diff --git a/README.md b/README.md
index f336749..7964925 100644
--- a/README.md
+++ b/README.md
@@ -30,6 +30,7 @@ Truefoundry AWS Control Plane Module
 |------|------|
 | [aws_db_instance.truefoundry_db](https://registry.terraform.io/providers/hashicorp/aws/5.44.0/docs/resources/db_instance) | resource |
 | [aws_db_subnet_group.rds](https://registry.terraform.io/providers/hashicorp/aws/5.44.0/docs/resources/db_subnet_group) | resource |
+| [aws_iam_policy.svcfoundry_access_to_ecr](https://registry.terraform.io/providers/hashicorp/aws/5.44.0/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.svcfoundry_access_to_multitenant_ssm](https://registry.terraform.io/providers/hashicorp/aws/5.44.0/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.svcfoundry_access_to_ssm](https://registry.terraform.io/providers/hashicorp/aws/5.44.0/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.truefoundry_assume_role_all](https://registry.terraform.io/providers/hashicorp/aws/5.44.0/docs/resources/iam_policy) | resource |
@@ -41,7 +42,7 @@ Truefoundry AWS Control Plane Module
 | [aws_security_group.rds](https://registry.terraform.io/providers/hashicorp/aws/5.44.0/docs/resources/security_group) | resource |
 | [aws_security_group.rds-public](https://registry.terraform.io/providers/hashicorp/aws/5.44.0/docs/resources/security_group) | resource |
 | [random_password.truefoundry_db_password](https://registry.terraform.io/providers/hashicorp/random/3.5.1/docs/resources/password) | resource |
-| [aws_iam_policy.servicefoundry_ecr_policy](https://registry.terraform.io/providers/hashicorp/aws/5.44.0/docs/data-sources/iam_policy) | data source |
+| [aws_iam_policy_document.svcfoundry_access_to_ecr](https://registry.terraform.io/providers/hashicorp/aws/5.44.0/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.svcfoundry_access_to_multitenant_ssm](https://registry.terraform.io/providers/hashicorp/aws/5.44.0/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.svcfoundry_access_to_ssm](https://registry.terraform.io/providers/hashicorp/aws/5.44.0/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.truefoundry_assume_role_all](https://registry.terraform.io/providers/hashicorp/aws/5.44.0/docs/data-sources/iam_policy_document) | data source |
diff --git a/iam-ecr.tf b/iam-ecr.tf
new file mode 100644
index 0000000..6f8b30b
--- /dev/null
+++ b/iam-ecr.tf
@@ -0,0 +1,48 @@
+data "aws_iam_policy_document" "svcfoundry_access_to_ecr" {
+ statement {
+ effect = "Allow"
+ actions = [
+ "ecr:GetRegistryPolicy",
+ "ecr:DescribeImageScanFindings",
+ "ecr:GetLifecyclePolicyPreview",
+ "ecr:CreateRepository",
+ "ecr:GetDownloadUrlForLayer",
+ "ecr:DescribeImageReplicationStatus",
+ "ecr:ListTagsForResource",
+ "ecr:BatchGetRepositoryScanningConfiguration",
+ "ecr:GetRegistryScanningConfiguration",
+ "ecr:PutImage",
+ "ecr:BatchGetImage",
+ "ecr:DescribeRepositories",
+ "ecr:BatchCheckLayerAvailability",
+ "ecr:GetRepositoryPolicy",
+ "ecr:GetLifecyclePolicy",
+ "ecr:ListImages",
+ "ecr:InitiateLayerUpload",
+ "ecr:CompleteLayerUpload",
+ "ecr:DescribeImages",
+ "ecr:DeleteRepository",
+ "ecr:UploadLayerPart",
+ ]
+
+ resources = [
+ "arn:aws:ecr:${var.aws_region}:${var.aws_account_id}:repository/tfy-*"
+ ]
+ }
+ statement {
+ effect = "Allow"
+ actions = [
+ "ecr:DescribeRegistry",
+ "ecr:GetAuthorizationToken",
+ "sts:GetServiceBearerToken"
+ ]
+ resources = ["*"]
+ }
+}
+
+resource "aws_iam_policy" "svcfoundry_access_to_ecr" {
+ name_prefix = "${local.svcfoundry_unique_name}-access-to-ecr"
+ description = "ECR access for ${var.svcfoundry_name} on ${var.cluster_name}"
+ policy = data.aws_iam_policy_document.svcfoundry_access_to_ecr.json
+ tags = local.tags
+}
\ No newline at end of file
diff --git a/iam-sa.tf b/iam-sa.tf
index 3d1e278..dadb7ce 100644
--- a/iam-sa.tf
+++ b/iam-sa.tf
@@ -1,9 +1,5 @@
 # From https://github.com/terraform-aws-modules/terraform-aws-eks/blob/master/examples/irsa/irsa.tf
-data "aws_iam_policy" "servicefoundry_ecr_policy" {
- name = "AmazonEC2ContainerRegistryFullAccess"
-}
-
 module "truefoundry_oidc_iam" {
 source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
 version = "5.39.0"
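Review bot: The second statement of `data.aws_iam_policy_document.svcfoundry_access_to_ecr` grants `sts:GetServiceBearerToken` on `*`, which does not appear to be needed for ECR login (`ecr:GetAuthorizationToken` on `*` is what the registry login flow requires); unless something else attached to this role depends on it, drop the line `"sts:GetServiceBearerToken"` so the wildcard statement stays limited to registry description and token issuance. In the first statement, `ecr:CreateRepository` and `ecr:DeleteRepository` on `repository/tfy-*` make this more than a push/pull policy, so add a comment above that statement, `# The control plane creates and removes tfy-* repositories itself; DeleteRepository is intentional`, to record that the destructive action is a deliberate choice rather than a carry-over from the managed full-access policy it replaces. The `arn:aws:` partition is hard-coded in the repository ARN, which will not match in other AWS partitions if the module is ever used there. The new file also ends without a trailing newline (`\ No newline at end of file`), which is worth fixing before merge.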
@@ -21,7 +17,7 @@ module "truefoundry_oidc_iam" {
 aws_iam_policy.svcfoundry_access_to_ssm.arn,
 aws_iam_policy.svcfoundry_access_to_multitenant_ssm.arn,
 aws_iam_policy.truefoundry_assume_role_all.arn,
- data.aws_iam_policy.servicefoundry_ecr_policy.arn,
+ aws_iam_policy.svcfoundry_access_to_ecr.arn,
 aws_iam_policy.truefoundry_db_iam_auth_policy.arn,
 ]
 tags = local.tags
diff --git a/variables.tf b/variables.tf
index e58b7ca..d9e0866 100644
--- a/variables.tf
+++ b/variables.tf
@@ -248,7 +248,7 @@ variable "mlfoundry_k8s_namespace" {
 }
 ##################################################################################
-## Servicefoundry
+## Servicefoundry service account
 ##################################################################################
 variable "svcfoundry_name" {
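Review bot: Swapping the managed `AmazonEC2ContainerRegistryFullAccess` attachment for `aws_iam_policy.svcfoundry_access_to_ecr.arn` narrows the role to repositories named `tfy-*` in the account and region given by `var.aws_account_id` and `var.aws_region`, so an existing deployment that pushes to repositories outside that prefix or region would lose access on the next apply; the tightening is the right direction, but it is a behavioural change the commit does not call out. Add a comment next to the changed line, `# scoped to tfy-* repositories only; see iam-ecr.tf`, and note the tightening in the module's release notes so operators can check their repository names before upgrading. The enclosing `module "truefoundry_oidc_iam"` block starts and ends outside the hunk.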