Run Docker image in private repo as AWS Batch Job: CannotPullImageManifestError. 403 Forbidden

Question

I want to demonstrate a simple test image, hosted in a self-hosted JFrog Artifactory Docker repository, running as an AWS Batch Job. Obviously, using Amazon ECR would be easier, but my employer wants to use Artifactory.

First, just run it locally, after I've done docker login. This works correctly as expected:

docker run --rm -it --name demo "$REPO_NAME"/"$IMAGE_NAME":latest

I setup a repository credential secret as specified in the docs (https://docs.aws.amazon.com/AmazonECS/latest/developerguide/private-auth.html):

aws secretsmanager get-secret-value \
    --secret-id $REPO_CRED_SECRET_ARN \
    | jq '.SecretString | fromjson'

{
  "username": "<redacted>",
  "password": "<redacted>"
}

I register my job definition

aws --profile power batch register-job-definition \
    --job-definition-name demo-job-definition \
    --type container \
    --container-properties '{
        "image": "'$REPO_NAME'/'$IMAGE_NAME':latest",
        "executionRoleArn": "'$EXECUTION_ROLE_ARN'",
        "vcpus": 1,
        "memory": 1024,
        "repositoryCredentials": { "credentialsParameter": "'$REPO_CRED_SECRET_ARN'" }
    }' \
    | jq '.'

submit the job:

aws --profile power batch submit-job \
    --job-name test-job \
    --job-queue $JOB_QUEUE_ARN \
    --job-definition $JOB_DEFINITION_ARN \
    | jq '.'

Wait a few minutes and I get a CannotPullImageManifestError 403 Forbidden error:

aws --profile power batch describe-jobs \
    --jobs b6c6f3a0-6d77-44f2-b820-e917c3faed3f \
    | jq -r '.jobs[0].container.reason'

CannotPullImageManifestError: Error response from daemon: denied: <html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.21.3</center>
</body>
</html>

I'm sure my repository username+password are correct.

Any ideas on what is wrong or what I can do to troubleshoot further?