diff --git a/terragrunt/modules/ci-runners/gh_oidc.tf b/terragrunt/modules/ci-runners/gh_oidc.tf
index f33083c9..a6ff2905 100644
--- a/terragrunt/modules/ci-runners/gh_oidc.tf
+++ b/terragrunt/modules/ci-runners/gh_oidc.tf
@@ -35,3 +35,23 @@ resource "aws_iam_role" "github_actions_ci_role" {
     ]
   })
 }
+
+# Allow GitHub Actions to authenticate to AWS ECR Public Gallery
+resource "aws_iam_role_policy" "github_actions_ecr_policy" {
+  name = "ecr-auth-policy"
+  role = aws_iam_role.github_actions_ci_role.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = [
+          "ecr-public:GetAuthorizationToken",
+          "sts:GetServiceBearerToken"
+        ]
+        Resource = "*"
+      }
+    ]
+  })
+}
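Review bot: The `sts:GetServiceBearerToken` grant in the new statement is unconditioned, so the CI role can mint bearer tokens for any service that issues them (CodeArtifact included), not only ECR Public; neither action supports resource-level ARNs so `Resource = "*"` is unavoidable, but the statement should be narrowed with the `sts:AWSServiceName` condition key, e.g. `Condition = { StringEquals = { "sts:AWSServiceName" = "ecr-public.amazonaws.com" } }` — confirm the exact service-principal value ECR Public uses before merging, since I am inferring it from the CodeArtifact pattern. The comment should also say what the policy does and does not cover, since readers may assume it grants registry access: `# Lets the CI role obtain an ECR Public login token (authenticated pulls get higher rate limits than anonymous ones; ECR Public auth is served from us-east-1). This grants no push/pull permissions on any repository — add ecr-public:* actions separately if pushes are ever needed.` Which GitHub repositories/branches may assume this role is decided by the trust policy of `aws_iam_role.github_actions_ci_role`, whose body begins above this hunk and is not visible here, so the effective blast radius of the new policy cannot be judged from this change alone.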