cimg/python:3.10.4
          remote_docker_layer_caching: true
          repo: ${AWS_RESOURCE_NAME_PREFIX}
          setup_remote_docker: true
          tag: ${CIRCLE_SHA1},latest
```

### simple_build_and_push

Log into AWS, build and push image to Amazon ECR using OIDC for authentication. Import the aws-cli orb and authenticate using the aws-cli/setup command with a valid role-arn for OIDC authentication.


```yaml
version: '2.1'
orbs:
  aws-cli: circleci/aws-cli@5.1
  aws-ecr: circleci/aws-ecr@9.0
workflows:
  build_and_push_image:
    jobs:
      - aws-ecr/build_and_push_image:
          account_id: ${AWS_ACCOUNT_ID}
          auth:
            - aws-cli/setup:
                profile_name: OIDC-USER
                role_arn: arn:aws:iam::123456789012:role/VALID_OIDC_ECR_ROLE
          context: CircleCI_OIDC_Token
          create_repo: true
          dockerfile: myDockerfile
          executor: base
          extra_build_args: '--compress'
          no_output_timeout: 20m
          path: pathToMyDockerfile
          platform: linux/amd64
          # Must match the profile_name given to aws-cli/setup above
          profile_name: OIDC-USER
          public_registry: false
          push_image: true
          region: ${AWS_DEFAULT_REGION}
          repo: myECRRepository
          repo_encryption_kms_key: arn:aws:kms::123456789012:key/UUID4_OF_KMS_KEY_ID
          repo_encryption_type: KMS
          repo_policy_path: repo-policy.json
          repo_scan_on_push: true
          set_repo_policy: true
          skip_when_tags_exist: false
          tag: latest,myECRRepoTag
```
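
The `repo_image_tag_mutability`, `repo_scan_on_push`, `repo_encryption_type` and `skip_when_tags_exist` parameters documented for the build_and_push_image job can be combined so that a pushed tag cannot later be overwritten. The following is an added example, not part of the orb's documentation; the role ARN, KMS alias, repository name and workflow name are placeholders.

```yaml
version: '2.1'
orbs:
  aws-cli: circleci/aws-cli@5.1
  aws-ecr: circleci/aws-ecr@9.0
workflows:
  build-and-push-immutable-tags:
    jobs:
      - aws-ecr/build_and_push_image:
          auth:
            - aws-cli/setup:
                # Placeholder role ARN (assumption); substitute your own role.
                role_arn: arn:aws:iam::123456789012:role/EXAMPLE_OIDC_ECR_ROLE
          context: CircleCI_OIDC_Token
          region: ${AWS_DEFAULT_REGION}
          repo: my-sample-repo
          create_repo: true
          # Default (weaker) setting: an existing tag can be overwritten.
          #   repo_image_tag_mutability: MUTABLE
          # Hardened setting: a tag, once pushed, keeps pointing at the same image.
          repo_image_tag_mutability: IMMUTABLE
          repo_scan_on_push: true
          repo_encryption_type: KMS
          # Placeholder key alias (assumption); alias, key ID or full ARN are accepted.
          repo_encryption_kms_key: alias/example-ecr-key
          # With IMMUTABLE, a moving tag such as "latest" is rejected on the
          # second push, so tag each image with the commit SHA only.
          tag: ${CIRCLE_SHA1}
          # A re-run of the same commit finds its tag already present and skips
          # the build instead of failing on the immutable tag.
          skip_when_tags_exist: true
          use_credentials_helper: true
```

The `repo_*` settings describe the repository that the job creates, so they matter when `create_repo` is true.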