
(ecs): registry credential grants are not enough #35476

@moltar

Description

Describe the bug

When using a cross-account secret for the registry, the grants do not apply the policy to the principal's (execution role) inline policy.

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Library Version

No response

Expected Behavior

The inline execution role policy should have the policy attached.

Current Behavior

Inline policy is not working.

Reproduction Steps

  1. Create a secret from attributes (Secret.fromSecretAttributes).
  2. Pass the secret to the container definition.

```ts
import { Secret } from "aws-cdk-lib/aws-secretsmanager";
import { ContainerImage } from "aws-cdk-lib/aws-ecs";

// "..." are the reporter's placeholders for the cross-account KMS key and the
// complete ARN of the secret that holds the registry credentials.
const credentials = Secret.fromSecretAttributes(this, "DockerHubCredentials", {
  encryptionKey: '...',
  secretCompleteArn: '...',
});

taskDefinition.addContainer("nginx", {
  image: ContainerImage.fromRegistry("nginx:latest", {
    credentials,
  }),
});
```

Possible Solution

No response

Additional Information/Context

https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_execution_IAM_role.html#task-execution-private-auth

```ts
if (this.props.credentials) {
  this.props.credentials.grantRead(containerDefinition.taskDefinition.obtainExecutionRole());
}
```
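Whether that `grantRead` actually reached the execution role can be confirmed from the synthesized template rather than from the construct tree. The check below is an added example, not code from this issue or from aws-cdk-lib: it parses a `cdk synth` output (the JSON in `cdk.out/<Stack>.template.json`) and reports whether the execution role holds the two permissions the linked ECS documentation requires for private registry authentication, `secretsmanager:GetSecretValue` on the secret and `kms:Decrypt` on the key that encrypts it. The role logical id, the ARNs and both sample templates are constructed for the demonstration; the second template reproduces the symptom reported here, a role with no policy referencing the secret.

```typescript
// Added example (not part of the issue or of aws-cdk-lib): verify, from a
// synthesized CloudFormation template, that the ECS execution role received the
// registry-secret permissions. Names, ARNs and template shapes are constructed.

type CfnResource = { Type: string; Properties?: Record<string, any> };
type Template = { Resources: Record<string, CfnResource> };

type Statement = {
  Effect?: string;
  Action?: string | string[];
  Resource?: unknown;
};

function asArray<T>(v: T | T[] | undefined): T[] {
  if (v === undefined) return [];
  return Array.isArray(v) ? v : [v];
}

// CDK renders ARNs either as plain strings or as Ref / Fn::Join intrinsics; a
// substring match over the serialized entry covers both without an intrinsic
// evaluator. A bare "*" is treated as covering any resource.
function resourceCovers(resource: unknown, arn: string): boolean {
  return asArray<unknown>(resource as unknown | unknown[]).some((r) => {
    if (r === "*") return true;
    return JSON.stringify(r).includes(arn);
  });
}

// Exact action, service wildcard (e.g. "kms:*") or "*" all satisfy the check.
function actionMatches(actions: string | string[] | undefined, wanted: string): boolean {
  const [service] = wanted.split(":");
  return asArray(actions).some((a) => a === wanted || a === `${service}:*` || a === "*");
}

// Collect every Allow statement that applies to the role: inline `Policies` on
// the AWS::IAM::Role itself plus AWS::IAM::Policy resources listing it in Roles
// (CDK's "DefaultPolicy" takes the second form).
function statementsForRole(template: Template, roleLogicalId: string): Statement[] {
  const out: Statement[] = [];
  const role = template.Resources[roleLogicalId];
  for (const p of asArray(role?.Properties?.Policies)) {
    out.push(...asArray(p?.PolicyDocument?.Statement));
  }
  for (const res of Object.values(template.Resources)) {
    if (res.Type !== "AWS::IAM::Policy") continue;
    const attached = asArray(res.Properties?.Roles).some(
      (r: any) => r === roleLogicalId || r?.Ref === roleLogicalId
    );
    if (attached) out.push(...asArray(res.Properties?.PolicyDocument?.Statement));
  }
  return out.filter((s) => (s.Effect ?? "Allow") === "Allow");
}

interface GrantCheck { secretRead: boolean; kmsDecrypt: boolean }

function checkExecutionRoleGrants(
  template: Template,
  roleLogicalId: string,
  secretArn: string,
  keyArn: string
): GrantCheck {
  const statements = statementsForRole(template, roleLogicalId);
  const has = (action: string, arn: string) =>
    statements.some((s) => actionMatches(s.Action, action) && resourceCovers(s.Resource, arn));
  return {
    secretRead: has("secretsmanager:GetSecretValue", secretArn),
    kmsDecrypt: has("kms:Decrypt", keyArn),
  };
}

// Constructed sample: execution role plus a DefaultPolicy-style resource that
// grants both permissions on the cross-account secret and key.
const SECRET_ARN = "arn:aws:secretsmanager:us-east-1:111111111111:secret:DockerHubCredentials-AbCdEf";
const KEY_ARN = "arn:aws:kms:us-east-1:111111111111:key/00000000-0000-0000-0000-000000000000";

const templateWithGrant: Template = {
  Resources: {
    TaskDefExecutionRole: { Type: "AWS::IAM::Role", Properties: {} },
    TaskDefExecutionRoleDefaultPolicy: {
      Type: "AWS::IAM::Policy",
      Properties: {
        Roles: [{ Ref: "TaskDefExecutionRole" }],
        PolicyDocument: {
          Statement: [
            { Effect: "Allow", Action: ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"], Resource: SECRET_ARN },
            { Effect: "Allow", Action: "kms:Decrypt", Resource: { "Fn::Join": ["", [KEY_ARN]] } },
          ],
        },
      },
    },
  },
};

// Constructed sample matching this issue's symptom: the role exists, but no
// policy referencing the secret or its key was emitted.
const templateWithoutGrant: Template = {
  Resources: {
    TaskDefExecutionRole: { Type: "AWS::IAM::Role", Properties: {} },
  },
};
```

In practice, load `cdk.out/<Stack>.template.json` with `JSON.parse`, find the execution role's logical id in `Resources`, and call `checkExecutionRoleGrants`; a result with either field `false` means the task will fail to pull the image with the "unable to retrieve secret" class of error rather than failing at deploy time, so this is worth running in CI before the stack is deployed.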

AWS CDK Library version (aws-cdk-lib)

2.202.0

AWS CDK CLI version

2.1019.2

Node.js Version

v22.12.0

OS

macOS

Language

TypeScript

Language Version

No response

Other information

No response

Metadata

Assignees: No one assigned

Labels:
  • @aws-cdk/aws-ecs (Related to Amazon Elastic Container)
  • bug (This issue is a bug.)
  • effort/medium (Medium work item – several days of effort)
  • p2

Type: No type

Projects: No projects

Milestone: No milestone

Relationships: None yet

Development: No branches or pull requests
