I would like to be able to delete an ECR image tag but without deleting the underlying image itself. The use case is a temporary tag that was used just to push an image, which was then referenced as part of a manifest list, and needs to be subsequently deleted.
I found Remove tag from image however in this case that doesn't help. The batch-delete-image operation sometimes just deletes a tag (if the image has multiple tags), or tries to delete the image itself if it only has that one tag.
If that image is referenced as part of a manifest list then the operation fails:
$ aws ecr-public batch-delete-image --region=$REGION --repository-name $REPO --image-ids imageTag=TEMP
2{
3 "imageIds": [],
4 "failures": [
5 {
6 "imageId": {
7 "imageTag": "TEMP"
8 },
9 "failureCode": "ImageReferencedByManifestList",
10 "failureReason": "Requested image referenced by manifest list: [sha256:f0446c2685b48eedefa1a90085c513ddae548226b087fa3a7ced8f94cf4aff70]"
11 }
12 ]
13}
After contacting Amazon support I was told that the only workaround for this limitation is to push some random image to the temporary tag (I used busybox), and then use the batch-delete-image operation to delete the tag, like this:
$ docker pull busybox
$ docker tag busybox public.ecr.aws/$REPO:TEMP
$ docker push public.ecr.aws/$REPO:TEMP
$ aws ecr-public batch-delete-image --region=$REGION --repository-name $REPO --image-ids imageTag=TEMP
I can't help but think that this situation reveals a design flaw in ECR though, since the manifest list reference is all that is needed to keep the image alive in the registry. ECR seems to treat tags as a property of an image rather than as a standalone pointer to an image.
EDIT: I filed an issue for this: https://github.com/aws/containers-roadmap/issues/1567