Right, so you’ve built a container image. It’s a beautiful, perfect little snowflake of an application, and you want to share it with the world. Or maybe just your friend Dave. You could push it to Docker Hub, but then you’re managing yet another account, another set of credentials, and you’re subject to their rate limits. Or, you could use the registry you’re already using for your private stuff—Amazon ECR—but make it public. Enter the ECR Public Gallery, AWS’s answer to the public container registry space.

Here’s the beautiful part: you don’t need to be authenticated to pull from it. Anyone, anywhere, with a docker pull command can grab your image. This is fantastic for open-source projects, public tools, or that silly side project where you containerized a script that generates pictures of cats wearing hats. The magic that makes this work is an AWS-managed public repository that sits alongside the standard private ones, and it handles all the anonymous pull traffic for you, no IAM roles or secret keys required.

The Almighty URI and The public Keyword

This is the first “gotcha” and it’s a big one. The URI for your public repository is completely different from your private one. You don’t just flip a public switch on your existing repo. Private ECR lives under a domain like 123456789012.dkr.ecr.us-east-1.amazonaws.com/my-app. Public ECR, however, lives in its own special neighborhood:

public.ecr.aws/your-namespace/your-repo

Notice two key changes:

  1. The domain is public.ecr.aws, not your account-specific endpoint.
  2. There’s a your-namespace segment. This is a globally unique name you choose, often your organization or project name (e.g., aws, hashicorp, my-cool-project). You can’t just use any name; you have to claim it first in the ECR Public console.

Trying to push a public image to your private ECR URI (or vice versa) is a classic facepalm moment that will result in an authentication error or a “repository not found” message. I’ve done it. You’ll do it. We all do it. Just remember: public.ecr.aws is the address for the party.

Pushing to a Public Repository: A Practical Guide

Let’s say you want to publish an image for hat-cat-generator. First, you need to create the public repository and claim your namespace. You do this in the ECR Public console, not the regular ECR console. Once that’s done, you can push to it. The process is almost identical to private ECR, but with a crucial first step: you must authenticate your Docker client to the public registry separately.

The get-login-password command for public ECR uses a different registry ID (aws). This tells the auth system you’re talking to the public gallery.

# Authenticate Docker to the ECR Public registry
aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws

# Build and tag your image. NOTE THE URI!
docker build -t hat-cat-generator:latest .
docker tag hat-cat-generator:latest public.ecr.aws/your-namespace/hat-cat-generator:latest

# Push it live
docker push public.ecr.aws/your-namespace/hat-cat-generator:latest

Why is the region hard-coded to us-east-1? It’s a bit absurd, I know. The ECR Public backend infrastructure is global, but the API endpoint you call to authenticate just happens to be hosted only in us-east-1. It’s one of those AWS quirks you learn to accept. Just always use --region us-east-1 with ecr-public commands and you’ll be fine.
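As an added example, not part of the original post, here is a small Python pre-push guard for the URI gotcha above: it classifies an image reference as ECR Public or private ECR from its host, returns the registry you need to log in to (public.ecr.aws, or your account endpoint), and refuses a push whose tag points at the wrong kind of registry. The classify and check_push names are my own, and the account ID, region and namespace values are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Image reference patterns for the two ECR flavours discussed in the post.
# Private: <12-digit account>.dkr.ecr.<region>.amazonaws.com/<repo>[:tag]
# Public:  public.ecr.aws/<namespace>/<repo>[:tag]
_PRIVATE_ECR = re.compile(
    r"^(?P<account>\d{12})\.dkr\.ecr\.(?P<region>[a-z0-9-]+)\.amazonaws\.com/"
    r"(?P<repo>[a-z0-9._/-]+)(?::(?P<tag>[\w.-]+))?$"
)
_PUBLIC_ECR = re.compile(
    r"^public\.ecr\.aws/(?P<namespace>[a-z0-9._-]+)/"
    r"(?P<repo>[a-z0-9._/-]+)(?::(?P<tag>[\w.-]+))?$"
)


@dataclass
class EcrRef:
    kind: str                      # "public", "private" or "other"
    repo: Optional[str] = None
    tag: Optional[str] = None
    namespace: Optional[str] = None  # public only
    account: Optional[str] = None    # private only
    region: Optional[str] = None     # private only


def classify(ref: str) -> EcrRef:
    """Work out which registry an image reference targets."""
    m = _PUBLIC_ECR.match(ref)
    if m:
        return EcrRef("public", m["repo"], m["tag"], namespace=m["namespace"])
    m = _PRIVATE_ECR.match(ref)
    if m:
        return EcrRef("private", m["repo"], m["tag"],
                      account=m["account"], region=m["region"])
    return EcrRef("other")  # Docker Hub, GHCR, a local tag, etc.


def check_push(ref: str, intended: str) -> str:
    """Return the registry host to 'docker login' to, or raise on a mismatch.

    intended is "public" or "private"; a public-tagged image headed for a
    private push (or vice versa) is exactly the facepalm the post describes.
    """
    parsed = classify(ref)
    if parsed.kind != intended:
        raise ValueError(f"{ref!r} targets a {parsed.kind} registry, "
                         f"but the push intent is {intended!r}")
    if parsed.kind == "public":
        return "public.ecr.aws"   # login via: aws ecr-public get-login-password --region us-east-1
    return ref.split("/", 1)[0]   # login via: aws ecr get-login-password --region <region>
```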

Pulling: The Beautiful, Anonymous Part

This is the payoff. Anyone can now pull your image without any AWS credentials whatsoever. The whole point.

# Anyone, on any machine, anywhere can just run:
docker pull public.ecr.aws/your-namespace/hat-cat-generator:latest

No aws configure, no IAM roles, no secrets. It just works. This is why it’s a fantastic tool for public distribution.

The Fine Print: Costs and Limitations

Nothing this convenient is completely free, and AWS’s designers put some… interesting choices in here.

  1. Pricing: Pulling from ECR Public is free for the first 500 GB/month. After that, it’s competitively priced. The real cost is in pushing and storing. Storing a public image costs $0.09 per GB-month in us-east-1, and data transfer out (the pulls) is billed on a tiered basis. This is often more expensive than Docker Hub’s free tier for personal accounts. You’re paying for the deep integration with the AWS ecosystem and the reliability.
  2. The “Always On” ACL: When you create a public repository, its permissions are set to allow all anonymous pull traffic. You can’t make a public repository private later. You can only delete it. Think carefully before you push.
  3. Rate Limiting: Anonymous pulls are subject to throttling. It’s fairly generous, but if you’re expecting your image to be pulled thousands of times per minute, you might hit limits. For most use cases, it’s a non-issue.
  4. Replication Limitation: This is the big one. While private ECR can replicate images across regions for resilience and performance, public repositories are only stored in a single region. You choose this region during setup (us-east-1 is the default and usually the right choice). All that global pull traffic is served from that one region. It’s a potential single point of failure and can add latency for users on the other side of the planet. It’s a trade-off for simplicity of management.

So, should you use it? If you’re all-in on AWS and value having your public and private registry management in one place (the AWS console), it’s a brilliant tool. If you’re purely cost-driven for a low-traffic project, Docker Hub might still win. But for a robust, AWS-native solution that “just works” without forcing your users to authenticate, ECR Public is an incredibly powerful option. Just watch that URI. Seriously.