what iam policies are requried to run ecr commands on ec2 instance that has assumed a role?
AmazonEC2ContainerRegistryFullAccess
applies only to private ECR. You are trying to use ecr-public
. This means you have to create your own policy which allows ecr-public:CreateRepository
(not ecr:CreateRepository
).