无法访问另一个帐户中存在的 ECR 存储库

Question

我正在尝试访问跨账户 ecr 存储库。在 ECR repo(in account1) 权限中我已经设置了这个

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "new statement",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::account2:role/sagemaker-20210223074454252300000002"
        ]
      },
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchDeleteImage",
        "ecr:BatchGetImage",
        "ecr:CompleteLayerUpload",
        "ecr:DescribeImages",
        "ecr:DescribeRepositories",
        "ecr:GetDownloadUrlForLayer",
        "ecr:GetRepositoryPolicy",
        "ecr:InitiateLayerUpload",
        "ecr:ListImages",
        "ecr:PutImage",
        "ecr:UploadLayerPart"
      ]
    }
  ]
}

然后在 account2 中创建了一个 IAM 角色 arn:aws:iam::account2:role/sagemaker-20210223074454252300000002。

data "aws_iam_policy_document" "sagemaker" {
  statement {
    effect = "Allow"
    actions = [
      "ecr:*"
    ]
    resources = [
      "*",
    ]
  }
}

但是，我仍然无法访问 ecr。收到我没有访问权限的错误消息