diff --git a/install/aws-full-terraform/modules/registry/main.tf b/install/aws-full-terraform/modules/registry/main.tf
index e28beba7d51614..d6502fda9c08c4 100644
--- a/install/aws-full-terraform/modules/registry/main.tf
+++ b/install/aws-full-terraform/modules/registry/main.tf
@@ -66,6 +66,36 @@ EOF
   role   = var.worker_iam_role_name
 }
 
+resource "aws_iam_user_policy" "gitpod_registry" {
+  name = "${var.project.name}-user-registry"
+
+  policy = <<-EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "ecr:*",
+                "cloudtrail:LookupEvents"
+            ],
+            "Resource": "*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "ecr:BatchCheckLayerAvailability",
+                "ecr:BatchGetImage",
+                "ecr:GetDownloadUrlForLayer",
+                "ecr:GetAuthorizationToken"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
+EOF
+  user   = aws_iam_user.gitpod_registry.name
+}
 
 data "aws_ecr_authorization_token" "gitpod_registry" {
   registry_id = aws_ecr_repository.gitpod_registry.registry_id
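Review bot: The first statement of the new inline policy grants `ecr:*` on `Resource: "*"`, which lets this user create and delete repositories and rewrite repository policies in every registry of the account, while the second statement already enumerates the read-only actions (`ecr:GetAuthorizationToken`, `ecr:BatchGetImage`, …) that the token-regeneration script needs, so the two statements overlap and the wildcard is never required for anything visible here. Drop `"ecr:*"` so the first statement reads `"Action": ["cloudtrail:LookupEvents"],`; if this user is also meant to push images, list the push actions explicitly rather than the wildcard. The pull statement's `Resource: "*"` can be narrowed to the repository the module creates (`aws_ecr_repository.gitpod_registry.arn`), keeping only `ecr:GetAuthorizationToken` on `*` since it is not resource-scoped. The identical policy is added to install/aws-terraform/modules/registry/main.tf in this commit.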
@@ -119,6 +149,33 @@ resource "aws_iam_access_key" "gitpod_registry" {
   user = aws_iam_user.gitpod_registry.name
 }
 
+resource "kubernetes_cluster_role" "regenerate-ecr-role" {
+  metadata {
+    name = "regenerate-ecr-role"
+  }
+  rule {
+    api_groups = [""]
+    resources = ["secrets", "serviceaccounts"]
+    verbs = ["get", "list", "watch", "create", "update", "patch", "delete"]
+  }
+}
+
+resource "kubernetes_cluster_role_binding" "regenerate-ecr-role-binding" {
+  metadata {
+    name = "regenerate-ecr-role-binding"
+  }
+  role_ref {
+    api_group = "rbac.authorization.k8s.io"
+    kind      = "ClusterRole"
+    name      = "regenerate-ecr-role"
+  }
+  subject {
+    kind      = "ServiceAccount"
+    name      = "default"
+    namespace = "default"
+  }
+}
+
 data "template_file" "ecr_regeneration_script" {
     template = file("${path.module}/template/regenerate-ecr.tpl")
     vars = {
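Review bot: The new ClusterRole grants get/list/watch/create/update/patch/delete on `secrets` and `serviceaccounts` in every namespace and binds it to the `default` ServiceAccount of the `default` namespace, so any pod scheduled there without an explicit `serviceAccountName` can read or rewrite every secret in the cluster, not just the pull secret the cron job refreshes. The template only shows `kubectl delete secret --ignore-not-found ${secret_name}` (presumably followed by a create), which needs namespaced `get`/`create`/`delete` on secrets; a `serviceaccounts` rule is only justified if the rest of the script patches `imagePullSecrets`, which is outside these hunks. Bind a dedicated ServiceAccount with a namespaced Role instead and set it as the cron job's `service_account_name` (the `kubernetes_cron_job` resource is outside this hunk). The same ClusterRole/ClusterRoleBinding pair is added to install/aws-terraform/modules/registry/main.tf.
```hcl
resource "kubernetes_service_account" "regenerate_ecr" {
  metadata {
    name      = "regenerate-ecr"
    namespace = "default"
  }
}

resource "kubernetes_role" "regenerate_ecr" {
  metadata {
    name      = "regenerate-ecr-role"
    namespace = "default"
  }
  rule {
    api_groups = [""]
    resources  = ["secrets"]
    verbs      = ["get", "create", "delete"]
  }
  # add a serviceaccounts/patch rule only if the regeneration script edits imagePullSecrets
}

resource "kubernetes_role_binding" "regenerate_ecr" {
  metadata {
    name      = "regenerate-ecr-role-binding"
    namespace = "default"
  }
  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "Role"
    name      = kubernetes_role.regenerate_ecr.metadata[0].name
  }
  subject {
    kind      = "ServiceAccount"
    name      = kubernetes_service_account.regenerate_ecr.metadata[0].name
    namespace = "default"
  }
}
```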
diff --git a/install/aws-full-terraform/modules/registry/templates/regenerate-ecr.tpl b/install/aws-full-terraform/modules/registry/templates/regenerate-ecr.tpl
index 825ed46db3678a..290cd0745e6f60 100644
--- a/install/aws-full-terraform/modules/registry/templates/regenerate-ecr.tpl
+++ b/install/aws-full-terraform/modules/registry/templates/regenerate-ecr.tpl
@@ -1,18 +1,18 @@
 #!/bin/bash
 
 # Set the AWS auth environment variables
-AWS_DEFAULT_REGION=${region}
-AWS_SECRET_ACCESS_KEY=${secret_key}
-AWS_ACCESS_KEY_ID=${access_key}
+export AWS_DEFAULT_REGION=${region}
+export AWS_SECRET_ACCESS_KEY=${secret_key}
+export AWS_ACCESS_KEY_ID=${access_key}
 
-# Generate the auth token from the aws account 
-TOKEN=`aws ecr get-authorization-token --output text --query 'authorizationData[].authorizationToken'`
+# Generate the auth token from the aws account
+export TOKEN=`aws ecr get-authorization-token --output text --query 'authorizationData[].authorizationToken'`
 
 # Delete the original secret
 kubectl delete secret --ignore-not-found ${secret_name}
 
 # Generate the new docker registry auth config
-CONFIGJSON='{"auths": {"%s": {"auth": "%s"}}}\n'
+CONFIGJSON='{"auths": {"%s": {"auth": "%s"}}}'
 UPDATEDCONFIG=$(printf "$CONFIGJSON" "${host}" "$TOKEN")
 echo $UPDATEDCONFIG > /tmp/config.json
 
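Review bot: `kubectl delete secret --ignore-not-found ${secret_name}` runs before anything checks that `aws ecr get-authorization-token` returned a token, and the new `export TOKEN=\`…\`` hides the command's exit status behind `export`, so a failed AWS call (expired key, wrong region) deletes the working pull secret and then writes a config whose `auth` field is empty, leaving the namespace unable to pull until the next run. Add `set -euo pipefail` after the shebang, split the assignment into `TOKEN=$(aws ecr get-authorization-token --output text --query 'authorizationData[].authorizationToken')` followed by `[ -n "$TOKEN" ] || { echo "no ECR token returned" >&2; exit 1; }`, and only then delete the old secret. `echo $UPDATEDCONFIG > /tmp/config.json` also writes the registry credential unquoted and under the default umask; `umask 077` before it and `printf '%s\n' "$UPDATEDCONFIG" > /tmp/config.json` keep the JSON intact and the file private to the job. Rendering `${secret_key}` into the script text bakes the IAM secret into the rendered template and Terraform state; injecting it through the cron job's environment from a Kubernetes Secret would presumably keep it out of the script body. The remainder of the script, where the file is likely passed to `kubectl create secret`, is outside the hunk, and the same points apply to install/aws-terraform/modules/registry/templates/regenerate-ecr.tpl.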
diff --git a/install/aws-terraform/modules/registry/main.tf b/install/aws-terraform/modules/registry/main.tf
index 27f3ca17bb375e..d6502fda9c08c4 100644
--- a/install/aws-terraform/modules/registry/main.tf
+++ b/install/aws-terraform/modules/registry/main.tf
@@ -66,6 +66,36 @@ EOF
   role   = var.worker_iam_role_name
 }
 
+resource "aws_iam_user_policy" "gitpod_registry" {
+  name = "${var.project.name}-user-registry"
+
+  policy = <<-EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "ecr:*",
+                "cloudtrail:LookupEvents"
+            ],
+            "Resource": "*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "ecr:BatchCheckLayerAvailability",
+                "ecr:BatchGetImage",
+                "ecr:GetDownloadUrlForLayer",
+                "ecr:GetAuthorizationToken"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
+EOF
+  user   = aws_iam_user.gitpod_registry.name
+}
 
 data "aws_ecr_authorization_token" "gitpod_registry" {
   registry_id = aws_ecr_repository.gitpod_registry.registry_id
@@ -107,7 +137,7 @@ data "template_file" "gitpod_registry_values" {
   }
 }
 
-esource "aws_iam_user" "gitpod_registry" {
+resource "aws_iam_user" "gitpod_registry" {
   name = "${var.project.name}-registry"
 
   tags = {
@@ -119,6 +149,33 @@ resource "aws_iam_access_key" "gitpod_registry" {
   user = aws_iam_user.gitpod_registry.name
 }
 
+resource "kubernetes_cluster_role" "regenerate-ecr-role" {
+  metadata {
+    name = "regenerate-ecr-role"
+  }
+  rule {
+    api_groups = [""]
+    resources = ["secrets", "serviceaccounts"]
+    verbs = ["get", "list", "watch", "create", "update", "patch", "delete"]
+  }
+}
+
+resource "kubernetes_cluster_role_binding" "regenerate-ecr-role-binding" {
+  metadata {
+    name = "regenerate-ecr-role-binding"
+  }
+  role_ref {
+    api_group = "rbac.authorization.k8s.io"
+    kind      = "ClusterRole"
+    name      = "regenerate-ecr-role"
+  }
+  subject {
+    kind      = "ServiceAccount"
+    name      = "default"
+    namespace = "default"
+  }
+}
+
 data "template_file" "ecr_regeneration_script" {
     template = file("${path.module}/template/regenerate-ecr.tpl")
     vars = {
@@ -159,4 +216,3 @@ resource "kubernetes_cron_job" "ecr_regeneration_cron" {
     }
   }
 }
-
diff --git a/install/aws-terraform/modules/registry/templates/regenerate-ecr.tpl b/install/aws-terraform/modules/registry/templates/regenerate-ecr.tpl
index 825ed46db3678a..48e64b1891af74 100644
--- a/install/aws-terraform/modules/registry/templates/regenerate-ecr.tpl
+++ b/install/aws-terraform/modules/registry/templates/regenerate-ecr.tpl
@@ -1,18 +1,18 @@
 #!/bin/bash
 
 # Set the AWS auth environment variables
-AWS_DEFAULT_REGION=${region}
-AWS_SECRET_ACCESS_KEY=${secret_key}
-AWS_ACCESS_KEY_ID=${access_key}
+export AWS_DEFAULT_REGION=${region}
+export AWS_SECRET_ACCESS_KEY=${secret_key}
+export AWS_ACCESS_KEY_ID=${access_key}
 
 # Generate the auth token from the aws account 
-TOKEN=`aws ecr get-authorization-token --output text --query 'authorizationData[].authorizationToken'`
+export TOKEN=`aws ecr get-authorization-token --output text --query 'authorizationData[].authorizationToken'`
 
 # Delete the original secret
 kubectl delete secret --ignore-not-found ${secret_name}
 
 # Generate the new docker registry auth config
-CONFIGJSON='{"auths": {"%s": {"auth": "%s"}}}\n'
+CONFIGJSON='{"auths": {"%s": {"auth": "%s"}}}'
 UPDATEDCONFIG=$(printf "$CONFIGJSON" "${host}" "$TOKEN")
 echo $UPDATEDCONFIG > /tmp/config.json