Lightsail push error – image tag already exists and is immutable

The error you're encountering is due to the immutable tag setting in your Lightsail container service. This setting prevents overwriting existing image tags, which is a security feature to ensure version consistency and prevent potential attacks.

To resolve this issue and successfully push new images, you can try the following approaches:

1. Use unique tags: Instead of using a static tag, consider using unique tags for each new image version. You could incorporate a timestamp, build number, or git commit hash into your tag. For example:

   aws lightsail push-container-image
   --service-name grati
   --label client-01-$(date +%Y%m%d%H%M%S)
   --image grati/client

2. Update your workflow: Ensure that you're using a new, unique label each time you push an image. The label is part of the image name generated by Lightsail, so using a new label will create a new image rather than trying to overwrite an existing one.

3. Delete old images: If you're running into storage limits, you may need to delete old, unused images before pushing new ones. However, be cautious not to delete images that are currently in use by your deployments.

4. Review your container service settings: Check if there's an option to change the tag mutability setting for your Lightsail container service. However, keeping tags immutable is generally recommended for security reasons.

Remember, using immutable tags is a best practice in container management. It ensures that each image version remains distinct and prevents accidental or malicious overwriting of existing images. By adapting your workflow to use unique labels or tags for each push, you can maintain this security feature while still updating your images as needed.
Sources
Push, view, and delete container images for a Lightsail container service - Amazon Lightsail
Task and container security - Amazon Elastic Container Service

Thank you, but despite using a unique label with a timestamp: aws lightsail push-container-image
--service-name grati
--label client-$(date +%Y%m%d%H%M%S)
--image grati/client

I still encountered the same error: error from registry: The image tag '[...]' already exists in the 'sr' repository and cannot be overwritten because the tag is immutable.

It seems that even with a unique label it doesn't work. I’d appreciate any guidance on how to proceed!

Hello.

I wasn't able to reproduce the error in my AWS account, but how about changing the container image tag as shown below before pushing?

docker tag grati/client:latest grati/client:2

Hi Riku,

Thank you for the suggestion. I tried it, but unfortunately, I'm still encountering the same error