2025/11/21 - Amazon Elastic Container Registry - 4 new api methods
Changes Add support for ECR managed signing
Returns the signing status for a specified image. If the image matched signing rules that reference different signing profiles, a status is returned for each profile.
For more information, see Managed signing in the Amazon Elastic Container Registry User Guide.
See also: AWS API Documentation
Request Syntax
client.describe_image_signing_status(
repositoryName='string',
imageId={
'imageDigest': 'string',
'imageTag': 'string'
},
registryId='string'
)
string
[REQUIRED]
The name of the repository that contains the image.
dict
[REQUIRED]
An object containing identifying information for an image.
imageDigest (string) --
The sha256 digest of the image manifest.
imageTag (string) --
The tag used for the image.
string
The Amazon Web Services account ID associated with the registry that contains the repository. If you do not specify a registry, the default registry is assumed.
dict
Response Syntax
{
'repositoryName': 'string',
'imageId': {
'imageDigest': 'string',
'imageTag': 'string'
},
'registryId': 'string',
'signingStatuses': [
{
'signingProfileArn': 'string',
'failureCode': 'string',
'failureReason': 'string',
'status': 'IN_PROGRESS'|'COMPLETE'|'FAILED'
},
]
}
Response Structure
(dict) --
repositoryName (string) --
The name of the repository.
imageId (dict) --
An object with identifying information for the image.
imageDigest (string) --
The sha256 digest of the image manifest.
imageTag (string) --
The tag used for the image.
registryId (string) --
The Amazon Web Services account ID associated with the registry.
signingStatuses (list) --
A list of signing statuses for the specified image. Each status corresponds to a signing profile.
(dict) --
The signing status for an image. Each status corresponds to a signing profile.
signingProfileArn (string) --
The ARN of the Amazon Web Services Signer signing profile used to sign the image.
failureCode (string) --
The failure code, which is only present if status is FAILED.
failureReason (string) --
A description of why signing the image failed. This field is only present if status is FAILED.
status (string) --
The image's signing status. Possible values are:
IN_PROGRESS - Signing is currently in progress.
COMPLETE - The signature was successfully generated.
FAILED - Signing failed. See failureCode and failureReason for details.
Retrieves the registry's signing configuration, which defines rules for automatically signing images using Amazon Web Services Signer.
For more information, see Managed signing in the Amazon Elastic Container Registry User Guide.
See also: AWS API Documentation
Request Syntax
client.get_signing_configuration()
dict
Response Syntax
{
'registryId': 'string',
'signingConfiguration': {
'rules': [
{
'signingProfileArn': 'string',
'repositoryFilters': [
{
'filter': 'string',
'filterType': 'WILDCARD_MATCH'
},
]
},
]
}
}
Response Structure
(dict) --
registryId (string) --
The Amazon Web Services account ID associated with the registry.
signingConfiguration (dict) --
The registry's signing configuration.
rules (list) --
A list of signing rules. Each rule defines a signing profile and optional repository filters that determine which images are automatically signed. Maximum of 10 rules.
(dict) --
A signing rule that specifies a signing profile and optional repository filters. When an image is pushed to a matching repository, a signing job is created using the specified profile.
signingProfileArn (string) --
The ARN of the Amazon Web Services Signer signing profile to use for signing images that match this rule. For more information about signing profiles, see Signing profiles in the Amazon Web Services Signer Developer Guide.
repositoryFilters (list) --
A list of repository filters that determine which repositories have their images signed on push. If no filters are specified, all images pushed to the registry are signed using the rule's signing profile. Maximum of 100 filters per rule.
(dict) --
A repository filter used to determine which repositories have their images automatically signed on push. Each filter consists of a filter type and filter value.
filter (string) --
The filter value used to match repository names. When using WILDCARD_MATCH, the * character matches any sequence of characters.
Examples:
myapp/* - Matches all repositories starting with myapp/
*/production - Matches all repositories ending with /production
*prod* - Matches all repositories containing prod
filterType (string) --
The type of filter to apply. Currently, only WILDCARD_MATCH is supported, which uses wildcard patterns to match repository names.
Deletes the registry's signing configuration. Images pushed after deletion of the signing configuration will no longer be automatically signed.
For more information, see Managed signing in the Amazon Elastic Container Registry User Guide.
See also: AWS API Documentation
Request Syntax
client.delete_signing_configuration()
dict
Response Syntax
{
'registryId': 'string',
'signingConfiguration': {
'rules': [
{
'signingProfileArn': 'string',
'repositoryFilters': [
{
'filter': 'string',
'filterType': 'WILDCARD_MATCH'
},
]
},
]
}
}
Response Structure
(dict) --
registryId (string) --
The Amazon Web Services account ID associated with the registry.
signingConfiguration (dict) --
The registry's deleted signing configuration.
rules (list) --
A list of signing rules. Each rule defines a signing profile and optional repository filters that determine which images are automatically signed. Maximum of 10 rules.
