ECR / Client / get_authorization_token



Retrieves an authorization token. An authorization token represents your IAM authentication credentials and can be used to access any Amazon ECR registry that your IAM principal has access to. The authorization token is valid for 12 hours.

The authorizationToken returned is a base64 encoded string that can be decoded and used in a docker login command to authenticate to a registry. The CLI offers an get-login-password command that simplifies the login process. For more information, see Registry authentication in the Amazon Elastic Container Registry User Guide.

See also: AWS API Documentation

Request Syntax

response = client.get_authorization_token(

registryIds (list) –

A list of Amazon Web Services account IDs that are associated with the registries for which to get AuthorizationData objects. If you do not specify a registry, the default registry is assumed.

  • (string) –

Return type:



Response Syntax

    'authorizationData': [
            'authorizationToken': 'string',
            'expiresAt': datetime(2015, 1, 1),
            'proxyEndpoint': 'string'

Response Structure

  • (dict) –

    • authorizationData (list) –

      A list of authorization token data objects that correspond to the registryIds values in the request.

      • (dict) –

        An object representing authorization data for an Amazon ECR registry.

        • authorizationToken (string) –

          A base64-encoded string that contains authorization data for the specified Amazon ECR registry. When the string is decoded, it is presented in the format user:password for private registry authentication using docker login.

        • expiresAt (datetime) –

          The Unix time in seconds and milliseconds when the authorization token expires. Authorization tokens are valid for 12 hours.

        • proxyEndpoint (string) –

          The registry URL to use for this authorization token in a docker login command. The Amazon ECR registry URL format is For example,