(dict) --
A signing rule that specifies a signing profile and optional repository filters. When an image is pushed to a matching repository, a signing job is created using the specified profile.
signingProfileArn (string) --
The ARN of the Amazon Web Services Signer signing profile to use for signing images that match this rule. For more information about signing profiles, see Signing profiles in the Amazon Web Services Signer Developer Guide.
repositoryFilters (list) --
A list of repository filters that determine which repositories have their images signed on push. If no filters are specified, all images pushed to the registry are signed using the rule's signing profile. Maximum of 100 filters per rule.
(dict) --
A repository filter used to determine which repositories have their images automatically signed on push. Each filter consists of a filter type and filter value.
filter (string) --
The filter value used to match repository names. When using WILDCARD_MATCH, the * character matches any sequence of characters.
Examples:
myapp/* - Matches all repositories starting with myapp/
*/production - Matches all repositories ending with /production
*prod* - Matches all repositories containing prod
filterType (string) --
The type of filter to apply. Currently, only WILDCARD_MATCH is supported, which uses wildcard patterns to match repository names.
Creates or updates the registry's signing configuration, which defines rules for automatically signing images with Amazon Web Services Signer.
For more information, see Managed signing in the Amazon Elastic Container Registry User Guide.
See also: AWS API Documentation
Request Syntax
client.put_signing_configuration(
signingConfiguration={
'rules': [
{
'signingProfileArn': 'string',
'repositoryFilters': [
{
'filter': 'string',
'filterType': 'WILDCARD_MATCH'
},
]
},
]
}
)
dict
[REQUIRED]
The signing configuration to assign to the registry.
rules (list) -- [REQUIRED]
A list of signing rules. Each rule defines a signing profile and optional repository filters that determine which images are automatically signed. Maximum of 10 rules.
(dict) --
A signing rule that specifies a signing profile and optional repository filters. When an image is pushed to a matching repository, a signing job is created using the specified profile.
signingProfileArn (string) -- [REQUIRED]
The ARN of the Amazon Web Services Signer signing profile to use for signing images that match this rule. For more information about signing profiles, see Signing profiles in the Amazon Web Services Signer Developer Guide.
repositoryFilters (list) --
A list of repository filters that determine which repositories have their images signed on push. If no filters are specified, all images pushed to the registry are signed using the rule's signing profile. Maximum of 100 filters per rule.
(dict) --
A repository filter used to determine which repositories have their images automatically signed on push. Each filter consists of a filter type and filter value.
filter (string) -- [REQUIRED]
The filter value used to match repository names. When using WILDCARD_MATCH, the * character matches any sequence of characters.
Examples:
myapp/* - Matches all repositories starting with myapp/
*/production - Matches all repositories ending with /production
*prod* - Matches all repositories containing prod
filterType (string) -- [REQUIRED]
The type of filter to apply. Currently, only WILDCARD_MATCH is supported, which uses wildcard patterns to match repository names.
dict
Response Syntax
{
'signingConfiguration': {
'rules': [
{
'signingProfileArn': 'string',
'repositoryFilters': [
{
'filter': 'string',
'filterType': 'WILDCARD_MATCH'
},
]
},
]
}
}
Response Structure
(dict) --
signingConfiguration (dict) --
The registry's updated signing configuration.
rules (list) --
A list of signing rules. Each rule defines a signing profile and optional repository filters that determine which images are automatically signed. Maximum of 10 rules.
(dict) --
A signing rule that specifies a signing profile and optional repository filters. When an image is pushed to a matching repository, a signing job is created using the specified profile.
signingProfileArn (string) --
The ARN of the Amazon Web Services Signer signing profile to use for signing images that match this rule. For more information about signing profiles, see Signing profiles in the Amazon Web Services Signer Developer Guide.
repositoryFilters (list) --
A list of repository filters that determine which repositories have their images signed on push. If no filters are specified, all images pushed to the registry are signed using the rule's signing profile. Maximum of 100 filters per rule.
(dict) --
A repository filter used to determine which repositories have their images automatically signed on push. Each filter consists of a filter type and filter value.
filter (string) --
The filter value used to match repository names. When using WILDCARD_MATCH, the * character matches any sequence of characters.
Examples:
myapp/* - Matches all repositories starting with myapp/
*/production - Matches all repositories ending with /production
*prod* - Matches all repositories containing prod
filterType (string) --
The type of filter to apply. Currently, only WILDCARD_MATCH is supported, which uses wildcard patterns to match repository names.